Greg Linares

07-04-2022

14:56

I was gonna do a talk about this class of vulnerability but I don't have the time nor the health, so I'll just drop 0day. Hopefully someone can run with this instead and make a tool or talk. Node.JS processing and private Node.js packaging is not just present in Adobe... A 💦🧵

Logitech and NVIDIA also package their own custom Node.js with their tools LogiOptions & Geforce Experience. So what does this mean? It means by editing JS files on a machine you can get SYSTEM or Kernel privileges. That's right, by editing text files -> SYSTEM/Kernel. Why? How?

Well, let's start off with their privileges: they are both installed with User level privileges in AppData folders. Logitech uses it as an integrator with other apps like Discord and Adobe. Nvidia uses it for the entire backend for Nvidia Geforce Experience.

So what can you do with these and how can they be abused? You can modify the JSON and JS files mentioned in order to:
- arbitrarily download binaries
- ignore download checksums
- execute commands as SYSTEM
- C2 on the behalf of applications
- perform file I/O as SYSTEM
etc.

For these and other vendors their actual downloading code and checksum validations are written in the JS files themselves (!). You can literally just edit them to bypass the checksums altogether. It's quite ridiculous, however it seems NVIDIA is making some changes lately.

They appear to have moved some of the resources from APPDATA local to Program Files during execution in some instances (not all). Regardless, I wrote a PoC malicious Office file that would modify the JSON of these files and then install a driver on the behalf of NVIDIA in Dec.

A good generic tool should scan the local appdata and program file folders for instances of NODE.JS or JSON files (Maybe not Microsoft Store instances) and then have templates for trojanizing each vendor's custom NodeJS and JSON. Would be a fun project for someone :)

Oh, another thing to add is to do a process search for anything running with node.exe or *.js in the command line (they don't all use node.exe). And another vector for attacking these would be editing their config.XML files and just hosting your own backend website.

The other folder to exploit for NVIDIA is this one

Nvidia Web Helper.exe is the process to exploit as well

If you are digging into this now, the files to look at initially are: NvAutoDownload.js, NvAutoDriverDownload.js, downloader.js

Alternatively you could also just abuse the .NODE files, which are actually just PE binaries that are used by NVIDIA to perform file I/O, download, and execution.
