An attacker with local access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depends on the operating system) to a DXE driver and execute arbitrary code. Malicious code installed as a result of this exploitation could survive operating system (OS) boot process and runtime, or modify NVRAM area on the SPI flash storage (to gain persistence). Additionally, threat actors could use this vulnerability to bypass OS security mechanisms (modify privileged memory or runtime variables), influence OS boot process, and in some cases allow an attacker to hook or modify EFI Runtime services.
Binarly REsearch Team has discovered a lack of array index validation leading to OOB Write operations on global data during JPEG file processing in AMI firmware.
An attacker with local access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depending on the operating system) to a DXE driver and execute arbitrary code. Malicious code installed as a result of this exploitation could survive operating system (OS) boot process and runtime, or modify NVRAM area on the SPI flash storage (to gain persistence). Additionally, threat actors could use this vulnerability to bypass OS security mechanisms (modify privileged memory or runtime variables), influence OS boot process, and in some cases allow an attacker to hook or modify EFI Runtime services.
The pseudocode of the vulnerable function is shown below:
__int64 __fastcall CreateHuffmanTable(WORD *a1, BYTE *a2)
{
int v2; // ebx
WORD v3; // r10
__int64 index; // r8
BYTE *v5; // rdx
unsigned __int8 v6; // r11
BYTE *v7; // rdi
int v8; // r9d
__int64 index_plus_1; // r8
WORD v10; // ax
__int64 result; // rax
v2 = 0;
v3 = 0;
index = 0i64;
v5 = a2 + 1;
v6 = 1;
v7 = v5;
do
{
v8 = *v5;
if ( *v5 )
{
v2 += v8 + 2 * v8;
do
{
// BRLY-LOGOFAIL-2023-020: index is not checked and can lead to OOB write to the statically-allocated global buffer pointer by a1
a1[index] = v6;
--v8;
index_plus_1 = index + 1;
a1[index_plus_1++] = v3;
v10 = v7[16];
++v3;
++v7;
a1[index_plus_1] = v10;
index = index_plus_1 + 1;
}
while ( v8 > 0 );
}
v3 *= 2;
++v5;
++v6;
}
while ( v6 <= 0x10u );
result = v2;
a1[v2] = 17;
return result;
}
As we can see from the pseudocode, the index
variable is used to access the array pointed by a1
without any bounds checking. The attacker indirectly controls index
since it is incremented on every iteration of the loop depending on v8
which is read directly from the attacker controlled image. Since this function receives a statically allocated array:
...
v15 = &unk_96580;
result = CreateHuffmanTable(v15, *v13);
...
the attacker can write after the end of this array and corrupt other global data.
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Binarly REsearch Team