[BRLY-2022-036] The stack memory leak vulnerability in DXE driver.
Summary
The BINARLY efiXplorer team has discovered a stack memory leak vulnerability that allows a potential attacker to write stack memory to an NVRAM variable.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2022-036
- Qualcomm PSIRT assigned CVE identifier: CVE-2022-40519
- CVSS v3.1 score: 6.0 (Medium), vector AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected Lenovo firmware with impact confirmed by the Binarly team
| Firmware              | Module name | Module SHA256                                                    | File GUID                            |
| N3HET74W/$0AN3H00.FL1 | QcomBds     | 322526e3ede8a040c80e59f4384bd3965b5cb19cd20636b5a189213a807b9bd0 | 5A50AA81-C3AE-4608-A0E3-41A2E69BAF94 |
Potential impact
An attacker with local privileged access can exploit this vulnerability to read the contents of the stack and use this information to exploit other vulnerabilities in DXE. Malicious code installed by exploiting a vulnerability in a DXE driver could survive across the operating system (OS) boot process and runtime, or modify the NVRAM area on SPI flash storage (to gain persistence on the target platform). Additionally, this vulnerability could potentially be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence the OS boot process, and in some cases hook or modify EFI Runtime Services.
Vulnerability description
The vulnerable function is part of the protocol with GUID d874d61a-4b87-7608-a00f-58add7052530.
The pseudocode of the vulnerable function is shown below:
__int64 sub_192A0()
{
  EFI_GET_VARIABLE GetVariable;
  int ResValue;
  EFI_SET_VARIABLE SetVariable;
  int RunCyclesValue;
  __int64 DataSize;

  RunCyclesValue = 0;
  CheckHwErrRecSupport();
  DataSize = 4;
  if ( (gRT->GetVariable)(L"MTC", &gVariableGuid, 0, &DataSize, &gMtcValue) )
    gMtcValue = 0;
  GetVariable = gRT->GetVariable;
  DataSize = 4;
  // GetVariable() updates DataSize with the stored variable's actual size when
  // the 4-byte buffer is too small; DataSize is not reset afterwards.
  if ( (GetVariable)(L"RunCycles", &gVariableGuid, 0, &DataSize, &RunCyclesValue) == EFI_NOT_FOUND )
  {
    ResValue = 1;
    RunCyclesValue = 0;
  }
  else
  {
    ResValue = RunCyclesValue + 1;
  }
  SetVariable = gRT->SetVariable;
  RunCyclesValue = ResValue;
  // Bug: the possibly enlarged DataSize is passed here, so SetVariable() copies
  // DataSize bytes starting at the 4-byte RunCyclesValue stack slot into NVRAM.
  // Attributes 7 = NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
  (SetVariable)(L"RunCycles", &gVariableGuid, 7, DataSize, &RunCyclesValue);
  DataSize = 4;
  return (gRT->GetVariable)(L"RunCycles", &gVariableGuid, 0, &DataSize, &RunCyclesValue);
}
As we can see from the pseudocode, for the RunCycles variable the gRT->SetVariable() service is called with the DataSize value, which can be overwritten inside the gRT->GetVariable() service: when the stored RunCycles variable is larger than the 4-byte buffer, GetVariable() returns EFI_BUFFER_TOO_SMALL and stores the variable's actual size in DataSize. Thus, a potential attacker who writes any buffer of length X > 4 to the RunCycles NVRAM variable causes X - 4 bytes from the stack to be written to NVRAM.
In order to fix this vulnerability, the DataSize variable must be initialized before gRT->SetVariable() is called.
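To show how the reused DataSize turns into a stack disclosure, here is an added example that is not part of the Binarly advisory or of the Qualcomm driver: the GetVariable/SetVariable services are replaced by mocks that follow the UEFI size contract, and run_cycles_update() re-creates the RunCycles logic in both its vulnerable and its fixed form against a constructed stack frame and a constructed NVRAM store.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5
#define EFI_NOT_FOUND        14
#define NV_MAX               32
/* Simulated NVRAM store for the RunCycles variable (constructed, not real firmware state). */
uint8_t nv_data[NV_MAX];
size_t  nv_size = 0;                     /* 0 means the variable does not exist */
/* Mock of gRT->GetVariable: per the UEFI contract, when *data_size is too small it
   writes the required size back into *data_size and returns EFI_BUFFER_TOO_SMALL. */
static uint64_t mock_get_variable(size_t *data_size, void *data) {
    if (nv_size == 0) return EFI_NOT_FOUND;
    if (*data_size < nv_size) { *data_size = nv_size; return EFI_BUFFER_TOO_SMALL; }
    *data_size = nv_size;
    memcpy(data, nv_data, nv_size);
    return EFI_SUCCESS;
}

/* Mock of gRT->SetVariable: stores exactly data_size bytes from the caller's buffer. */
static uint64_t mock_set_variable(size_t data_size, const void *data) {
    if (data_size > NV_MAX) data_size = NV_MAX;
    memcpy(nv_data, data, data_size);
    nv_size = data_size;
    return EFI_SUCCESS;
}

/* Seeds the simulated variable with `size` bytes of 0x41 (constructed, attacker-chosen size). */
void seed_run_cycles(size_t size) { memset(nv_data, 0x41, NV_MAX); nv_size = size > NV_MAX ? NV_MAX : size; }
/* Reads the stored counter back (first 4 bytes of the simulated variable). */
uint32_t nv_word(void) { uint32_t v; memcpy(&v, nv_data, sizeof v); return v; }

/* Re-creates the RunCycles flow of sub_192A0 and returns the byte count handed to
   SetVariable; fixed != 0 selects the patched flow (DataSize re-initialised). */
size_t run_cycles_update(int fixed) {
    /* Constructed stack frame: run_cycles is the first 4 bytes, 0xCC filler stands in
       for whatever the real function keeps next to RunCyclesValue on the stack. */
    union { uint32_t run_cycles; uint8_t raw[NV_MAX]; } frame;
    memset(frame.raw, 0xCC, sizeof frame.raw);
    frame.run_cycles = 0;
    size_t data_size = sizeof frame.run_cycles;
    uint32_t res = (mock_get_variable(&data_size, &frame.run_cycles) == EFI_NOT_FOUND)
                   ? 1 : frame.run_cycles + 1;
    if (fixed) data_size = sizeof frame.run_cycles;   /* the fix: never reuse DataSize */
    frame.run_cycles = res;
    mock_set_variable(data_size, frame.raw);          /* vulnerable when data_size > 4 */
    return nv_size;
}
```

With a 16-byte RunCycles value seeded, the vulnerable flow hands 16 bytes to SetVariable and the 0xCC filler (standing in for neighbouring stack data) lands in NVRAM, while the fixed flow writes only 4.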
Disclosure timeline
This vulnerability is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the vulnerability report will become visible to the public.
| Disclosure Activity                       | Date (YYYY-mm-dd) |
| Qualcomm PSIRT is notified                | 2022-10-21        |
| Qualcomm PSIRT confirmed reported issue   | 2022-10-30        |
| Qualcomm PSIRT assigned CVE number        | 2022-12-19        |
| Qualcomm PSIRT provided patch release     | 2023-01-03        |
| BINARLY public disclosure date            | 2023-01-09        |
Acknowledgements
BINARLY efiXplorer team