An attacker with local access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depends on the operating system) to a DXE driver and execute arbitrary code. Malicious code installed as a result of this exploitation could survive operating system (OS) boot process and runtime, or modify NVRAM area on the SPI flash storage (to gain persistence). Additionally, threat actors could use this vulnerability to bypass OS security mechanisms (modify privileged memory or runtime variables), influence OS boot process, and in some cases allow an attacker to hook or modify EFI Runtime services.
Binarly REsearch Team has discovered a lack of validation on output buffer leads to OOB Write operations during GIF file processing in AMI firmware.
An attacker with local access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depending on the operating system) to a DXE driver and execute arbitrary code. Malicious code installed as a result of this exploitation could survive operating system (OS) boot process and runtime, or modify NVRAM area on the SPI flash storage (to gain persistence). Additionally, threat actors could use this vulnerability to bypass OS security mechanisms (modify privileged memory or runtime variables), influence OS boot process, and in some cases allow an attacker to hook or modify EFI Runtime services.
The pseudocode of the vulnerable function is shown below:
__int64 __fastcall EmitPixel(unsigned __int8 PixelValue)
{
int v1; // r9d
__int64 v2; // rdx
__int64 v3; // rcx
_BYTE *v4; // r8
unsigned int v5; // r9d
unsigned int v6; // ecx
__int64 result; // rax
unsigned int v8; // r9d
v1 = Mult;
if ( PixelValue != dword_7FC20 )
{
v2 = PixelValue;
v3 = GIFColorMap;
// BRLY-LOGOFAIL-2023-023
v4 = (Buffer + (4 * Mult));
*v4 = *(GIFColorMap + 4 * v2);
v4[1] = *(v3 + 4 * v2 + 1);
v4[2] = *(v3 + 4 * v2 + 2);
v4[3] = 0;
}
v5 = v1 + 1;
Mult = v5;
if ( ++dword_8CB80 > dword_94FF8 )
{
dword_8CB80 = dword_95480;
if ( dword_94FE0 )
{
v6 = *(&dword_86C48 + &_ImageBase[2 * dword_95000]) + dword_8CB84;
dword_8CB84 = v6;
if ( v6 <= dword_94FEC )
{
LABEL_9:
v5 = dword_95480 + dword_94BB0 + dword_7FC24 * (v6 + dword_95470);
Mult = v5;
goto LABEL_10;
}
v6 = dword_94FE4 + *(&dword_86C30 + &_ImageBase[2 * ++dword_95000]);
}
else
{
v6 = dword_8CB84 + 1;
}
dword_8CB84 = v6;
goto LABEL_9;
}
LABEL_10:
result = dword_94BC8;
v8 = HIWORD(v5);
if ( dword_94BC8 != v8 )
result = v8;
dword_94BC8 = result;
return result;
}
As we can see from the pseudocode, the global variable Buffer
is a buffer allocated for storing decoded GIF pixels. However this Buffer
is used without any bounds checking, thus allowing the attacker to trigger a heap overflow when fp
is used to write a pixel colors.
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Binarly REsearch Team