My First 2020 [NonTroll] CVE - DLL Hijacking in NVIDIA System Management Interface (SMI)

NVIDIA System Management Interface is vulnerable to DLL search order hijacking whereby an attacker can leverage execution to establish persistence on a machine using a malicious DLL file.


CVE‑2020‑5980 affects NVIDIA Windows GPU Display Driver which contains a vulnerability in multiple components where a securely loaded system DLL will load its dependencies in an insecure fashion. This is my first CVE of 2020 that's not a HoneyPoC.

What is NVIDIA SMI?

The NVIDIA System Management Interface (nvidia-smi) is a command line utility, based on top of the NVIDIA Management Library (NVML), intended to aid in the management and monitoring of NVIDIA GPU devices.

The utility allows administrators to query GPU device state and, with the appropriate privileges, to modify it. It comes pre-bundled with all NVIDIA drivers, so it is probably installed on your machine if you have an NVIDIA card.

What is DLL Hijacking?

Dynamic-Link Library (DLL) search order hijacking, often shortened to DLL hijacking, is a technique for subverting the execution flow of an application via the external DLLs it loads. Essentially, it is possible to force an application to load a malicious DLL by hijacking the search order used to locate the legitimate one.

If a vulnerable application is configured to run at a higher privilege level, then the malicious DLL it loads will also execute at that higher level, thus achieving escalation of privilege. Often the application will behave no differently, because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace or where a DLL doesn't

Finding The Issue

While playing around with SpecterOps' automated DLL hijacking discovery, I found an NVIDIA binary that was vulnerable to hijack.

The issue was found by using Sysinternals Process Explorer to search through running processes for all DLLs loaded and called by running applications. The following steps can be taken:

1) Start Process Monitor with the following filters, to identify potentially vulnerable applications and binaries.

  • Result contains NOT FOUND
  • Path ends with .dll

2) Export the running list to a CSV then leverage 's Get-PotentialDLLHijack script that can be found here.

3) Running the script against the CSV showed that nvidia-smi, along with a few other binaries, was vulnerable:

Get-PotentialDLLHijack -CSVPath .\ProcessList.CSV -MaliciousDLLPath .\maliciousDLL.dll -ProcessPath "C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe"

The process nvidia-smi.exe attempted to read the following DLL:

C:\Program Files\NVIDIA Corporation\NVSMI\MSASN1.dll

However, as the DLL does not exist at that location, an attacker can supply their own in its place and hijack the path of execution so that the binary loads the attacker's DLL instead.

Copy-Item maliciousDLL.dll "C:\Program Files\NVIDIA Corporation\NVSMI\MSASN1.dll"

Then, after stopping the nvidia-smi.exe process, it can be started again so that it loads the newly created DLL. Its contents can be anything; in this proof of concept I used Cobalt Strike shellcode to illustrate execution of attacker-controlled code. The technique can be leveraged for both persistence and privilege escalation.

The root cause is that the folder in which the DLL is searched for had overly permissive permissions, which allowed an arbitrary DLL to be dropped into it.
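The triage described in steps 1 to 3 above, plus the permissions check that explains the root cause, can be reproduced from the defender's side without the Get-PotentialDLLHijack script. The following PowerShell is an added example and is not code from the original post or from SpecterOps: it parses a Process Monitor CSV export, keeps the "NOT FOUND" .dll entries, and then asks whether the directory the loader searched grants write access to low-privileged principals. The CSV content is constructed sample data in Procmon's export column layout (only the nvidia-smi.exe process name and the NVSMI\MSASN1.dll path come from the post); the function name Test-WritableByLowPriv and the list of principals are my own choices.

```powershell
# Added example (not from the original post): triage a Process Monitor CSV export
# for missing-DLL loads, then check whether the searched directory is writable by
# low-privileged users. Sample CSV rows are constructed; only the nvidia-smi.exe
# process and the NVSMI\MSASN1.dll path are taken from the post.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.000","nvidia-smi.exe","1234","CreateFile","C:\Program Files\NVIDIA Corporation\NVSMI\MSASN1.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.001","nvidia-smi.exe","1234","CreateFile","C:\Windows\System32\msasn1.dll","SUCCESS","Desired Access: Read"
"10:00:02.000","notepad.exe","4321","CreateFile","C:\Windows\System32\missing.txt","NAME NOT FOUND","Desired Access: Read"
'@

$events = $sampleCsv | ConvertFrom-Csv

# Step 1 of the post, expressed as a filter: Result contains NOT FOUND, Path ends with .dll
$candidates = $events | Where-Object {
    $_.Result -like '*NOT FOUND*' -and $_.Path -like '*.dll'
}

# Principals whose write access to a search-path directory makes a drop-in possible.
# (Hypothetical choice for this example; extend to match your environment.)
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# FileSystemRights.Write covers WriteData/AppendData/WriteAttributes/WriteEA;
# Modify and FullControl both include these bits, so one mask catches all three.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

function Test-WritableByLowPriv {
    param([string]$Directory)
    # A directory that does not exist on this machine cannot be abused here.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# One row per missing DLL path, with the ACL verdict for its parent directory.
$findings = foreach ($c in ($candidates | Sort-Object Path -Unique)) {
    $dir = Split-Path -Path $c.Path -Parent
    [pscustomobject]@{
        Process         = $c.'Process Name'
        MissingDll      = $c.Path
        Directory       = $dir
        LowPrivWritable = Test-WritableByLowPriv -Directory $dir
    }
}

$findings | Format-Table -AutoSize
```

To run this against a real capture, replace $sampleCsv with Get-Content of the CSV you exported from Process Monitor. A row with LowPrivWritable set to True is the combination the post describes: a binary that looks for a DLL which is absent from a directory into which ordinary users can write. On a machine that has the patched driver, or no NVSMI folder at all, the NVSMI row will report False because the directory either has tightened permissions or does not exist.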

Fixing The Issue

NVIDIA have released a patch for the issue, which can be found here. Apply it, or alternatively uninstall nvidia-smi if it is not required.

Disclosure Timeline

2020-07-01 Discovered and reported finding to NVIDIA PSIRT
2020-07-02 NVIDIA confirmed issue as valid and began investigating
2020-08-18 NVIDIA confirmed that the issue would be fixed in their next GPU Security Rollout update to be released on September 30th 2020.
2020-10-05 NVIDIA released a patch for all GeForce graphics cards.
2020-10-30 Blog published and issue fix released in bulletin, CVE-2020-5980