BRLY-2022-033 | Firmware Advisory | BINARLY Lab Discovery

Summary

BINARLY efiXplorer team has discovered a stack buffer overflow vulnerability that allows an attacker to execute arbitrary code.

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-2022-033
Qualcomm PSIRT assigned CVE identifier: CVE-2022-40520
CVSS v3.1 Score 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Lenovo firmwares with confirmed impact by Binarly team

Fimware	Module name	Module SHA256	File GUID
`N3HET74W/$0AN3H00.FL1`	UsbConfigDxe	2184d4057ad439fa236c23d0f325fe91781c2c22b8ac67c8ebafe65a176e0298	cd823a4d-7dec-4531-ae5d-4134fa4127b8

Potential impact

An attacker with local privileged access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depends on the operating system) to a DXE Runtime UEFI application and execute arbitrary code.A malicious code installed as a result of the vulnerability exploitation in a DXE driver could survive across an operating system (OS) boot process and runtime or modify NVRAM area on SPI flash storage (to gain persistence on target platform).Additionally, this vulnerability potentially could be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence on the OS boot process, and in some cases would allow an attacker to hook or modify EFI Runtime services.

Vulnerability description

The pseudocode of the vulnerable function is shown below:

__int64 sub_66E8()
{
  // ...

  __int64 DataSize;
  unsigned __int8 Value;
  int v31;
  __int64 v32;
  unsigned int v33;
  __int64 result;

  result = 0;
  v33 = 1;
  v32 = 32;
  v31 = 32;
  DataSize = 1;
  result = gRT->GetVariable(L"UsbConfigPrimaryPort", &gVariableGuid, 0, &DataSize, &Value);
  if ( result >= 0 )
    LODWORD(v32) = sub_6528(Value);
  else
    LODWORD(v32) = 32;
  result = gRT->GetVariable(L"UsbConfigSecondaryPort", &gVariableGuid, 0, &DataSize, &Value);

  // ...
}

As we can see from the pseudocode, DataSize is initialized only once (before the first call to gRT->GetVariable()).

Thus, if the data size of the variable in NVRAM is greater than 1, DataSize will be overwritten. Thus, the next call to gRT-GetVariable() may cause an overflow on the stack (and subsequent execution of arbitrary code).

In order to fix this vulnerability, the DataSize variable must be (re)initialized before each call to gRT->GetVariable():

  // ...

  DataSize = 1;
  result = gRT->GetVariable(L"UsbConfigPrimaryPort", &gVariableGuid, 0, &DataSize, &Value);
  if ( result >= 0 )
    LODWORD(v32) = sub_6528(Value);
  else
    LODWORD(v32) = 32;

  DataSize = 1; // <--- added
  result = gRT->GetVariable(L"UsbConfigSecondaryPort", &gVariableGuid, 0, &DataSize, &Value);

  // ...

Disclosure timeline

This vulnerability is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the vulnerability report will become visible to the public.

Disclosure Activity	Date (YYYY-mm-dd)
Qualcomm PSIRT is notified	2022-10-21
Qualcomm PSIRT confirmed reported issue	2022-10-31
Qualcomm PSIRT assigned CVE number	2022-12-19
Qualcomm PSIRT provide patch release	2023-01-03
BINARLY public disclosure date	2023-01-09

Acknowledgements

BINARLY efiXplorer team