[BRLY-2022-035] Stack memory leak vulnerability in DXE driver.
January 9, 2023

Advisory ID: BRLY-2022-035
Severity: Medium
CVSS Score: 6
Public Disclosure Date: January 9, 2023

Summary

Binarly REsearch Team has discovered a stack memory leak vulnerability that allows a potential attacker to write stack memory to an NVRAM variable.

Vendors Affected

Lenovo
Qualcomm

Affected Products

ThinkPad X13s Gen 1

Potential Impact

An attacker with local privileged access can exploit this vulnerability to read the contents of the stack and use this information to exploit other vulnerabilities in DXE. Malicious code installed by exploiting a vulnerability in a DXE driver could survive across the operating system (OS) boot process and runtime, or modify the NVRAM area on SPI flash storage (to gain persistence on the target platform). Additionally, this vulnerability could potentially be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence the OS boot process, and in some cases hook or modify EFI Runtime Services.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2022-035
  • Lenovo PSIRT assigned CVE identifier: CVE-2022-4434
  • CVSS v3.1 Score 6.0 Medium AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Lenovo firmware with impact confirmed by Binarly REsearch Team

  • Firmware: N3HET74W/$0AN3H00.FL1
  • Module name: SystemErrorMenuDxe
  • Module SHA256: b8ec9208998c62154c4ea1208c72609f56c770c11953b0c59466e752bbc562ca
  • File GUID: BD6736AC-B126-4FEA-9D1D-174D4A899F22

Vulnerability description

The pseudocode of the vulnerable function is shown below:

unsigned sub_2B18()
{
  // ...
  DataSize = 8;   // size of the 8-byte stack buffer Value
  // GetVariable() updates DataSize in place: on EFI_BUFFER_TOO_SMALL it stores the variable's actual size.
  // The mask test is the decompiled form of EFI_ERROR(Status).
  if ( (gRT->GetVariable(L"PwdUnlockErr", &gVariableGuid, 0, &DataSize, Value) & 0x8000000000000000) != 0 )
    v10 = 1;
  else
    v10 = *(v6 + 1);
  SetVariable = gRT->SetVariable;
  Value[0] = v10;
  // DataSize is reused here without being reset; if it now exceeds 8, bytes beyond Value are taken from the stack.
  SetVariable(L"PwdUnlockErr", &gVariableGuid, VARIABLE_ATTRIBUTE_NV_BS_RT, DataSize, Value);
  // ...
}

As we can see from the pseudocode, the gRT->SetVariable() service is called with the DataSize value, which gRT->GetVariable() updates in place: when the existing variable is larger than the 8-byte buffer, GetVariable() returns EFI_BUFFER_TOO_SMALL and sets DataSize to the variable's actual size.

Thus, a potential attacker who first writes any buffer of length X > 8 to the PwdUnlockErr NVRAM variable causes the driver to write X - 8 bytes of stack memory to NVRAM.

In order to fix this vulnerability, the DataSize variable must be re-initialized before gRT->SetVariable():

  // ...
  DataSize = 8;
  if ( (gRT->GetVariable(L"PwdUnlockErr", &gVariableGuid, 0, &DataSize, Value) & 0x8000000000000000) != 0 )
    v10 = 1;
  else
    v10 = *(v6 + 1);
  SetVariable = gRT->SetVariable;
  Value[0] = v10;

  DataSize = 8; // <--- added
  SetVariable(L"PwdUnlockErr", &gVariableGuid, VARIABLE_ATTRIBUTE_NV_BS_RT, DataSize, Value);
  // ...
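The following is an added example, not Binarly's or Lenovo's code: a constructed NVRAM store with mock GetVariable/SetVariable services and a constructed 32-byte stack frame, showing how a pre-seeded PwdUnlockErr of X = 24 bytes makes the vulnerable flow store X - 8 bytes of neighbouring stack data, and how the DataSize reset prevents it. All function names and the 0xAA marker are assumptions for the demonstration.

```c
#include <stdint.h>
#include <string.h>

typedef uint64_t EFI_STATUS, UINTN;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 0x8000000000000005ULL
#define EFI_NOT_FOUND        0x800000000000000EULL
#define EFI_ERROR(s)         (((s) & 0x8000000000000000ULL) != 0)  /* the pseudocode's status test */

/* Constructed single-variable NVRAM store standing in for the real PwdUnlockErr variable. */
static uint8_t g_store[64];
static UINTN   g_store_size;

/* UEFI GetVariable contract: if the caller's buffer is too small, DataSize is set to the real size and nothing is copied. */
static EFI_STATUS MockGetVariable(UINTN *DataSize, void *Data) {
    if (g_store_size == 0) return EFI_NOT_FOUND;
    if (*DataSize < g_store_size) { *DataSize = g_store_size; return EFI_BUFFER_TOO_SMALL; }
    *DataSize = g_store_size;
    memcpy(Data, g_store, g_store_size);
    return EFI_SUCCESS;
}

static EFI_STATUS MockSetVariable(UINTN DataSize, const void *Data) {
    if (DataSize > sizeof g_store) return EFI_BUFFER_TOO_SMALL;
    memcpy(g_store, Data, DataSize);
    g_store_size = DataSize;
    return EFI_SUCCESS;
}

/* Pre-state a caller with variable-write access can create: PwdUnlockErr of X > 8 bytes. */
static void SeedOversizedVariable(UINTN x) { memset(g_store, 0x11, x); g_store_size = x; }

/* Mirrors the advisory's flow and returns the size now stored in NVRAM; 'fixed' applies the patch. */
static UINTN RunDriverLogic(int fixed) {
    uint8_t Frame[32];                  /* constructed stack frame: Value is Frame[0..7] */
    uint8_t *Value = Frame;
    memset(Frame, 0xAA, sizeof Frame);  /* 0xAA marks neighbouring locals that must stay on the stack */
    memset(Value, 0, 8);
    UINTN DataSize = 8;
    /* The real driver takes its else-branch value from another structure; 0 stands in for it here. */
    uint8_t v10 = EFI_ERROR(MockGetVariable(&DataSize, Value)) ? 1 : 0;
    Value[0] = v10;
    if (fixed) DataSize = 8;            /* the fix: reset DataSize before SetVariable */
    MockSetVariable(DataSize, Value);   /* vulnerable path copies DataSize (= X) bytes from Frame */
    return g_store_size;
}

/* Bytes stored beyond the intended 8 that carry the neighbouring-stack marker. */
static UINTN LeakedBytes(void) {
    UINTN n = 0;
    for (UINTN i = 8; i < g_store_size; i++) n += (g_store[i] == 0xAA);
    return n;
}
```

With the variable seeded to 24 bytes, RunDriverLogic(0) stores 24 bytes of which 16 are frame contents beyond Value, matching the advisory's X - 8; RunDriverLogic(1) stores exactly 8.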

Disclosure timeline

This vulnerability is subject to a 90 day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the vulnerability report will become visible to the public.

Disclosure Activity                         Date (YYYY-mm-dd)
Lenovo PSIRT notified                       2022-10-24
Lenovo PSIRT confirmed the reported issue   2022-12-16
Lenovo PSIRT assigned CVE number            2022-12-27
Lenovo PSIRT provided patch release         2023-01-03
BINARLY public disclosure date              2023-01-09

Acknowledgements

Binarly REsearch Team
