Header bannerHeader banner

[BRLY-2022-020] The stack buffer overflow vulnerability leads to arbitrary code execution.

March 23, 2023

Summary

BINARLY efiXplorer team has discovered a stack buffer overflow vulnerability that allows a attacker to execute arbitrary code.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2022-020
  • Insyde PSIRT assigned CVE identifier: CVE-2022-35407
  • FwHunt rule: BRLY-2022-020
  • CVSS v3.1 Score 7.7 High AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Affected Insyde firmwares with confirmed impact by Binarly team

Fimware Module name Module SHA256 File GUID
Framework_Laptop_12th_Gen_Intel_Core_capsule_EFI_signed_allsku_3.01.bin SetupUtility f0f2cbcd94a31c7d202b0d99a24a2168ac3a877ce70cf92e7e416f20445d9f39 fe3542fe-c1d3-4ef8-657c-8048606ff670

Potential impact

An attacker with local privileged access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depends on the operating system) to a DXE Runtime UEFI application and execute arbitrary code.A malicious code installed as a result of the vulnerability exploitation in a DXE driver could survive across an operating system (OS) boot process and runtime or modify NVRAM area on SPI flash storage (to gain persistence on target platform).Additionally, this vulnerability potentially could be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence on the OS boot process, and in some cases would allow an attacker to hook or modify EFI Runtime services.

Vulnerability description

The pseudocode of the vulnerable function is shown below:

EFI_STATUS sub_21468()
{
  // [COLLAPSED LOCAL DECLARATIONS]

  memset(MeSetupStorageData, 0, 0x11);
  memset(MeBackupStorageData, 0, 0x11);
  DataSize = 1250;
  gRT->GetVariable(aSetup, &DRIVER_SAMPLE_FORM_SET_GUID, 0, &DataSize, Data);
  v4 = gBS->LocateProtocol(&ProprietaryProtocol_10, 0, &Interface);
  result = sub_2D178(v0);
  if ( !result && v4 >= 0 )
  {
    DataSize = 17;
    gRT->GetVariable(L"MeSetupStorage", &gVariableGuid, 0, &DataSize, MeSetupStorageData);
    gRT->GetVariable(L"MeBackupStorage", &gVariableGuid, 0, &DataSize, MeBackupStorageData);
    DataSize = 54;
    gRT->GetVariable(aMesetup, &gVariableGuid, 0, &DataSize, &unk_119A20);
    sub_29338(v11);
    if...
    if...
    v2 = MeBackupStorageData[1];
    if...
    if...
    if...
    v3 = MeBackupStorageData[6];
    if...
    if...
    if...
    if...
    if...
    if...
    gRT->SetVariable(L"MeBackupStorage", &gVariableGuid, 2, 0x11, MeSetupStorageData);
    return gRT->SetVariable(aSetup, &DRIVER_SAMPLE_FORM_SET_GUID, 2, 0x4E2, Data);
  }
  return result;
}

Consider following code snippet:

DataSize = 17;
gRT->GetVariable(L"MeSetupStorage", &gVariableGuid, 0, &DataSize, MeSetupStorageData);
gRT->GetVariable(L"MeBackupStorage", &gVariableGuid, 0, &DataSize, MeBackupStorageData);

A potential attacker can change the values of the MeSetupStorage and MeBackupStorage variables.If the size of the value of the MeSetupStorageData variable is greater than 17, then after the first call to the gRT->GetVariable() service, the DataSize variable will be overwritten (this means that the attacker is in control of the DataSize variable).The second call to gRT->GetVariable() (for the MeBackupStorage variable) can lead to a stack overflow and arbitrary code execution.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date
Framework PSIRT is notified 2021-06-27
Insyde PSIRT confirmed reported issue 2022-07-19
Insyde PSIRT assigned CVE number 2022-07-27
Insyde provide patch release 2022-11-04
BINARLY public disclosure date 2023-03-21

Acknowledgements

BINARLY efiXplorer team

Tags
No items found.