[BRLY-2022-015] The arbitrary code execution in DXE driver.

August 10, 2022

Summary

BINARLY efiXplorer team has discovered the ability of arbitrary code execution in DXE driver.

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-2022-015
Intel PSIRT assigned CVE identifier: CVE-2022-34345
AMI PSIRT assigned CVE identifier: CVE-2022-2154
CERT/CC assigned case number: VU#158026
FwHunt rule: BRLY-2022-015
CVSS v3.1: 7.2 High AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Intel firmwares with confirmed impact by Binarly team

Device/Firmware	File Name	SHA256 (File PE32 section)	File GUID
Intel NUC M15 BCTGL357 v0072 (Latest)	AMITSE	288769fcb374d9280735e259c579e2dc209491f4da43b085d6aabc2d6e6ee57d	b1da0adf-4f77-4070-a88e-bffe1c60529a
Intel NUC M15 BCTGL357 v0072 (Latest)	-	6a2e79de518eb92408ed6c21421b4119da50c2ad31ff7adbb26155c7a335c26d	a2df5376-c2ed-49c0-90ff-8b173b0fd066

Potential impact

An attacker with physical access can exploit this vulnerability to execute arbitrary code during DXE phase. A malicious code installed as a result of vulnerability exploitation in DXE driver could survive across an operating system (OS) boot process and runtime.

Vulnerability description

Consider the vulnerability on the example of the AMITSE driver (file GUID: b1da0adf-4f77-4070-a88e-bffe1c60529a).

The pseudocode for vulnerable function is shown below (function address: 0x16520).

__int64 sub_16520()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  GetPackageListHandle = gEsaVarPtr01;
  Arg2 = 0;
  Guid[0] = 0x70E1A818;
  Guid[1] = 0x44490BE1;
  Guid[2] = 0xF69ED4BF;
  Guid[3] = 0xA8027F8C;
  VendorGuid.Data1 = 0xA2DF5376;
  *&VendorGuid.Data2 = 0x49C0C2ED;
  *VendorGuid.Data4 = 0x178BFF90;
  *&VendorGuid.Data4[4] = 0x66D00F3B;
  if ( gEsaVarPtr01
    || (DataSize = 8,
        gRT->GetVariable(L"EsaVarPtr01", &VendorGuid, 0, &DataSize, &gEsaVarPtr01),
        (GetPackageListHandle = gEsaVarPtr01) != 0) )
  {
    Handle = GetPackageListHandle(Guid, &Arg2);
  }
  else
  {
    Handle = -1;
  }
  if ( Handle != -1 )
    return gEfiHiiDatabaseProtocol->RemovePackageList(gEfiHiiDatabaseProtocol, Handle);
  return Handle;
}

As we can see from the pseudocode, the address of GetPackageListHandle function located in the NVRAM variable EsaVarPtr01. Thus, a potential attacker can create the NVRAM variable EsaVarPtr01 and specify the address of the GetPackageListHandle function inside the data of the variable EsaVarPtr01. Thus, an attacker can execute arbitrary code during DXE phase.

It should be noted that the value of the variable EsaVarPtr01 cannot be set at runtime, but it can be set by physically modifying the SPI flash memory.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity	Date
Intel PSIRT is notified	2022-05-04
Intel PSIRT confirmed reported issue	2022-07-28
Intel PSIRT assigned CVE number	2022-07-28
BINARLY public disclosure date	2022-08-10

Acknowledgements

BINARLY efiXplorer team

Back to overview

Binarly Advisories

REsearch