NVIDIA Patches Command Execution Vulnerability in GeForce Experience

A recently patched vulnerability in the NVIDIA GeForce Experience (GFE) could be exploited for the execution of arbitrary commands on affected systems, Rhino Security Labs reveals.

The NVIDIA GFE is a companion application installed alongside GeForce drivers, which allows users to capture and share videos, screenshots, and live streams, while also providing the means to keep drivers updated and game settings optimized. 

Tracked as CVE-2019-5678 and residing in a local “Web Helper” server that GFE launches on startup, the vulnerability could be exploited by tricking a victim into visiting a crafted web site and making a few key presses, David Yesland, security researcher with Rhino Security Labs, says.

“NVIDIA GeForce Experience contains a vulnerability in the Web Helper component, in which an attacker with local system access can craft input that may not be properly validated. Such an attack may lead to code execution, denial of service or information disclosure,” NVIDIA notes in an advisory.

At startup, GFE launches a local API server that controls different aspects of the application; changes made from the GUI likely translate into calls to this local API. The server, however, accepts only authenticated requests, and Yesland says he could not find a bypass.

He did find, however, that valid requests could be made to the server from a different Origin, such as an attacker-controlled web site, provided the secret token could be obtained. Such an attack would be performed via a browser, as the implemented CORS policy allows requests to come from any Origin.

“This attack still required having knowledge of the secret token. The only way around this is if a user could be tricked into uploading the file containing the token. But since the secret token file has a static path and name this could be achieved fairly easily in the browser, which would only require the user to press a couple keys to achieve command injection,” Yesland explains. 

In Chrome, the researcher explains, the exploit requires pressing three keys, CTRL+V+Enter, which allows the copying of arbitrary text to the clipboard. In Firefox, however, “this step would require a mouse click of some kind,” he notes. 

The attack does require some user interaction, but the interaction is minimal enough that a user could be trivially tricked into performing it.

“The real issue here seems to be that the API allows Cross Origin Resource Sharing from any Origin, which means it is possible to perform an XHR request to any of the endpoints through the browser if the secret token were obtained through any method,” the security researcher says. 

NVIDIA addressed this vulnerability in the latest release of GFE by removing the endpoint which allows the command injection. The open CORS policy, however, hasn’t been changed and the nodejs.json file remains at a static location, meaning that it is still possible to interact with the API through the browser. 
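To illustrate the underlying weakness, here is an added example (not NVIDIA's or Rhino Security Labs' code) contrasting the open CORS policy described above with an origin allowlist, modelled as a small request handler for a local helper API. The token header name, the allowlist entries and the handler's response shape are assumptions made for this example.

```javascript
// Added example: how a local helper API's CORS handling decides whether a
// browser page from another origin may call it. "open" reflects any Origin,
// which is the behaviour the article describes; "allowlist" only answers
// for origins the vendor controls.
const TOKEN_HEADER = 'x-local-token'; // assumed name of the secret-token header

// Origins the local API may legitimately serve (assumed for illustration).
const ALLOWED_ORIGINS = new Set(['https://app.example.invalid']);

// Returns the CORS headers to send for a request from `origin`, or null when
// cross-origin access must not be granted at all.
function corsHeadersFor(origin, policy) {
  if (policy === 'open') {
    // Weak setting: echo whatever Origin the browser sent. Any web page can
    // then issue XHR/fetch calls to the local API and read the responses,
    // so only the secret token stands between it and the endpoints.
    return {
      'Access-Control-Allow-Origin': origin || '*',
      'Access-Control-Allow-Headers': TOKEN_HEADER + ', content-type',
      'Access-Control-Allow-Methods': 'GET, POST',
    };
  }
  // Hardened setting: a fixed allowlist, never a reflected or wildcard origin.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Headers': TOKEN_HEADER + ', content-type',
    'Access-Control-Allow-Methods': 'GET, POST',
  };
}

// Minimal handler: refuses browser requests from disallowed origins before
// doing any work, answers preflight only for allowed origins, and still
// requires the token. Requests without an Origin (local native clients)
// are handled on the token alone.
function handle(req, policy, expectedToken) {
  const cors = corsHeadersFor(req.headers.origin, policy);
  if (req.headers.origin !== undefined && cors === null) {
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  if (req.method === 'OPTIONS') return { status: 204, headers: cors || {}, body: '' };
  if (req.headers[TOKEN_HEADER] !== expectedToken) {
    return { status: 401, headers: cors || {}, body: 'unauthorized' };
  }
  return { status: 200, headers: cors || {}, body: 'ok' };
}
```

With the open policy, a page on any origin that has learned the token gets a 200 and a matching Access-Control-Allow-Origin header, so the browser lets it read the response; with the allowlist, the same request is refused even when the token is correct.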

Another security flaw that NVIDIA patched in GFE resides in the application incorrectly loading Windows system DLLs without validating the path or signature, which could be exploited by an attacker with local system access to escalate privileges through code execution. 

Related: NVIDIA Patches High Severity Bugs in GPU Display Driver

Related: NVIDIA Patches Serious Flaw in GeForce Experience Software


Original author: Ionut Arghire