Binarly Advisories

REsearch

Binarly Advisories

[BRLY-2023-018] Multiple vulnerabilities in image parsing functions can be exploited by an attacker with local access.

Multiple vulnerabilities in image parsing functions can be exploited by an attacker with local access

Introduction

Intel firmware allows end-users to customize the logo shown on the display of a device during boot. BINARLY REsearch team has uncovered multiple critical vulnerabilities in the libraries used to parse image data formats and thus logos. This vulnerability poses a high-severity risk as it introduces an unexplored attack surface that can be exploited by malicious actors with administrative access to a device. Our analysis over a dataset of Intel firmware identified 42 unique Intel products affected by this issue, including devices running firmware developed by American Megatrends. Given the systemic industry-wise scope of this vulnerability we will refer to it as LogoFAIL.

Vulnerability Information

Affected Intel firmware with confirmed impact by Binarly team

IBV Device/Firmware Filename SHA256
AMI Intel NUC M15 BC0079.CAP f31bdf64a494f394aa1bd6cb82680e3257f8112e708b7ec3335291ab0dfea1ca

Vulnerability Summary

An attacker can exploit this vulnerability by flashing firmware containing a maliciously-crafted logo image and restarting the system under attack During the boot process, logo images are parsed and transformed into an intermediate format before they are displayed. On devices vulnerable to LogoFAIL, attackers can supply custom logos and thus exploit any vulnerabilities in the image parser. This allows attackers to divert the execution flow during boot and execute arbitrary code. LogoFAIL can be exploited by attackers with administrative privileges, and it's not stopped by modern firmware defenses (e.g., BIOS Guard, Boot Guard, Secure Boot).

In the following sections, we will show how attackers can flash firmware with arbitrary logo images on Intel devices. We then explore how image parsers are used during the boot process, and how we tested their security. Finally, we showcase a bug related to an heap out-of-bounds write due to integer overflow.

Vulnerability description (AMI firmware)

How logos can be customized

In AMI-based Intel firmware, logos can be flashed on a device simply by using Aptio V Integrator Tools released by Intel. In particular, iCHLogo can be used to replace the logo image stored in a capsule update with an attacker-controlled logo:

user@binarly~$ iChLogoLnx64 /i BC0079.CAP /o LOGOFAIL.CAP /r exploit.png

+--------------------------------------------------------------------------+
|                        iChLogo 5.15.0044                                 |
|              Copyright (c) 2021 AMI. All rights reserved.                |
+--------------------------------------------------------------------------+

Replaced existing logo with /home/user/exploit.png.
New image [LOGOFAIL.CAP] created successfully!

The resulting malicious capsule update LOGOFAIL.CAP can then be flashed with iFlashV:


user@binary:$ sudo ./iFlashVLnx64 LOGOFAIL.CAP /k1
[sudo] password for user:

| Intel Firmware Update Utility v5.13.00.2104
| Copyright Cc) 2023 AMI. All rights reserved.

Reading flash ...................... Done
- System Secure Flash .............. Enabled
- FFS Checksums .................... Pass
Erasing NCB Block .................. Done
Updating NCB Block ................. Done
Verifying NCB Block ................ Done

Process completed.

(Vulnerable) Image Parsing Protocols

During our analysis of Intel NUC M15 firmware, we discovered that the AMITSE module contains the functions implementing the parsing libraries for BMP, JPEG and PNG.

File Name File GUID SHA256
AMITSE B1DA0ADF-4F77-4070-A88E-BFFE1C60529A 1e9500b2263a012e77e41d92e896d35ff5f54fe7c0b09bee45de1eab09686097

The entrypoint of the parsing logic is in function sub_BD6C, which we renamed ParseImage in the following snippet. This function locates the EfiGraphicsOutputProtocol, which is used to find the horizontal and vertical resolution of the screen of the device. It then calls ParseBMP if the first two bytes of LogoData are 'B' and 'M' respectively. Otherwise the execution continues in ParseOthers, where similar checks on LogoData are used to identify JPEG and PNG images and to dispatch the execution to the proper image parser.

__int64 __fastcall ParseImage(
        _BYTE *LogoData,
        __int64 LogoSize_1,
        int a3,
        __int64 a4,
        __int64 a5,
        char a6,
        unsigned __int64 *Vertical,
        unsigned __int64 *Horizontal)
{
  unsigned __int64 *Width; // rsi
  unsigned __int64 *Height; // rbx
  __int64 result; // rax
  __int64 LogoSize; // rdx
  unsigned __int64 v15; // rdi
  unsigned __int64 DecodedSize[2]; // [rsp+40h] [rbp-10h] BYREF
  void *DecodedLogo; // [rsp+78h] [rbp+28h] BYREF

  Width = Vertical;
  Height = Horizontal;
  DecodedSize[0] = 0i64;
  DecodedLogo = 0i64;
  *Vertical = 0i64;
  *Height = 0i64;
  sub_75F8();
  if ( !gEfiGraphicsOutputProtocol )
    return 0x8000000000000003ui64;
  result = GetResolution(&Horizontal, &Vertical);
  if ( result >= 0 )
  {
    result = *LogoData == 'B' && LogoData[1] == 'M'
           ? ParseBMP(LogoData, LogoSize, &DecodedLogo, DecodedSize, Height, Width)
           : ParseOthers(LogoData, LogoSize, &DecodedLogo, DecodedSize, Height, Width);
    v15 = *Width;
    if ( result >= 0 )
    {
      if ( a6 && (v15 > Horizontal || *Height > Vertical) )
      {
        sub_BD3C(Width, Height);
        if ( gEfiGraphicsOutputProtocol )
          GetResolution(&Horizontal, &Vertical);
      }
      sub_C014(DecodedLogo, a3, *Width, *Height, a4, a5, v15);
      MemFreePointer(&DecodedLogo);
      return 0i64;
    }
  }
  return result;
}

Finding Crashes in Image Parsers

To evaluate the robustness of the previously mentioned image parsers, we tested each of them with fuzz testing techniques. This resulted in the discovery of multiple crashes in all tested parsers. These crashes cover a wide range of issues, from less severe out-of-bounds reads to more critical out-of-bounds arbitrary writes where the attacker controls both the target memory address and the written content. In the next sections we summarize the crashes we found during this security evaluation.

Summary of Crashes

The following table summarizes the crashes that we found during the analysis of Intel NUC M15 firmware.

Rule ID CVE Module Name Rule Description
BRLY-LOGOFAIL-2023-013 CVE-2023-39539 AMITSE Lack of BmpHeader->ImageOffset validation will lead to OOB Read during BMP file processing in AMI firmware
BRLY-LOGOFAIL-2023-014 CVE-2023-39539 AMITSE Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-015 CVE-2023-39539 AMITSE Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-016 CVE-2023-39539 AMITSE Integer overflow on memory allocation size (which depends on image height) leads to OOB Write operations during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-017 CVE-2023-39539 AMITSE Unchecked array index leads to OOB Write operations while decoding Huffman tables during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-018 CVE-2023-39539 AMITSE Integer overflow on memory allocation size (which depends on image width and height) leads to OOB Write operations during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-019 CVE-2023-39539 AMITSE Integer overflow on memory allocation size (which depends on image width and height) leads to OOB Write operations during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-020 CVE-2023-39539 AMITSE Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in AMI firmware
BRLY-LOGOFAIL-2023-021 CVE-2023-39539 AMITSE Lack of validation on marker length leads to multiple OOB Read operations during JPEG file processing in AMI firmware
BRLY-LOGOFAIL-2023-022 CVE-2023-39539 AMITSE Lack of validation on number of Huffamn tables leads to OOB Write operations during JPEG file processing in AMI firmware

Our analysis identified the crashing input related to BRLY-LOGOFAIL-2023-015 as possibly the most serious crashing input, as it is related to an heap out-of-bounds write due to an integer overflow. After flashing firmware containing the crafted PNG image we just described, the device effectively enters a bricked state. As another proof of the severity the LogoFAIL, we found that the only solution to "unbrick" the device is to physically reflash the device. We also followed the official Intel recommendation "How to Recover Intel® NUC BIOS", but it didn't work.

Preliminarly list of affected Intel devices

To evaluate the impact of our LogoFAIL, we explored an internal dataset of Intel firmware. For the firmware images listed in the following table, iChLogo can be used to replace the image stored in the firmware, and thus these devices are likely vulnerable to LogoFAIL.

Firmware SHA256 Firmware Name VENDOR
0153cb7a6f406dad6050729992e6b59456347f74da59358d5cf3d6de9b66c58f BIOS Update [SBRPL790] https://downloadmirror.intel.com/779237/SBRPL790.0057.EBU.EXE
06292671e3c48951d3a1e9038eaba77aca395ea69c0da6d145dfc9604f183a7c BIOS Update for Intel® N https://downloadmirror.intel.com/763431/QC0158.CAP
070660c01c87d169c335ad3b1c197741fd3819c8af05f09ba98c9baf383348a1 BIOS Update [TNTGL357] https://downloadmirror.intel.com/779613/TNTGL357.0073.RECOVERY.zip
0737cf26ef44eba7fac49a8384ec626a8e6b2006d6618ebc6e03aed31277450b BIOS Update [IBRPL357] https://downloadmirror.intel.com/780599/IBRPL357.0023.UEFI.zip
0b50ebc1f011485c23af2c4ee6b246f79451d2d95fc53166a3e0b65a3144f00b BIOS Update for the Inte https://downloadmirror.intel.com/773810/RC0061.cap
19a7a90b9e4871fe5f07f4893469024d6daaa8dec461c198702236d378d99857 BIOS Update [EDADL579] https://downloadmirror.intel.com/782529/EDADL579.0059.UEFI.zip
1c46c273be5ec0feabbee6233683d7f8d6fb8b09d727758e187609dfb46b13b1 BIOS Update for the Inte https://downloadmirror.intel.com/780713/BC0079.CAP
388cd43e6007e7550c22eff47ca1b4527de8883e30a572ba43e4a9a00c8203ea Intel Server Board M10JN https://cdrdv2.intel.com/v1/dl/getContent/763460?explicitVersion=true
3c63aa14a9f7a2d0b70df86b78c94938e99d9cc7a7171a1cd6b46ba180526017 BIOS Update [INWHL357] https://downloadmirror.intel.com/779714/IN0048.CAP
3f164c145e44b4e649ceac4d9d820b3600459001e792e5667cbed3e01988a3ce BIOS Update [EDADLMIV] https://downloadmirror.intel.com/782531/EDADLMIV.0059.UEFI.zip
3fa66064557b4eea5754262efd77f3bf13c848339f5d67b3aa59659392fc2adf BIOS Update [L3RPL357] https://downloadmirror.intel.com/778293/L3RPL357.0027.UEFI.zip
3fc467d251f5a1225cf710ca8acd9e2fea82bbb5f8dcc91ff78d6609ffdb3e70 BIOS Update [EBTGL357] https://downloadmirror.intel.com/777627/EBTGL357.0072.UEFI.zip
45ccf82d37a645de8dd4331346848575643b32f48758a91410beb5d5643881b4 BIOS Update [SNADL357] https://downloadmirror.intel.com/779585/SNADL357.0057.RECOVERY.zip
460fda3a419e94caa56d17552e6acd4a67c678afb5b7e80b4651dda5956c54ac Intel Server Board M10JN https://cdrdv2.intel.com/v1/dl/getContent/736343?explicitVersion=true
49b698416642926dfff67d162739b42caec7ea1d2d99e3785ccbe4baceeeb179 BIOS Update [ANRPLV57] https://downloadmirror.intel.com/782091/ANRPLV57.0027.RECOVERY.zip
53e5d71a66235998e8a07efc55c9fd0f1fb3c82b56ad0a6a15cdf4c190d3997b BIOS Update [ATJSLCPX] https://downloadmirror.intel.com/781955/ATJSLCPX.0041.EBU.exe
559f0d06d88e21e4d5e32cbecb0dc1ee7ff1e48ad86080880b83f08d0dcb2f30 BIOS Update [PHTGL579] https://downloadmirror.intel.com/780708/PHTGL579.0073.UEFI.zip
68bdd7e47bff3f11c5dac21725e82f7ab8ce3e145b824d7ffda526faa87227db BIOS Update [CHAPLCEL] https://downloadmirror.intel.com/778399/CHAPLCEL.0062.UEFI.zip
68bfc1e640d50407708ce690fdcf121da49284fe759328cb32a5aa364e70dd50 BIOS Update [PATGL357] https://downloadmirror.intel.com/779451/PATGL357.0051.RECOVERY.zip
6beec19dfa153d5f591203df5520b7af83d316f2b74dbf0df563c81ead43a0db BIOS Update [L3RPLV57] https://downloadmirror.intel.com/778285/L3RPLV57.0027.UEFI.zip
6e59eea2c2bbab65dfdbe8efefdf3ff6131518038e320c10ee245537d12f1f14 BIOS Update [DBTGL579] https://downloadmirror.intel.com/780347/DBTGL579.0066.EBU.exe
76e7098e5140555662878fb7d254339bed06ea71dfdae9c738185f0fde5a2ebf BIOS Update [CBWHLMIV] https://downloadmirror.intel.com/780520/CBWHLMIV.0102.UEFI.zip
7bb7b4c804c41cc9d2af7830073d62e02456933cca7a31488cdcb9cea3208b7d BIOS Update [QXCFL579] https://downloadmirror.intel.com/778476/QX0072.cap
7f60c2a74d9628f5a47bfcc8fa11b4495d1d5cf7081757af9df8db3f79260b31 BIOS Update [SBRPL579] https://downloadmirror.intel.com/779239/SB0057.CAP
811c88ae90ff40e0ed70d32e07d50f459d6bd7f339549a0c75ae5f97e54a70d4 BIOS Update [HBADL357] https://downloadmirror.intel.com/781007/HBADL357.0055.UEFI.zip
8630ecb854f3616678c087cba616b2a7e4b437314fea9041c1c053ae8f1dfb4a BIOS Update [CBWHL357] https://downloadmirror.intel.com/780518/CBWHL357.0102.EBU.exe
9153b6df2b571faa1ed8b475a595c258e6e0304b1db5f2f1571880cbc5d57ebe BIOS Update [FNCML357] https://downloadmirror.intel.com/773261/FNCML357.0060.UEFI.zip
97252538268751eb652a6315ae8d9ba1c5e3f54e3ce754b1b2a14888b23c76d4 BIOS Update [EBTGLMIV] https://downloadmirror.intel.com/777626/EBTGLMIV.0072.RECOVERY.zip
9785c1630d2660d7ab4bd4e4f9fb503e0e52cac98bdb331ea96d74d25a48f752 BIOS Update [WSADLV57] https://downloadmirror.intel.com/780041/WSADLV57.0088.UEFI.zip
9bc278a285c474dbe7ebce3399034833803699ff8fe9e0955ba72ef79da5a7f3 BIOS Update [TNTGLV57] https://downloadmirror.intel.com/779612/TNv0073.CAP
a132cd6038454085a5d1fe961a70d08c7afb17c6a1b846a71ddb4c08edcae652 Intel Server Board M10JN https://cdrdv2.intel.com/v1/dl/getContent/726934?explicitVersion=true
b06dd937610292a565b84e7368535e03e4697ae902ece281b34a7a088346ce61 BIOS Update [IBRPLMIV] https://downloadmirror.intel.com/780605/IBRPLMIV.0023.UEFI.zip
b3d35859f7833cb1192e25e6874e23798d160752ece04fe08b6b2946607da733 BIOS Update [KCTGL357] f https://downloadmirror.intel.com/782615/KCTGL357.0045.RECOVERY.zip
cd22a14a6e5dc03b839ccb1f817747c060b2ce8fedbebfe3bc6541e4ac8b9d42 BIOS Update [PNWHL357] https://downloadmirror.intel.com/772570/PNWHL357.0050.EBU.exe
e871223077aedfb6983ab46ee71b1a1308797f2f0235b77b9cb4792d04d9f06f Intel Server Board M10JN https://cdrdv2.intel.com/v1/dl/getContent/643596?explicitVersion=true
ea519a5fd11f6a1955545f3c01fea145589b272c474f61c72437efda90f024bb Intel Server Board M10JN https://cdrdv2.intel.com/v1/dl/getContent/775723?explicitVersion=true
f7524d1cc17188ecb3b4105ed01eab3687cc286a444932df089b7b367caa77d8 BIOS Update [ANRPL357] https://downloadmirror.intel.com/782088/AN0027.CAP
f81c773d77d3985d078e4a0e1c9f4032fba8dde56756f37978dc77c9646e580a BIOS Update [WSADL357] https://downloadmirror.intel.com/780018/WS0088.CAP
f83e3885a41b84cfdea546c567f103f21b425ecc983d284cd4fc40a11959bb7d BIOS Update [HBADLMIV] https://downloadmirror.intel.com/781008/HBV0055.CAP
fb6626eb82c39eb6ea67f132da1433741955999628b745b219eb709fc234bf65 BIOS Update [ACADL357] f https://downloadmirror.intel.com/779713/AC0061.cap
fb88240af1fb6b4b3c7a23fcd6584450841237b609143d7b558a0a0f5bb1c3f5 BIOS Update [QNCFLX70] https://downloadmirror.intel.com/778479/QN0072.cap
fdbdc6ddf03015a1274c8b8056d2922e8900422092e816687d6515d0145ad8f2 BIOS Update [PNWHL57v] https://downloadmirror.intel.com/772572/PNWHL57v.0050.EBU.exe

How to fix it

The easiest way to fix this issue is to disable the support for customized logos. On the longer term, we recommended to support only BMP files and use well-tested BMP parsers to handle images. In case Intel wants to support multiple image file formats then we recommend to thoroughly test any image parsers before including them in Intel firmware.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date (YYYY-mm-dd)
AMI PSIRT is notified 2023-09-20
AMI PSIRT assigned CVE ID 2023-12-01
BINARLY public disclosure date 2024-01-22

Acknowledgements

BINARLY efiXplorer team

Tag list
Back to overview