Summary
Intel firmware allows end users to customize the logo shown on a device's display during boot. The BINARLY REsearch team has uncovered multiple critical vulnerabilities in the libraries used to parse the image formats in which these logos are stored. This vulnerability poses a high-severity risk, as it exposes a previously unexplored attack surface that can be exploited by malicious actors with administrative access to a device. Our analysis of a dataset of Intel firmware identified 42 unique Intel products affected by this issue, including devices running firmware developed by American Megatrends. Given the systemic, industry-wide scope of this vulnerability, we refer to it as LogoFAIL.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2023-018
- AMI PSIRT assigned CVE identifier: CVE-2023-39539
- CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Intel firmware with confirmed impact by Binarly REsearch Team
| IBV | Device/Firmware | Filename | SHA256 |
| --- | --- | --- | --- |
| AMI | Intel NUC M15 | BC0079.CAP | f31bdf64a494f394aa1bd6cb82680e3257f8112e708b7ec3335291ab0dfea1ca |
Vulnerability Summary
An attacker can exploit this vulnerability by flashing firmware containing a maliciously crafted logo image and restarting the system under attack. During the boot process, logo images are parsed and transformed into an intermediate format before they are displayed. On devices vulnerable to LogoFAIL, attackers can supply custom logos and thus trigger any vulnerability in the image parser. This allows attackers to divert the execution flow during boot and execute arbitrary code. LogoFAIL can be exploited by attackers with administrative privileges, and it is not stopped by modern firmware defenses (e.g., BIOS Guard, Boot Guard, Secure Boot).
In the following sections, we show how attackers can flash firmware with arbitrary logo images on Intel devices. We then explore how image parsers are used during the boot process and how we tested their security. Finally, we showcase a bug involving a heap out-of-bounds write caused by an integer overflow.
Vulnerability description (AMI firmware)
How logos can be customized
In AMI-based Intel firmware, logos can be flashed onto a device simply by using the Aptio V Integrator Tools released by Intel. In particular, iChLogo can be used to replace the logo image stored in a capsule update with an attacker-controlled logo:
user@binarly~$ iChLogoLnx64 /i BC0079.CAP /o LOGOFAIL.CAP /r exploit.png
+--------------------------------------------------------------------------+
| iChLogo 5.15.0044 |
| Copyright (c) 2021 AMI. All rights reserved. |
+--------------------------------------------------------------------------+
Replaced existing logo with /home/user/exploit.png.
New image [LOGOFAIL.CAP] created successfully!
The resulting malicious capsule update LOGOFAIL.CAP can then be flashed with iFlashV:
user@binary:$ sudo ./iFlashVLnx64 LOGOFAIL.CAP /k1
[sudo] password for user:
| Intel Firmware Update Utility v5.13.00.2104
| Copyright Cc) 2023 AMI. All rights reserved.
Reading flash ...................... Done
- System Secure Flash .............. Enabled
- FFS Checksums .................... Pass
Erasing NCB Block .................. Done
Updating NCB Block ................. Done
Verifying NCB Block ................ Done
Process completed.
(Vulnerable) Image Parsing Protocols
During our analysis of Intel NUC M15 firmware, we discovered that the AMITSE module contains the functions implementing the parsing libraries for BMP, JPEG and PNG.
| File Name | File GUID | SHA256 |
| --- | --- | --- |
| AMITSE | B1DA0ADF-4F77-4070-A88E-BFFE1C60529A | 1e9500b2263a012e77e41d92e896d35ff5f54fe7c0b09bee45de1eab09686097 |
The entry point of the parsing logic is function sub_BD6C, which we renamed ParseImage in the following snippet. This function locates the EfiGraphicsOutputProtocol, which is used to find the horizontal and vertical resolution of the device's screen. It then calls ParseBMP if the first two bytes of LogoData are 'B' and 'M' respectively. Otherwise execution continues in ParseOthers, where similar checks on LogoData identify JPEG and PNG images and dispatch execution to the proper image parser.
__int64 __fastcall ParseImage(
        _BYTE *LogoData,
        __int64 LogoSize_1,
        int a3,
        __int64 a4,
        __int64 a5,
        char a6,
        unsigned __int64 *Vertical,
        unsigned __int64 *Horizontal)
{
  unsigned __int64 *Width; // rsi
  unsigned __int64 *Height; // rbx
  __int64 result; // rax
  __int64 LogoSize; // rdx (decompiler alias of the LogoSize_1 argument, which is passed in rdx)
  unsigned __int64 v15; // rdi
  unsigned __int64 DecodedSize[2]; // [rsp+40h] [rbp-10h] BYREF
  void *DecodedLogo; // [rsp+78h] [rbp+28h] BYREF

  // Output parameters are zeroed before any parsing happens
  Width = Vertical;
  Height = Horizontal;
  DecodedSize[0] = 0i64;
  DecodedLogo = 0i64;
  *Vertical = 0i64;
  *Height = 0i64;
  sub_75F8();
  if ( !gEfiGraphicsOutputProtocol )
    return 0x8000000000000003ui64; // EFI_UNSUPPORTED
  // Screen resolution is read through the Graphics Output Protocol
  result = GetResolution(&Horizontal, &Vertical);
  if ( result >= 0 )
  {
    // Dispatch on the first two bytes of the attacker-controlled logo:
    // "BM" goes to the BMP parser, everything else to ParseOthers (JPEG/PNG).
    // No further validation of LogoData is performed at this level.
    result = *LogoData == 'B' && LogoData[1] == 'M'
           ? ParseBMP(LogoData, LogoSize, &DecodedLogo, DecodedSize, Height, Width)
           : ParseOthers(LogoData, LogoSize, &DecodedLogo, DecodedSize, Height, Width);
    v15 = *Width;
    if ( result >= 0 )
    {
      // If the decoded logo is larger than the screen, adjust and re-read the resolution
      if ( a6 && (v15 > Horizontal || *Height > Vertical) )
      {
        sub_BD3C(Width, Height);
        if ( gEfiGraphicsOutputProtocol )
          GetResolution(&Horizontal, &Vertical);
      }
      // Display the decoded logo, then free the intermediate buffer
      sub_C014(DecodedLogo, a3, *Width, *Height, a4, a5, v15);
      MemFreePointer(&DecodedLogo);
      return 0i64;
    }
  }
  return result;
}
Finding Crashes in Image Parsers
To evaluate the robustness of the image parsers mentioned above, we tested each of them with fuzz testing techniques. This resulted in the discovery of multiple crashes in all tested parsers. These crashes cover a wide range of issues, from less severe out-of-bounds reads to more critical out-of-bounds arbitrary writes where the attacker controls both the target memory address and the written content. In the next sections we summarize the crashes we found during this security evaluation.
Summary of Crashes
The following table summarizes the crashes that we found during the analysis of Intel NUC M15 firmware.
| Rule ID | CVE | Module Name | Rule Description |
| --- | --- | --- | --- |
| BRLY-LOGOFAIL-2023-013 | CVE-2023-39539 | AMITSE | Lack of BmpHeader->ImageOffset validation will lead to OOB Read during BMP file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-014 | CVE-2023-39539 | AMITSE | Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-015 | CVE-2023-39539 | AMITSE | Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-016 | CVE-2023-39539 | AMITSE | Integer overflow on memory allocation size (which depends on image height) leads to OOB Write operations during PNG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-017 | CVE-2023-39539 | AMITSE | Unchecked array index leads to OOB Write operations while decoding Huffman tables during PNG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-018 | CVE-2023-39539 | AMITSE | Integer overflow on memory allocation size (which depends on image width and height) leads to OOB Write operations during PNG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-019 | CVE-2023-39539 | AMITSE | Integer overflow on memory allocation size (which depends on image width and height) leads to OOB Write operations during PNG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-020 | CVE-2023-39539 | AMITSE | Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-021 | CVE-2023-39539 | AMITSE | Lack of validation on marker length leads to multiple OOB Read operations during JPEG file processing in AMI firmware |
| BRLY-LOGOFAIL-2023-022 | CVE-2023-39539 | AMITSE | Lack of validation on number of Huffman tables leads to OOB Write operations during JPEG file processing in AMI firmware |
Our analysis identified the crashing input related to BRLY-LOGOFAIL-2023-015 as possibly the most serious one, as it involves a heap out-of-bounds write caused by an integer overflow. After flashing firmware containing the crafted PNG image just described, the device effectively enters a bricked state. As further proof of the severity of LogoFAIL, we found that the only way to "unbrick" the device is to physically reflash it. We also followed the official Intel recommendation "How to Recover Intel® NUC BIOS", but it did not work.
Preliminary list of affected Intel devices
To evaluate the impact of LogoFAIL, we explored an internal dataset of Intel firmware. For the firmware images listed in the following table, iChLogo can be used to replace the image stored in the firmware, so these devices are likely vulnerable to LogoFAIL.
| Firmware SHA256 | Firmware Name | Vendor download URL |
| --- | --- | --- |
| 0153cb7a6f406dad6050729992e6b59456347f74da59358d5cf3d6de9b66c58f | BIOS Update [SBRPL790] | https://downloadmirror.intel.com/779237/SBRPL790.0057.EBU.EXE |
| 06292671e3c48951d3a1e9038eaba77aca395ea69c0da6d145dfc9604f183a7c | BIOS Update for Intel® N | https://downloadmirror.intel.com/763431/QC0158.CAP |
| 070660c01c87d169c335ad3b1c197741fd3819c8af05f09ba98c9baf383348a1 | BIOS Update [TNTGL357] | https://downloadmirror.intel.com/779613/TNTGL357.0073.RECOVERY.zip |
| 0737cf26ef44eba7fac49a8384ec626a8e6b2006d6618ebc6e03aed31277450b | BIOS Update [IBRPL357] | https://downloadmirror.intel.com/780599/IBRPL357.0023.UEFI.zip |
| 0b50ebc1f011485c23af2c4ee6b246f79451d2d95fc53166a3e0b65a3144f00b | BIOS Update for the Inte | https://downloadmirror.intel.com/773810/RC0061.cap |
| 19a7a90b9e4871fe5f07f4893469024d6daaa8dec461c198702236d378d99857 | BIOS Update [EDADL579] | https://downloadmirror.intel.com/782529/EDADL579.0059.UEFI.zip |
| 1c46c273be5ec0feabbee6233683d7f8d6fb8b09d727758e187609dfb46b13b1 | BIOS Update for the Inte | https://downloadmirror.intel.com/780713/BC0079.CAP |
| 388cd43e6007e7550c22eff47ca1b4527de8883e30a572ba43e4a9a00c8203ea | Intel Server Board M10JN | https://cdrdv2.intel.com/v1/dl/getContent/763460?explicitVersion=true |
| 3c63aa14a9f7a2d0b70df86b78c94938e99d9cc7a7171a1cd6b46ba180526017 | BIOS Update [INWHL357] | https://downloadmirror.intel.com/779714/IN0048.CAP |
| 3f164c145e44b4e649ceac4d9d820b3600459001e792e5667cbed3e01988a3ce | BIOS Update [EDADLMIV] | https://downloadmirror.intel.com/782531/EDADLMIV.0059.UEFI.zip |
| 3fa66064557b4eea5754262efd77f3bf13c848339f5d67b3aa59659392fc2adf | BIOS Update [L3RPL357] | https://downloadmirror.intel.com/778293/L3RPL357.0027.UEFI.zip |
| 3fc467d251f5a1225cf710ca8acd9e2fea82bbb5f8dcc91ff78d6609ffdb3e70 | BIOS Update [EBTGL357] | https://downloadmirror.intel.com/777627/EBTGL357.0072.UEFI.zip |
| 45ccf82d37a645de8dd4331346848575643b32f48758a91410beb5d5643881b4 | BIOS Update [SNADL357] | https://downloadmirror.intel.com/779585/SNADL357.0057.RECOVERY.zip |
| 460fda3a419e94caa56d17552e6acd4a67c678afb5b7e80b4651dda5956c54ac | Intel Server Board M10JN | https://cdrdv2.intel.com/v1/dl/getContent/736343?explicitVersion=true |
| 49b698416642926dfff67d162739b42caec7ea1d2d99e3785ccbe4baceeeb179 | BIOS Update [ANRPLV57] | https://downloadmirror.intel.com/782091/ANRPLV57.0027.RECOVERY.zip |
| 53e5d71a66235998e8a07efc55c9fd0f1fb3c82b56ad0a6a15cdf4c190d3997b | BIOS Update [ATJSLCPX] | https://downloadmirror.intel.com/781955/ATJSLCPX.0041.EBU.exe |
| 559f0d06d88e21e4d5e32cbecb0dc1ee7ff1e48ad86080880b83f08d0dcb2f30 | BIOS Update [PHTGL579] | https://downloadmirror.intel.com/780708/PHTGL579.0073.UEFI.zip |
| 68bdd7e47bff3f11c5dac21725e82f7ab8ce3e145b824d7ffda526faa87227db | BIOS Update [CHAPLCEL] | https://downloadmirror.intel.com/778399/CHAPLCEL.0062.UEFI.zip |
| 68bfc1e640d50407708ce690fdcf121da49284fe759328cb32a5aa364e70dd50 | BIOS Update [PATGL357] | https://downloadmirror.intel.com/779451/PATGL357.0051.RECOVERY.zip |
| 6beec19dfa153d5f591203df5520b7af83d316f2b74dbf0df563c81ead43a0db | BIOS Update [L3RPLV57] | https://downloadmirror.intel.com/778285/L3RPLV57.0027.UEFI.zip |
| 6e59eea2c2bbab65dfdbe8efefdf3ff6131518038e320c10ee245537d12f1f14 | BIOS Update [DBTGL579] | https://downloadmirror.intel.com/780347/DBTGL579.0066.EBU.exe |
| 76e7098e5140555662878fb7d254339bed06ea71dfdae9c738185f0fde5a2ebf | BIOS Update [CBWHLMIV] | https://downloadmirror.intel.com/780520/CBWHLMIV.0102.UEFI.zip |
| 7bb7b4c804c41cc9d2af7830073d62e02456933cca7a31488cdcb9cea3208b7d | BIOS Update [QXCFL579] | https://downloadmirror.intel.com/778476/QX0072.cap |
| 7f60c2a74d9628f5a47bfcc8fa11b4495d1d5cf7081757af9df8db3f79260b31 | BIOS Update [SBRPL579] | https://downloadmirror.intel.com/779239/SB0057.CAP |
| 811c88ae90ff40e0ed70d32e07d50f459d6bd7f339549a0c75ae5f97e54a70d4 | BIOS Update [HBADL357] | https://downloadmirror.intel.com/781007/HBADL357.0055.UEFI.zip |
| 8630ecb854f3616678c087cba616b2a7e4b437314fea9041c1c053ae8f1dfb4a | BIOS Update [CBWHL357] | https://downloadmirror.intel.com/780518/CBWHL357.0102.EBU.exe |
| 9153b6df2b571faa1ed8b475a595c258e6e0304b1db5f2f1571880cbc5d57ebe | BIOS Update [FNCML357] | https://downloadmirror.intel.com/773261/FNCML357.0060.UEFI.zip |
| 97252538268751eb652a6315ae8d9ba1c5e3f54e3ce754b1b2a14888b23c76d4 | BIOS Update [EBTGLMIV] | https://downloadmirror.intel.com/777626/EBTGLMIV.0072.RECOVERY.zip |
| 9785c1630d2660d7ab4bd4e4f9fb503e0e52cac98bdb331ea96d74d25a48f752 | BIOS Update [WSADLV57] | https://downloadmirror.intel.com/780041/WSADLV57.0088.UEFI.zip |
| 9bc278a285c474dbe7ebce3399034833803699ff8fe9e0955ba72ef79da5a7f3 | BIOS Update [TNTGLV57] | https://downloadmirror.intel.com/779612/TNv0073.CAP |
| a132cd6038454085a5d1fe961a70d08c7afb17c6a1b846a71ddb4c08edcae652 | Intel Server Board M10JN | https://cdrdv2.intel.com/v1/dl/getContent/726934?explicitVersion=true |
| b06dd937610292a565b84e7368535e03e4697ae902ece281b34a7a088346ce61 | BIOS Update [IBRPLMIV] | https://downloadmirror.intel.com/780605/IBRPLMIV.0023.UEFI.zip |
| b3d35859f7833cb1192e25e6874e23798d160752ece04fe08b6b2946607da733 | BIOS Update [KCTGL357] f | https://downloadmirror.intel.com/782615/KCTGL357.0045.RECOVERY.zip |
| cd22a14a6e5dc03b839ccb1f817747c060b2ce8fedbebfe3bc6541e4ac8b9d42 | BIOS Update [PNWHL357] | https://downloadmirror.intel.com/772570/PNWHL357.0050.EBU.exe |
| e871223077aedfb6983ab46ee71b1a1308797f2f0235b77b9cb4792d04d9f06f | Intel Server Board M10JN | https://cdrdv2.intel.com/v1/dl/getContent/643596?explicitVersion=true |
| ea519a5fd11f6a1955545f3c01fea145589b272c474f61c72437efda90f024bb | Intel Server Board M10JN | https://cdrdv2.intel.com/v1/dl/getContent/775723?explicitVersion=true |
| f7524d1cc17188ecb3b4105ed01eab3687cc286a444932df089b7b367caa77d8 | BIOS Update [ANRPL357] | https://downloadmirror.intel.com/782088/AN0027.CAP |
| f81c773d77d3985d078e4a0e1c9f4032fba8dde56756f37978dc77c9646e580a | BIOS Update [WSADL357] | https://downloadmirror.intel.com/780018/WS0088.CAP |
| f83e3885a41b84cfdea546c567f103f21b425ecc983d284cd4fc40a11959bb7d | BIOS Update [HBADLMIV] | https://downloadmirror.intel.com/781008/HBV0055.CAP |
| fb6626eb82c39eb6ea67f132da1433741955999628b745b219eb709fc234bf65 | BIOS Update [ACADL357] f | https://downloadmirror.intel.com/779713/AC0061.cap |
| fb88240af1fb6b4b3c7a23fcd6584450841237b609143d7b558a0a0f5bb1c3f5 | BIOS Update [QNCFLX70] | https://downloadmirror.intel.com/778479/QN0072.cap |
| fdbdc6ddf03015a1274c8b8056d2922e8900422092e816687d6515d0145ad8f2 | BIOS Update [PNWHL57v] | https://downloadmirror.intel.com/772572/PNWHL57v.0050.EBU.exe |
How to fix it
The easiest way to fix this issue is to disable support for customized logos. In the longer term, we recommend supporting only BMP files and using well-tested BMP parsers to handle images. If Intel wants to support multiple image file formats, we recommend thoroughly testing any image parser before including it in Intel firmware.
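As an added example (not code from Binarly, AMI or Intel), the following C program shows the defensive checks whose absence is recorded in the crash table above, and the kind of parser hardening and testing this section recommends: a magic-byte dispatcher that can enforce a BMP-only policy, the unchecked 32-bit allocation-size computation beside its overflow-safe form, and a PNG chunk walker that validates every declared chunk length against the remaining input before touching the chunk body. All function names, the MAX_LOGO_DIM limit and the sample PNG bytes are assumptions constructed for this example; CRC fields are zero placeholders and are not verified.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Added example, not AMI's or Binarly's code. Names and limits are assumptions. */

enum logo_format { LOGO_UNKNOWN = 0, LOGO_BMP, LOGO_PNG, LOGO_JPEG };

#define MAX_LOGO_DIM 16384u   /* hypothetical upper bound on one logo dimension */

static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

/* Magic-byte dispatch, like ParseImage's 'B','M' test, but only after confirming
 * the buffer is long enough to hold the magic being compared. A BMP-only policy
 * is simply "reject anything that is not LOGO_BMP". */
enum logo_format logo_detect_format(const uint8_t *data, size_t size)
{
    if (data == NULL) return LOGO_UNKNOWN;
    if (size >= 2 && data[0] == 'B' && data[1] == 'M') return LOGO_BMP;
    if (size >= 8 && memcmp(data, PNG_SIG, 8) == 0) return LOGO_PNG;
    if (size >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF) return LOGO_JPEG;
    return LOGO_UNKNOWN;
}

/* The unsafe pattern behind the "integer overflow on memory allocation size"
 * entries: a 32-bit product that silently wraps, so a huge image yields a tiny
 * allocation that later pixel writes overrun. */
uint32_t pixel_buffer_size_unchecked(uint32_t width, uint32_t height)
{
    return width * height * 4u;   /* wraps to 0 for 0x10000 x 0x10000 */
}

/* Hardened form: caps both dimensions, multiplies in 64 bits and reports
 * failure instead of handing back a wrapped size. */
int pixel_buffer_size_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (out == NULL) return 0;
    *out = 0;
    if (width == 0 || height == 0) return 0;
    if (width > MAX_LOGO_DIM || height > MAX_LOGO_DIM) return 0;
    uint64_t bytes = (uint64_t)width * (uint64_t)height * 4u;  /* <= 2^30 after the caps */
    if (bytes > SIZE_MAX) return 0;
    *out = (size_t)bytes;
    return 1;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walks PNG chunks, checking each declared length against the bytes that remain
 * before the body is read (the check the PNG OOB-read entries lack). Fills in
 * the IHDR width/height. Returns the chunk count, or -1 for a malformed file. */
int logo_walk_png_chunks(const uint8_t *data, size_t size, uint32_t *width, uint32_t *height)
{
    if (data == NULL || size < 8 || memcmp(data, PNG_SIG, 8) != 0) return -1;
    size_t off = 8;
    int count = 0;
    for (;;) {
        if (size - off < 12) return -1;              /* length + type + CRC must fit */
        uint32_t len = be32(data + off);
        const uint8_t *type = data + off + 4;
        if (len > size - off - 12) return -1;        /* body would run past the input */
        const uint8_t *body = data + off + 8;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (count != 0 || len != 13) return -1;  /* IHDR must be first and 13 bytes */
            if (width) *width = be32(body);
            if (height) *height = be32(body + 4);
        } else if (count == 0) {
            return -1;                               /* first chunk must be IHDR */
        }
        off += 12 + (size_t)len;
        count++;
        if (memcmp(type, "IEND", 4) == 0) return len == 0 ? count : -1;
    }
}

/* Constructed sample inputs (not real firmware artefacts): a minimal 1024x768 PNG
 * and the same file with an IHDR length field of 0xFFFFFFFF. */
const uint8_t SAMPLE_PNG[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0x00, 0x00, 0x00, 0x0D, 'I', 'H', 'D', 'R',
    0x00, 0x00, 0x04, 0x00,  0x00, 0x00, 0x03, 0x00,  8, 6, 0, 0, 0,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D', 0x00, 0x00, 0x00, 0x00
};
const uint8_t SAMPLE_PNG_BADLEN[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0xFF, 0xFF, 0xFF, 0xFF, 'I', 'H', 'D', 'R',
    0x00, 0x00, 0x04, 0x00,  0x00, 0x00, 0x03, 0x00,  8, 6, 0, 0, 0,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D', 0x00, 0x00, 0x00, 0x00
};

/* libFuzzer-style entry point: the kind of harness used to test a parser
 * before it ships in firmware. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint32_t w = 0, h = 0;
    size_t bytes = 0;
    if (logo_detect_format(data, size) == LOGO_PNG && logo_walk_png_chunks(data, size, &w, &h) > 0)
        (void)pixel_buffer_size_checked(w, h, &bytes);
    return 0;
}

int main(void)
{
    uint32_t w = 0, h = 0;
    size_t bytes = 0;
    int n = logo_walk_png_chunks(SAMPLE_PNG, sizeof SAMPLE_PNG, &w, &h);
    printf("sample: %d chunks, %" PRIu32 "x%" PRIu32 ", checked size ok=%d (%zu bytes)\n",
           n, w, h, pixel_buffer_size_checked(w, h, &bytes), bytes);
    printf("bad length: %d\n", logo_walk_png_chunks(SAMPLE_PNG_BADLEN, sizeof SAMPLE_PNG_BADLEN, &w, &h));
    printf("unchecked 0x10000x0x10000 -> %" PRIu32 " bytes\n", pixel_buffer_size_unchecked(0x10000, 0x10000));
    return 0;
}
```

The walker refuses the crafted length before computing any pointer from it, which is the property the vulnerable parser lacks; the checked size function makes the allocation fail loudly rather than allocating a wrapped, undersized buffer.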
Disclosure timeline
This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date (YYYY-mm-dd) |
| --- | --- |
| AMI PSIRT is notified | 2023-09-20 |
| AMI PSIRT assigned CVE ID | 2023-12-01 |
| BINARLY public disclosure date | 2024-01-22 |
Acknowledgements
Binarly REsearch Team