Header bannerHeader banner
Advisory ID:
BRLY-2022-009

[BRLY-2022-009] The arbitrary write vulnerability leads to arbitrary code execution during PEI phase on Intel platform.

August 10, 2022
Severity:
High
CVSS Score
8.2
Public Disclosure Date:
August 10, 2022

Summary

Binarly REsearch Team has discovered a arbitrary write vulnerability on Intel platforms allowing a possible attacker to execute arbitrary code during PEI phase.
Vendors Affected Icon

Vendors Affected

Intel
Affected Products icon

Affected Products

Intel Server Board M10JNP2SB

Potential Impact

A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. This can lead to the mitigasions bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory.

Summary

Binarly REsearch Team has discovered an arbitrary write vulnerability on Intel platforms allowing a possible attacker to execute arbitrary code during PEI phase.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2022-009
  • Intel PSIRT assigned CVE identifier: CVE-2022-36372
  • AMI PSIRT assigned CVE identifier: CVE-2022-40262
  • CERT/CC assigned case number: VU#158026
  • FwHunt rule: BRLY-2022-009
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Intel firmwares with confirmed impact by Binarly REsearch Team

Device/Firmware File Name SHA256 (File PE32 section) File GUID
Intel Server Board M10JNP2SB S3Resume2Pei 7bb29f05534a8a1e010443213451425098faebd45948a4642db969b19d0253fc 89E549B0-7CFE-449D-9BA3-10D8B2312D71

Potential impact

A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. This can lead to the mitigasions bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory.

Vulnerability description

The pseudocode for vulnerable function is shown below:

int sub_FFEBFB2C()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  DataSize = 4;
  S3PerformanceTablePointer = 0;
  Status = sub_FFEC0607(&EFI_PEI_READ_ONLY_VARIABLE2_PPI_GUID, &This);
  if ( Status >= 0 )
  {
    Status = This->GetVariable(
               This,
               L"FPDT_Variable_NV",
               &AMI_GLOBAL_VARIABLE_GUID,
               0,
               &DataSize,
               &S3PerformanceTablePointer);
    if ( Status >= 0 )
    {
      Status = S3PerformanceTablePointer;
      // Extracted from memory pointed by FPDT_Variable_NV variable value
      AcpiS3PerformanceTable = S3PerformanceTablePointer->AcpiS3PerformanceTable;
      if ( *S3PerformanceTablePointer->AcpiS3PerformanceTable == 'TP3S' )
      {
        if ( *&S3PerformanceTablePointer->ResumeCount )
        {
          if ( !AcpiS3PerformanceTable->S3Resume.Header.Type )
          {
            S3ResumeTotal = MultU64x32(__rdtsc(), *&S3PerformanceTablePointer->ResumeCount);
            LODWORD(v3) = S3ResumeTotal;
            HIDWORD(v3) = HIDWORD(S3ResumeTotal) % 0xF4240;
            FullResumeLo = v3 / 0xF4240;
            FullResumeHi = HIDWORD(S3ResumeTotal) / 0xF4240;
            v6 = __PAIR64__(HIDWORD(S3ResumeTotal) / 0xF4240, FullResumeLo)
               + AcpiS3PerformanceTable->S3Resume.AverageResume * AcpiS3PerformanceTable->S3Resume.ResumeCount;
            ResumeCount = AcpiS3PerformanceTable->S3Resume.ResumeCount + 1;
            LODWORD(v3) = v6;
            HIDWORD(v3) = HIDWORD(v6) % ResumeCount;
            Status = v3 / ResumeCount;
            AcpiS3PerformanceTable->S3Resume.ResumeCount = ResumeCount;
            LODWORD(AcpiS3PerformanceTable->S3Resume.AverageResume) = Status;
            HIDWORD(AcpiS3PerformanceTable->S3Resume.AverageResume) = HIDWORD(v6) / ResumeCount;
            LODWORD(AcpiS3PerformanceTable->S3Resume.FullResume) = FullResumeLo;
            HIDWORD(AcpiS3PerformanceTable->S3Resume.FullResume) = FullResumeHi;
          }
        }
      }
    }
  }
  return Status;
}

The AcpiS3PerformanceTable pointer is controlled by the attacker:  * S3PerformanceTablePointer value is occured from value of FPDT_Variable_NV NVRAM variable  * AcpiS3PerformanceTable = S3PerformanceTablePointer->AcpiS3PerformanceTable (extracted from memory pointed by FPDT_Variable_NV variable value)

Thus the memory pointed to by AcpiS3PerformanceTable can be overwritten with predictable values:

AcpiS3PerformanceTable->S3Resume.ResumeCount = ResumeCount;
LODWORD(AcpiS3PerformanceTable->S3Resume.AverageResume) = Status;
HIDWORD(AcpiS3PerformanceTable->S3Resume.AverageResume) = HIDWORD(v6) / ResumeCount;
LODWORD(AcpiS3PerformanceTable->S3Resume.FullResume) = FullResumeLo;
HIDWORD(AcpiS3PerformanceTable->S3Resume.FullResume) = FullResumeHi;

This can lead to arbitrary write during the PEI stage.

The primitive described above allows to perform privilege escalation from the PEI to the DXE/SMM phase (or from PEI to the SMM during S3 sleep/wake up circle).In turn, code execution in PEI allows the disable security features that are initialized at the PEI-DXE junction (like PPAM or Intel BIOS Guard).

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date
Intel PSIRT is notified 2022-03-22
Intel PSIRT confirmed reported issue 2022-07-28
Intel PSIRT assigned CVE number 2022-07-28
BINARLY public disclosure date 2022-08-10

Acknowledgements

Binarly REsearch Team

Tags
PEI
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner