Header bannerHeader banner
Advisory ID:
BRLY-LOGOFAIL-2023-001

[BRLY-LOGOFAIL-2023-001] Memory contents leak / information disclosure vulnerability in DXE driver

June 20, 2024
Severity:
Medium
CVSS Score
6
Public Disclosure Date:
June 19, 2024

Summary

Binarly REsearch Team has discovered a memory contents leak / information disclosure vulnerability. BmpHeader->ImageOffset is not validated during parsing of arbitrary BMP file on Insyde firmware. The attacker can make it as high as 0xFFFFFFFF and thus display the contents of physical memory (in the form of pixels).
Vendors Affected Icon

Vendors Affected

Lenovo
Insyde
Affected Products icon

Affected Products

Yoga 7 14IAL7

Potential Impact

An attacker with local privileged access can exploit this vulnerability to read the contents of the physical memory and use this information to exploit other vulnerabilities in DXE. A malicious code installed as a result of the vulnerability exploitation in a DXE driver could survive across an operating system (OS) boot process and runtime or modify NVRAM area on SPI flash storage (to gain persistence on target platform). Additionally, this vulnerability potentially could be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence on the OS boot process, and in some cases would allow an attacker to hook or modify EFI Runtime services.

Summary

Binarly REsearch Team has discovered a memory contents leak / information disclosure vulnerability. BmpHeader->ImageOffset is not validated during parsing of arbitrary BMP file on Insyde firmware. The attacker can make it as high as 0xFFFFFFFF and thus display the contents of physical memory (in the form of pixels).

Vulnerability Information

     
  • BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-001  
  • Insyde PSIRT assigned CVE identifier: CVE-2023-40238  
  • CVSS v3.1: 6.0 Medium AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected modules with confirmed impact by Binarly REsearch Team

Module name Module GUID Module SHA256
BmpDecoderDxe a9f634a5-29f1-4456-a9d5-6e24b88bdb65 02034e3bdc02ef843651611c1f97f8f2a1deb0be78f9085ac40077eba4260128

Potential impact

An attacker with local privileged access can exploit this vulnerability to read the contents of the physical memory and use this information to exploit other vulnerabilities in DXE. A malicious code installed as a result of the vulnerability exploitation in a DXE driver could survive across an operating system (OS) boot process and runtime or modify NVRAM area on SPI flash storage (to gain persistence on target platform). Additionally, this vulnerability potentially could be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence on the OS boot process, and in some cases would allow an attacker to hook or modify EFI Runtime services.

Vulnerability description

The pseudocode of the vulnerable function is shown below:

unsigned __int64 __fastcall DecodeBMP(
        BMP_IMAGE *Image,
        unsigned __int64 ImageSize,
        __int64 *a3,
        unsigned __int64 *a4,
        _QWORD *a5,
        _QWORD *a6)
{
  __int64 PixelWidth; // r9
  __int64 BitPerPixel; // rdx
  __int64 PixelHeight; // r10
  unsigned __int64 v12; // rcx
  __int64 ImageOffset; // r8
  unsigned int v14; // r12d
  int v15; // ecx
  UINT32 NumberOfColors; // eax
  CHAR8 *v17; // rbx
  unsigned __int64 v18; // rsi
  __int64 v19; // rcx
  __int64 v20; // rax
  __int64 v22; // r15
  unsigned __int64 v23; // rdx
  unsigned __int64 v24; // rsi
  __int64 v25; // rcx
  unsigned __int64 v26; // r9
  CHAR8 *v27; // r8
  __int64 v28; // rcx
  CHAR8 v29; // al
  CHAR8 v30; // al
  __int64 v31; // rax
  unsigned __int64 v32; // rcx
  __int64 v33; // rcx
  unsigned __int64 v34; // r10
  char v35; // al
  unsigned __int64 v36; // rbx
  __int64 v37; // rdi
  char v38; // [rsp+20h] [rbp-38h]
  char v39; // [rsp+68h] [rbp+10h]

  if ( ImageSize < 0x36 )
    return 0x8000000000000002ui64;
  if ( Image->BmpHeader.CharB != 66
    || Image->BmpHeader.CharM != 77
    || Image->BmpHeader.CompressionType > 2
    || Image->BmpHeader.HeaderSize != 40 )
  {
    return 0x8000000000000003ui64;
  }
  PixelWidth = Image->BmpHeader.PixelWidth;
  BitPerPixel = Image->BmpHeader.BitPerPixel;
  PixelHeight = Image->BmpHeader.PixelHeight;
  v12 = PixelHeight * (((unsigned int)(BitPerPixel * Image->BmpHeader.PixelWidth + 31) >> 3) & 0x1FFFFFFC);
  if ( v12 > 0xFFFFFFFF )
    return 0x8000000000000002ui64;
  // BRLY-LOGOFAIL-2023-001: Lack of BmpHeader->ImageOffset validation will lead to OOB Read
  ImageOffset = Image->BmpHeader.ImageOffset;
  if ( (unsigned int)ImageOffset < 0x36 )
    return 0x8000000000000002ui64;
  v14 = 0;
  if ( (unsigned int)ImageOffset > 0x36 )
  {
    BitPerPixel = (unsigned int)(BitPerPixel - 1);
    if ( (_DWORD)BitPerPixel )
    {
      BitPerPixel = (unsigned int)(BitPerPixel - 3);
      if ( (_DWORD)BitPerPixel )
      {
        if ( (_DWORD)BitPerPixel == 4 )
          v15 = 256;
        else
          v15 = 0;
      }
      else
      {
        v15 = 16;
      }
    }
    else
    {
      v15 = 2;
    }
    NumberOfColors = Image->BmpHeader.NumberOfColors;
    if ( !NumberOfColors )
      NumberOfColors = v15;
    v14 = NumberOfColors;
    v12 = 4i64 * NumberOfColors;
    if ( ImageOffset - 54 < v12 )
      return 0x8000000000000002ui64;
  }
  v17 = &Image->BmpHeader.CharB + ImageOffset;
  v38 = (_BYTE)Image + ImageOffset;
  if ( (unsigned __int64)(PixelHeight * PixelWidth) > 0x3FFFFFFFFFFFFFFFi64 )
    return 0x8000000000000003ui64;
  v18 = 4 * PixelHeight * PixelWidth;
  if ( v18 >= 0x100000000i64 )
    return 0x8000000000000003ui64;
  v39 = 0;
  if ( *a3 )
  {
    if ( *a4 < v18 )
    {
      *a4 = v18;
      return 0x8000000000000005ui64;
    }
  }
  else
  {
    *a4 = v18;
    if ( (unsigned __int8)sub_D5C(v12, BitPerPixel, ImageOffset, PixelWidth) )
      v20 = sub_DAC(v19, (v18 >> 12) + ((v18 & 0xFFF) != 0));
    else
      v20 = sub_DE4(v19, v18);
    *a3 = v20;
    v39 = 1;
    if ( !v20 )
      return 0x8000000000000009ui64;
    LODWORD(PixelWidth) = Image->BmpHeader.PixelWidth;
  }
  *a6 = (unsigned int)PixelWidth;
  *a5 = Image->BmpHeader.PixelHeight;
  v22 = *a3;
  if ( Image->BmpHeader.CompressionType == 1 )
  {
    if ( v18 )
      sub_330(*a3, v18, 0i64);
    sub_740(v22, v17, &Image->field_36, Image);
    return 0i64;
  }
  if ( Image->BmpHeader.CompressionType == 2 )
  {
    if ( v18 )
      sub_330(*a3, v18, 0i64);
    sub_540(v22, v17, &Image->field_36, Image);
    return 0i64;
  }
  v23 = Image->BmpHeader.PixelHeight;
  v24 = 0i64;
  if ( !(_DWORD)v23 )
    return 0i64;
  while ( 1 )
  {
    v25 = Image->BmpHeader.PixelWidth;
    v26 = 0i64;
    v27 = (CHAR8 *)(v22 + 4 * v25 * ((unsigned int)v23 - v24 - 1));
    if ( (_DWORD)v25 )
      break;
LABEL_62:
    if ( (((_BYTE)v17 - v38) & 3) != 0 )
      v17 += 4i64 - (((_BYTE)v17 - v38) & 3);
    ++v24;
    v23 = Image->BmpHeader.PixelHeight;
    if ( v24 >= v23 )
      return 0i64;
  }
  while ( 1 )
  {
    switch ( Image->BmpHeader.BitPerPixel )
    {
      case 1u:
        v34 = 0i64;
        do
        {
          if ( v26 >= Image->BmpHeader.PixelWidth )
            break;
          v23 = ((unsigned __int8)*v17 >> (7 - v34)) & 1;
          if ( (unsigned int)v23 >= v14 )
            return 0x8000000000000002ui64;
          ++v26;
          v35 = 7 - v34++;
          v27[2] = *((_BYTE *)&Image->field_36 + 4 * (((unsigned __int64)(unsigned __int8)*v17 >> v35) & 1) + 2);
          v27[1] = *((_BYTE *)&Image->field_36 + 4 * (((unsigned __int64)(unsigned __int8)*v17 >> v35) & 1) + 1);
          *v27 = *((_BYTE *)&Image->field_36 + 4 * (((unsigned __int64)(unsigned __int8)*v17 >> v35) & 1));
          v27 += 4;
        }
        while ( v34 < 8 );
        v27 -= 4;
        --v26;
        goto LABEL_61;
      case 4u:
        v32 = (unsigned __int64)(unsigned __int8)*v17 >> 4;
        if ( (unsigned int)v32 >= v14 )
          return 0x8000000000000002ui64;
        v27[2] = *((_BYTE *)&Image->field_36 + 4 * v32 + 2);
        v27[1] = *((_BYTE *)&Image->field_36 + 4 * v32 + 1);
        *v27 = *((_BYTE *)&Image->field_36 + 4 * v32);
        if ( v26 < Image->BmpHeader.PixelWidth - 1 )
        {
          v27 += 4;
          v33 = *v17 & 0xF;
          ++v26;
          if ( (unsigned int)v33 >= v14 )
            return 0x8000000000000002ui64;
          v27[2] = *((_BYTE *)&Image->field_36 + 4 * v33 + 2);
          v27[1] = *((_BYTE *)&Image->field_36 + 4 * v33 + 1);
          *v27 = *((_BYTE *)&Image->field_36 + 4 * v33);
        }
        goto LABEL_61;
      case 8u:
        v31 = (unsigned __int8)*v17;
        if ( (unsigned int)v31 >= v14 )
          return 0x8000000000000002ui64;
        v27[2] = *((_BYTE *)&Image->field_36 + 4 * v31 + 2);
        v27[1] = *((_BYTE *)&Image->field_36 + 4 * (unsigned __int8)*v17 + 1);
        *v27 = *((_BYTE *)&Image->field_36 + 4 * (unsigned __int8)*v17);
        goto LABEL_61;
      case 0x10u:
        *v27 = (8 * *v17) | ((unsigned __int8)*v17 >> 2) & 7;
        v27[1] = (8 * (*(_WORD *)v17 >> 5)) | (*(_WORD *)v17 >> 7) & 7;
        v27[2] = (8 * (*(_WORD *)v17 >> 10)) | (*(_WORD *)v17 >> 12) & 7;
        ++v17;
        goto LABEL_61;
    }
    v28 = (unsigned int)Image->BmpHeader.BitPerPixel - 24;
    if ( Image->BmpHeader.BitPerPixel == 24 )
    {
      *v27 = *v17;
      v30 = v17[1];
      v17 += 2;
      v27[1] = v30;
      v27[2] = *v17;
      goto LABEL_61;
    }
    if ( Image->BmpHeader.BitPerPixel != 32 )
      break;
    *v27 = *v17;
    v27[1] = v17[1];
    v29 = v17[2];
    v17 += 3;
    v27[2] = v29;
LABEL_61:
    ++v26;
    ++v17;
    v27 += 4;
    if ( v26 >= Image->BmpHeader.PixelWidth )
      goto LABEL_62;
  }
  if ( v39 )
  {
    v36 = *a4;
    v37 = *a3;
    if ( (unsigned __int8)sub_D5C(v28, v23, v27, v26) )
      (*(void (__fastcall **)(__int64, unsigned __int64))(qword_EA0 + 48))(v37, (v36 >> 12) + ((v36 & 0xFFF) != 0));
    else
      (*(void (__fastcall **)(__int64))(qword_EA0 + 72))(v37);
    *a3 = 0i64;
  }
  return 0x8000000000000003ui64;
}

As we can see from the pseudocode, BmpHeader->ImageOffset is not validated. The attacker can make it as high as 0xFFFFFFFF and thus display the contents of physical memory (in the form of pixels) at any offset.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date (YYYY-mm-dd)
Lenovo PSIRT is notified 2023-06-21
Lenovo ID (LEN-132940) is assigned 2023-06-22
CERT/CC is notified 2023-07-10
Insyde PSIRT confirmed reported issues 2023-09-10
Insyde PSIRT assigned CVE ID 2023-11-27
Insyde advisory release date 2023-12-06
BINARLY public disclosure date 2024-06-19

Acknowledgements

Binarly REsearch Team

Tags
Vulnerability
supply chain
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner