The stack buffer overflow vulnerability leads to arbitrary code execution during the DXE phase.
BINARLY efiXplorer team has discovered a stack buffer overflow vulnerability that allows an attacker to execute arbitrary code.
Potential Impact
An attacker with local privileged access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depending on the operating system) to a DXE Runtime UEFI application and execute arbitrary code. Malicious code installed in a DXE driver as a result of exploiting this vulnerability could survive across the operating system (OS) boot process and runtime, or modify the NVRAM area on the SPI flash storage (to gain persistence on the target platform). Additionally, this vulnerability could potentially be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence the OS boot process, and in some cases hook or modify EFI Runtime Services.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2022-030
- Qualcomm PSIRT assigned CVE identifier: CVE-2022-40517
- CVSS v3.1 Score: 8.2 High (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Affected Lenovo firmware
| Firmware | Module name | Module SHA256 | File GUID |
|---|---|---|---|
| N3HET53W/$0AN3H00.FL1 | PILDxe | 95b3cab1f1ee002ece2a7675f89fe8b0bdcf62b528cfb6ed371170b45ff407a7 | 1d317734-4083-47c6-83ea-e3a42f2a6bff |
Vulnerability description
The vulnerability exists in the function located at offset 0x3F5C in the binary.
Consider the following code snippet:
```c
...
// DataSize is never reset to the size of VariableValue before any of the
// gRT->GetVariable() calls below; it keeps whatever the previous call left in it.
AsciiStrToUnicodeStr(&Name, VariableName);
StrCatS(VariableName, 0x80, L".Type");
Flag = 0;
if ( !(gRT->GetVariable)(VariableName, &gVariableGuid, 0, &DataSize, VariableValue) )
{
    Flag = 1;
    dword_1E630 = VariableValue[0];
}
AsciiStrToUnicodeStr(&Name, VariableName);
StrCatS(VariableName, 0x80, L".FwName");
if ( !(gRT->GetVariable)(VariableName, &gVariableGuid, 0, &DataSize, VariableValue) )
{
    sub_9B38(word_1E634, 0x1F, VariableValue, 0x1F);
    Flag = 1;
}
AsciiStrToUnicodeStr(&Name, VariableName);
StrCatS(VariableName, 0x80, L".PartiLabel");
if ( !(gRT->GetVariable)(VariableName, &gVariableGuid, 0, &DataSize, VariableValue) )
{
    sub_9B38(word_1E674, 0x1F, VariableValue, 0x1F);
    Flag = 1;
}
AsciiStrToUnicodeStr(&Name, VariableName);
StrCatS(VariableName, 0x80, L".PartiRootGuid");
if ( !(gRT->GetVariable)(VariableName, &gVariableGuid, 0, &DataSize, VariableValue) )
{
    sub_8E98(&byte_1E6B4, VariableValue);
    Flag = 1;
}
AsciiStrToUnicodeStr(&Name, VariableName);
StrCatS(VariableName, 0x80, L".PartiGuid");
if ( !(gRT->GetVariable)(VariableName, &gVariableGuid, 0, &DataSize, VariableValue) )
{
    sub_8E98(&byte_1E6C4, VariableValue);
    Flag = 1;
}
AsciiStrToUnicodeStr(&Name, VariableName);
StrCatS(VariableName, 0x80, L".ImagePath");
if ( !(gRT->GetVariable)(VariableName, &gVariableGuid, 0, &DataSize, VariableValue) )
{
    sub_9B38(word_1E6D4, 0x1F, VariableValue, 0x1F);
    Flag = 1;
}
...
```
As we can see from the pseudocode, DataSize is not initialized before each call to gRT->GetVariable(). Because DataSize is an in/out parameter, a call that fails with a buffer-too-small status leaves the larger required size in DataSize, and the next call then treats the stack buffer VariableValue as if it were that large. In this case a potential attacker can trigger the stack buffer overflow and execute arbitrary code. This requires changing two NVRAM variable values: the first to override DataSize and the second to overwrite the return address.
In order to fix this vulnerability, the DataSize variable must be initialized to the size of VariableValue before each call to gRT->GetVariable().
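The following added example (not code from the advisory or from the affected firmware) models the in/out DataSize contract of gRT->GetVariable() with a mock variable store, and shows why reusing DataSize between calls lets a read exceed the stack buffer while re-initializing it before every call makes the service report EFI_BUFFER_TOO_SMALL instead. The variable names, sizes and the 0x20-byte buffer are constructed assumptions, and the harness-only `capacity`/`overflow` arguments record an overrun rather than performing one.

```c
#include <stdint.h>
#include <string.h>

enum { STATUS_SUCCESS = 0, STATUS_BUFFER_TOO_SMALL = 5, STATUS_NOT_FOUND = 14 }; /* constructed */

/* Constructed NVRAM store: the first value is larger than the stack buffer, so the first
 * read inflates DataSize; the second is larger than the buffer but fits the inflated size. */
typedef struct { const char *name; size_t size; } mock_var_t;
static const mock_var_t g_store[] = { { "Demo.Type", 0x100 }, { "Demo.FwName", 0x80 } };

/* Mock of gRT->GetVariable() with the UEFI in/out DataSize contract: on input *data_size is
 * the caller's buffer size, on output it is the variable's real size. 'capacity'/'overflow'
 * are harness-only: the real service cannot know the true buffer size, so instead of copying
 * past 'buf' the mock records that it would have. */
static int mock_get_variable(const char *name, size_t *data_size, uint8_t *buf,
                             size_t capacity, int *overflow)
{
    for (size_t i = 0; i < sizeof g_store / sizeof g_store[0]; i++) {
        if (strcmp(g_store[i].name, name) != 0) continue;
        if (g_store[i].size > *data_size) {      /* caller's buffer reported too small */
            *data_size = g_store[i].size;        /* required size handed back to caller */
            return STATUS_BUFFER_TOO_SMALL;
        }
        if (g_store[i].size > capacity) {        /* trusted DataSize exceeds the real buffer */
            *overflow = 1;
            return STATUS_SUCCESS;
        }
        memset(buf, 0x41, g_store[i].size);      /* stand-in for the variable contents */
        *data_size = g_store[i].size;
        return STATUS_SUCCESS;
    }
    return STATUS_NOT_FOUND;
}

/* Reads both variables into one stack buffer, mirroring the PILDxe pattern.
 * reset_each_call == 0 reproduces the bug (DataSize carried over between calls);
 * reset_each_call == 1 applies the fix. Returns 1 if a read would overrun the buffer. */
int read_sequence(int reset_each_call)
{
    uint8_t value[0x20];                         /* assumed size; the real one is unknown */
    size_t data_size = sizeof value;
    int overflow = 0;
    const char *names[] = { "Demo.Type", "Demo.FwName" };
    for (int i = 0; i < 2; i++) {
        if (reset_each_call) data_size = sizeof value;  /* the missing initialization */
        mock_get_variable(names[i], &data_size, value, sizeof value, &overflow);
    }
    return overflow;
}
```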
Disclosure timeline
This vulnerability is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the vulnerability report will become visible to the public.
| Disclosure Activity | Date (YYYY-mm-dd) |
|---|---|
| Qualcomm PSIRT notified | 2022-10-21 |
| Qualcomm PSIRT confirmed the reported issue | 2022-10-30 |
| Qualcomm PSIRT assigned CVE number | 2022-12-19 |
| Qualcomm PSIRT provided patch release | 2023-01-03 |
| BINARLY public disclosure date | 2023-01-09 |