Header bannerHeader banner
Advisory ID:
BRLY-LOGOFAIL-2023-029

[BRLY-LOGOFAIL-2023-029] Memory contents leak / information disclosure vulnerability in DXE driver

June 20, 2024
Severity:
Low
CVSS Score
3.2
Public Disclosure Date:
June 19, 2024
CVE ID:
CVE-2023-5058

Summary

BINARLY efiXplorer team has discovered an OOB Read vulnerability in the decode routine during GIF file processing in Phoenix firmware.

Vendors Affected

Affected Products

Yoga Slim 7 Pro
,

Potential Impact

An attacker with local privileged access can exploit this vulnerability to read the contents of the physical memory and use this information to exploit other vulnerabilities in DXE. A malicious code installed as a result of the vulnerability exploitation in a DXE driver could survive across an operating system (OS) boot process and runtime or modify NVRAM area on SPI flash storage (to gain persistence on target platform). Additionally, this vulnerability potentially could be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence on the OS boot process, and in some cases would allow an attacker to hook or modify EFI Runtime services.

Summary

BINARLY efiXplorer team has discovered an OOB Read vulnerability in the decode routine during GIF file processing in Phoenix firmware.

Vulnerability Information

     
  • BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-029  
  • Phoenix PSIRT assigned CVE identifier: CVE-2023-5058  
  • CVSS v3.1: 3.2 Low AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Affected modules with confirmed impact by Binarly team

Module name Module GUID Module SHA256
SystemImageDecoderDxe 5F65D21A-8867-45D3-A41A-526F9FE2C598 86E6C85A8FF7C1DB8FF7292521223C546DD4F40F5168F7DA3134916BF52DA81D

Potential impact

An attacker with local privileged access can exploit this vulnerability to read the contents of the physical memory and use this information to exploit other vulnerabilities in DXE. A malicious code installed as a result of the vulnerability exploitation in a DXE driver could survive across an operating system (OS) boot process and runtime or modify NVRAM area on SPI flash storage (to gain persistence on target platform). Additionally, this vulnerability potentially could be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence on the OS boot process, and in some cases would allow an attacker to hook or modify EFI Runtime services.

Vulnerability description

The pseudocode of the vulnerable function is shown below:

INT32 __fastcall DecodeLzwBytes(BUFFER_INDICATOR *Bi, BOOLEAN flag, INT32 CodeSize)
{
  int i; // eax
  int *ptr; // rcx MAPDST
  INT32 result; // eax
  int Code; // er8
  int v9; // er9
  __int64 v10; // r10
  int v11; // er14
  int v12; // er11
  int *v13; // rdx
  int v14; // ecx
  _DWORD *v15; // rdx
  int v16; // eax
  INT32 v17; // eax
  int v18; // eax
  int *v19; // rcx
  _DWORD *v20; // rax
  UINT8 Buffer[272]; // [rsp+20h] [rbp-118h]

  if ( flag )
  {
    set_code_size = CodeSize;
    code_size = CodeSize + 1;
    curbit = 0;
    clear_code = 1 << CodeSize;                 // Root Cause: OOB index.
    lastbit = 0;                                // Firstly, there is INT32 table [2][(1<< MAX_LZW_BITS)], where MAX_LZW_BITS is 12.
    done = 0;                                   // Hence, table [2][4096] is allocated.
    fresh = 1;                                  // CodeSize isn't validated to be between 0 to MAX_LZW_BITS range.
    end_code = (1 << CodeSize) + 1;             // In this case CodeSize determines an index value, which is used to navigate across the table.
    max_code_size = 2 * (1 << CodeSize);        // Secondly, CodeSize influences on size of data returned by GetCode().
    max_code = (1 << CodeSize) + 2;             // In this case the data is used to navigate across the table.
    i = 0;
    if ( 1 << CodeSize > 0 )
    {
      ptr = &table_second_raw;
      do
      {
        *ptr = i++;
        *(ptr - 4096) = 0;
        ++ptr;
      }
      while ( i < 1 << CodeSize );
    }
    if ( i < 0x1000i64 )
    {
      ptr = (int *)((char *)&table_first_raw + 4 * i);
      do
      {
        table_second_raw = 0;
        *ptr = 0;
        ++ptr;
      }
      while ( (__int64)ptr < (__int64)&table_second_raw );
    }
    result = 0;
    sp_ = (__int64)stack;
    return result;
  }
  if ( fresh )
  {
    fresh = 0;
    do
    {
      result = GetCode(Bi, code_size, 0);
      oldcode = result;
      firstcode = result;
    }
    while ( result == clear_code );
    return result;
  }
  if ( sp_ > (unsigned __int64)stack )
  {
    sp_ -= 4i64;
    return *(_DWORD *)sp_;
  }
  Code = GetCode(Bi, code_size, 0);
  if ( Code < 0 )
    return Code;
  while ( 2 )
  {
    v9 = clear_code;
    if ( Code == clear_code )
    {
      v18 = 0;
      if ( clear_code > 0 )
      {
        v19 = &table_second_raw;
        do
        {
          *v19 = v18++;
          *(v19 - 4096) = 0;
          ++v19;
        }
        while ( v18 < v9 );
      }
      if ( v18 < 4096i64 )
      {
        v20 = (_DWORD *)((char *)&table_first_raw + 4 * v18);
        do
        {
          v20[4096] = 0;
          *v20 = 0;
          ++v20;
        }
        while ( (__int64)v20 < (__int64)&table_second_raw );
      }
      max_code_size = 2 * v9;
      code_size = set_code_size + 1;
      max_code = v9 + 2;
      sp_ = (__int64)stack;
      result = GetCode(Bi, set_code_size + 1, 0);
      oldcode = result;
      firstcode = result;
    }
    else
    {
      if ( Code != end_code )
      {
        v10 = max_code;
        v11 = Code;
        v12 = oldcode;
        v13 = (int *)sp_;
        if ( Code >= max_code )
        {
          Code = oldcode;
          *(_DWORD *)sp_ = firstcode;
          ++v13;
        }
        while ( Code >= v9 )
        {
          *v13 = *((_DWORD *)&table_first_raw + Code + 0x1000);// CRASH location x2: OOB read
          ++v13;
          sp_ = (__int64)v13;
          if ( Code == *((_DWORD *)&table_first_raw + Code) )
            return -3;
          Code = *((_DWORD *)&table_first_raw + Code);
        }
        v14 = *((_DWORD *)&table_first_raw + Code + 0x1000);
        *v13 = v14;
        v15 = v13 + 1;
        firstcode = v14;
        sp_ = (__int64)v15;
        if ( (int)v10 >= 0x1000
          || (v16 = max_code_size,
              *((_DWORD *)&table_first_raw + v10) = v12,
              *((_DWORD *)&table_first_raw + v10 + 0x1000) = v14,
              max_code = v10 + 1,
              (int)v10 + 1 < v16)
          || v16 >= 0x1000 )
        {
          v17 = code_size;
        }
        else
        {
          max_code_size = 2 * v16;
          v17 = ++code_size;
        }
        oldcode = v11;
        if ( v15 > stack )
        {
          sp_ = (__int64)(v15 - 1);
          return *(v15 - 1);
        }
        Code = GetCode(Bi, v17, 0);
        if ( Code >= 0 )
          continue;
        return Code;
      }
      if ( !gZeroDataBlock )
      {
        while ( GetDataBlock(Bi, Buffer) > 0 )
          ;
      }
      result = -2;
    }
    break;
  }
  return result;
}

As we can see from the pseudocode, CodeSize isn’t properly validated to be between 0 and MAX_LZW_BITS, resulting in an OOB read vulnerability.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date (YYYY-mm-dd)
Lenovo PSIRT is notified 2023-06-21
Lenovo ID (LEN-132940) is assigned 2023-06-22
CERT/CC is notified 2023-07-10
Phoenix PSIRT confirmed reported issues 2023-09-10
Phoenix PSIRT assigned CVE ID 2023-11-27
Phoenix advisory release date 2023-12-06
BINARLY public disclosure date 2024-06-19

Acknowledgements

BINARLY efiXplorer team

Tags
Vulnerability
supply chain
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner