Header bannerHeader banner
Advisory ID:
BRLY-LOGOFAIL-2023-028

[BRLY-LOGOFAIL-2023-028] Memory Corruption vulnerability in DXE driver

June 20, 2024
Severity:
High
CVSS Score
8.2
Public Disclosure Date:
June 19, 2024
CVE ID:
CVE-2023-5058

Summary

BINARLY efiXplorer team has discovered an OOB Write vulnerability in the decode routine during GIF file processing in Phoenix firmware.

Vendors Affected

Affected Products

Yoga Slim 7 Pro
,

Potential Impact

An attacker with local access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depends on the operating system) to a DXE driver and execute arbitrary code. Malicious code installed as a result of this exploitation could survive operating system (OS) boot process and runtime, or modify NVRAM area on the SPI flash storage (to gain persistence). Additionally, threat actors could use this vulnerability to bypass OS security mechanisms (modify privileged memory or runtime variables), influence OS boot process, and in some cases allow an attacker to hook or modify EFI Runtime services.

Summary

BINARLY efiXplorer team has discovered an OOB Write vulnerability in the decode routine during GIF file processing in Phoenix firmware.

Vulnerability Information

     
  • BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-028  
  • Phoenix PSIRT assigned CVE identifier: CVE-2023-5058  
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected modules with confirmed impact by Binarly team

Module name Module GUID Module SHA256
SystemImageDecoderDxe 5F65D21A-8867-45D3-A41A-526F9FE2C598 86E6C85A8FF7C1DB8FF7292521223C546DD4F40F5168F7DA3134916BF52DA81D

Potential impact

An attacker with local access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depending on the operating system) to a DXE driver and execute arbitrary code. Malicious code installed as a result of this exploitation could survive operating system (OS) boot process and runtime, or modify NVRAM area on the SPI flash storage (to gain persistence). Additionally, threat actors could use this vulnerability to bypass OS security mechanisms (modify privileged memory or runtime variables), influence OS boot process, and in some cases allow an attacker to hook or modify EFI Runtime services.

Vulnerability description

The pseudocode of the vulnerable function is shown below:

INT32 __fastcall DecodeLzwBytes(BUFFER_INDICATOR *Bi, BOOLEAN flag, INT32 CodeSize)
{
  int i; // eax
  int *ptr; // rcx MAPDST
  INT32 result; // eax
  int Code; // er8
  int v9; // er9
  __int64 v10; // r10
  int v11; // er14
  int v12; // er11
  int *v13; // rdx
  int v14; // ecx
  _DWORD *v15; // rdx
  int v16; // eax
  INT32 v17; // eax
  int v18; // eax
  int *v19; // rcx
  _DWORD *v20; // rax
  UINT8 Buffer[272]; // [rsp+20h] [rbp-118h]

  if ( flag )
  {
    set_code_size = CodeSize;
    code_size = CodeSize + 1;
    curbit = 0;
    clear_code = 1 << CodeSize;                 // Root Cause: OOB index.
    lastbit = 0;                                // Firstly, there is INT32 table [2][(1<< MAX_LZW_BITS)], where MAX_LZW_BITS is 12.
    done = 0;                                   // Hence, table [2][4096] is allocated.
    fresh = 1;                                  // CodeSize isn't validated to be between 0 to MAX_LZW_BITS range.
    end_code = (1 << CodeSize) + 1;             // In this case CodeSize determines an index value, which is used to navigate across the table.
    max_code_size = 2 * (1 << CodeSize);        // Secondly, CodeSize influences on size of data returned by GetCode().
    max_code = (1 << CodeSize) + 2;             // In this case the data is used to navigate across the table.
    i = 0;
    if ( 1 << CodeSize > 0 )
    {
      ptr = &table_second_raw;
      do
      {
        *ptr = i++;                             // CRASH location: OOB write
        *(ptr - 4096) = 0;
        ++ptr;
      }
      while ( i < 1 << CodeSize );
    }
    if ( i < 0x1000i64 )
    {
      ptr = (int *)((char *)&table_first_raw + 4 * i);
      do
      {
        table_second_raw = 0;
        *ptr = 0;
        ++ptr;
      }
      while ( (__int64)ptr < (__int64)&table_second_raw );
    }
    result = 0;
    sp_ = (__int64)stack;
    return result;
  }
  if ( fresh )
  {
    fresh = 0;
    do
    {
      result = GetCode(Bi, code_size, 0);
      oldcode = result;
      firstcode = result;
    }
    while ( result == clear_code );
    return result;
  }
  if ( sp_ > (unsigned __int64)stack )
  {
    sp_ -= 4i64;
    return *(_DWORD *)sp_;
  }
  Code = GetCode(Bi, code_size, 0);
  if ( Code < 0 )
    return Code;
  while ( 2 )
  {
    v9 = clear_code;
    if ( Code == clear_code )
    {
      v18 = 0;
      if ( clear_code > 0 )
      {
        v19 = &table_second_raw;
        do
        {
          *v19 = v18++;
          *(v19 - 4096) = 0;
          ++v19;
        }
        while ( v18 < v9 );
      }
      if ( v18 < 4096i64 )
      {
        v20 = (_DWORD *)((char *)&table_first_raw + 4 * v18);
        do
        {
          v20[4096] = 0;
          *v20 = 0;
          ++v20;
        }
        while ( (__int64)v20 < (__int64)&table_second_raw );
      }
      max_code_size = 2 * v9;
      code_size = set_code_size + 1;
      max_code = v9 + 2;
      sp_ = (__int64)stack;
      result = GetCode(Bi, set_code_size + 1, 0);
      oldcode = result;
      firstcode = result;
    }
    else
    {
      if ( Code != end_code )
      {
        v10 = max_code;
        v11 = Code;
        v12 = oldcode;
        v13 = (int *)sp_;
        if ( Code >= max_code )
        {
          Code = oldcode;
          *(_DWORD *)sp_ = firstcode;
          ++v13;
        }
        while ( Code >= v9 )
        {
          *v13 = *((_DWORD *)&table_first_raw + Code + 0x1000);
          ++v13;
          sp_ = (__int64)v13;
          if ( Code == *((_DWORD *)&table_first_raw + Code) )
            return -3;
          Code = *((_DWORD *)&table_first_raw + Code);
        }
        v14 = *((_DWORD *)&table_first_raw + Code + 0x1000);
        *v13 = v14;
        v15 = v13 + 1;
        firstcode = v14;
        sp_ = (__int64)v15;
        if ( (int)v10 >= 0x1000
          || (v16 = max_code_size,
              *((_DWORD *)&table_first_raw + v10) = v12,
              *((_DWORD *)&table_first_raw + v10 + 0x1000) = v14,
              max_code = v10 + 1,
              (int)v10 + 1 < v16)
          || v16 >= 0x1000 )
        {
          v17 = code_size;
        }
        else
        {
          max_code_size = 2 * v16;
          v17 = ++code_size;
        }
        oldcode = v11;
        if ( v15 > stack )
        {
          sp_ = (__int64)(v15 - 1);
          return *(v15 - 1);
        }
        Code = GetCode(Bi, v17, 0);
        if ( Code >= 0 )
          continue;
        return Code;
      }
      if ( !gZeroDataBlock )
      {
        while ( GetDataBlock(Bi, Buffer) > 0 )
          ;
      }
      result = -2;
    }
    break;
  }
  return result;
}

As we can see from the pseudocode, CodeSize isn’t properly validated to be between 0 and MAX_LZW_BITS, resulting in an OOB write vulnerability.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date (YYYY-mm-dd)
Lenovo PSIRT is notified 2023-06-21
Lenovo ID (LEN-132940) is assigned 2023-06-22
CERT/CC is notified 2023-07-10
Phoenix PSIRT confirmed reported issues 2023-09-10
Phoenix PSIRT assigned CVE ID 2023-11-27
Phoenix advisory release date 2023-12-06
BINARLY public disclosure date 2024-06-19

Acknowledgements

BINARLY efiXplorer team

Tags
Vulnerability
supply chain
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner