Header bannerHeader banner
Advisory ID:
BRLY-LOGOFAIL-2023-014

[BRLY-LOGOFAIL-2023-014] Out-of-bounds Read in DXE driver

June 20, 2024
Severity:
Low
CVSS Score
3.2
Public Disclosure Date:
June 19, 2024

Summary

Binarly REsearch Team has discovered a OOB Read vulnerability in DXE driver. Improper validation of PNG chunk length during PNG file processing in AMI firmware leads to OOB read.
Vendors Affected Icon

Vendors Affected

Lenovo
AMI
Affected Products icon

Affected Products

ThinkCentre M75q Gen 2

Potential Impact

This vulnerability will not lead to exploitation, however, it may lead to unexpected behaviour during PNG file processing.

Summary

Binarly REsearch Team has discovered a OOB Read vulnerability in DXE driver. Improper validation of PNG chunk length during PNG file processing in AMI firmware leads to OOB read.

Vulnerability Information

     
  • BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-014  
  • CVSS v3.1: 3.2 Low AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Affected modules with confirmed impact by Binarly REsearch Team

Module name Module GUID Module SHA256
AMITSE b1da0adf-4f77-4070-a88e-bffe1c60529a 439e73d391b7f7540f6faa58afdc2722bda250468d4a4f7f5f84228c1f77ddbe

Potential impact

This vulnerability will not lead to exploitation, however, it may lead to unexpected behaviour during PNG file processing.

Vulnerability description

The pseudocode of the vulnerable function is shown below:

unsigned __int8 *GetImageSize()
{
  unsigned int ImageSize; // ebx
  unsigned __int8 *result; // rax
  __int64 ImagePtrCursor; // r9
  unsigned __int8 *v3; // rcx
  __int64 v4; // r10
  __int64 v5; // r9
  unsigned __int8 *v6; // rcx
  __int64 v7; // rdx
  unsigned int Length; // r11d
  unsigned __int8 *v9; // [rsp+30h] [rbp+8h] BYREF

  ImageSize = 8;
  GlobalImagePtr += 8i64;
  result = (unsigned __int8 *)AllocateZeroPool(4ui64);
  v9 = result;
  if ( result )
  {
    ImagePtrCursor = GlobalImagePtr;
    do
    {
      v3 = result;
      v4 = 4i64;
      do
      {
        *v3 = v3[ImagePtrCursor - (_QWORD)result];
        ++v3;
        --v4;
      }
      while ( v4 );
      v5 = ImagePtrCursor + 4;
      v6 = result;
      v7 = 4i64;
      // BRLY-LOGOFAIL-2023-014: Chunk length is added without validation to ImagePtrCursor
      Length = result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8);
      do
      {
        *v6 = v6[v5 - (_QWORD)result];
        ++v6;
        --v7;
      }
      while ( v7 );
      ImageSize += Length + 12;
      ImagePtrCursor = Length + 8i64 + v5;
    }
    while ( result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8) != 1229278788 );
    GlobalImagePtr = ImagePtrCursor;
    sub_4654(&v9);
    return (unsigned __int8 *)ImageSize;
  }
  return result;
}

As we can see from the pseudocode, the variable Length is initialized from a value ( result) which is read directly from the image buffer. Length is then used to update the ImagePtrCursor variable pointer without any validation.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date (YYYY-mm-dd)
Lenovo PSIRT is notified 2023-06-21
Lenovo ID (LEN-132940) is assigned 2023-06-22
CERT/CC is notified 2023-07-10
AMI PSIRT confirmed reported issues 2023-10-05
AMI PSIRT assigned CVE ID 2023-12-01
BINARLY public disclosure date 2024-06-19

Acknowledgements

Binarly REsearch Team

Tags
Vulnerability
supply chain
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner