
[BRLY-2022-040] The stack memory contents leak / information disclosure vulnerability in DXE driver.

November 16, 2023

Summary

The BINARLY efiXplorer team has discovered a stack memory contents leak / information disclosure vulnerability that allows a potential attacker to write stack memory contents to an NVRAM variable.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2022-040
  • Intel PSIRT assigned CVE identifier: CVE-2023-22356
  • Intel advisory: INTEL-SA-00917
  • CVSS v3.1: 6.0 Medium AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Intel firmware confirmed by the Binarly team to be impacted

Device/Firmware: Intel NUC M15 / BCTGL357 v0077 (Latest)
File Name: AMITSE
SHA256 (File PE32 section): 4c684ca2b4c09bb33e106399757c6d21f2fc511f71146b48bde03ef36c2259b6
File GUID: B1DA0ADF-4F77-4070-A88E-BFFE1C60529A

Device/Firmware: Intel NUC M15 / BCTGL357 v0077 (Latest)
File Name: -
SHA256 (File PE32 section): 7120c9acef8194c2ca1a746745432b04ba6b87e950113fe413c5f26c8f7d61c0
File GUID: A2DF5376-C2ED-49C0-90FF-8B173B0FD066

Potential impact

An attacker with local privileged access can exploit this vulnerability to read the contents of the stack and use this information to exploit other vulnerabilities in DXE. Malicious code installed as a result of exploiting a vulnerability in a DXE driver could survive across the operating system (OS) boot process and runtime, or modify the NVRAM area on SPI flash storage (to gain persistence on the target platform). Additionally, this vulnerability could potentially be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence the OS boot process, and in some cases hook or modify EFI Runtime Services.

Vulnerability description

The vulnerability exists in the function located at offset 0xF02C.

__int64 sub_F02C()
{
  __int64 result;
  UINTN DataSize;
  __int64 Data;
  EFI_GUID VendorGuid;
  EFI_GUID BootFlowVariableGuid;
  UINT32 Attributes;
  UINT32 OsIndicationsAttributes;
  int BootFlowValue;
  __int64 OsIndicationsValue;

  sub_503C(0, 0, 0x18, 0x50);

  // EFI_SIMPLE_BOOT_FLAG_VARIABLE_GUID
  VendorGuid.Data1 = 0x8BE4DF61;
  *&VendorGuid.Data2 = 0x11D293CA;
  *VendorGuid.Data4 = 0xE0000DAA;
  *&VendorGuid.Data4[4] = 0x8C2B0398;

  Data = 1;
  DataSize = 8;   // size of the 8-byte Data buffer; set only once
  Attributes = 6;
  BootFlowValue = 4;

  // BOOT_FLOW_VARIABLE_GUID
  BootFlowVariableGuid.Data1 = 0xEF152FB4;
  *&BootFlowVariableGuid.Data2 = 0x427D7B2F;
  *BootFlowVariableGuid.Data4 = 0xA7EB4BD;
  *&BootFlowVariableGuid.Data4[4] = 0x646E8205;
  // GetVariable() updates DataSize to the stored variable's size; if the
  // variable is larger than 8 bytes, DataSize now exceeds sizeof(Data).
  if ( (gRT->GetVariable(L"OsIndicationsSupported", &VendorGuid, &Attributes, &DataSize, &Data) & 0x8000000000000000) == 0
    && DataSize )
  {
    Data |= 1;
  }
  // DataSize is reused here without being reset, so SetVariable() copies
  // DataSize bytes starting at &Data, i.e. past the end of Data on the stack.
  result = gRT->SetVariable(L"OsIndicationsSupported", &VendorGuid, Attributes, DataSize, &Data);
  if ( result >= 0 )
  {
    DataSize = 8;
    result = gRT->GetVariable(L"OsIndications", &VendorGuid, &OsIndicationsAttributes, &DataSize, &OsIndicationsValue);
    if ( result >= 0 && (OsIndicationsValue & 1) != 0 )
    {
      gRT->SetVariable(L"BootFlow", &BootFlowVariableGuid, 2, 4, &BootFlowValue);
      OsIndicationsValue &= ~1;
      return gRT->SetVariable(L"OsIndications", &VendorGuid, OsIndicationsAttributes, DataSize, &OsIndicationsValue);
    }
  }
  return result;
}

Consider the following code snippet:

DataSize = 8;
if ( (gRT->GetVariable(L"OsIndicationsSupported", &VendorGuid, &Attributes, &DataSize, &Data) & 0x8000000000000000) == 0
  && DataSize )
{
  Data |= 1;
}
result = gRT->SetVariable(L"OsIndicationsSupported", &VendorGuid, Attributes, DataSize, &Data);

As we can see from the pseudocode, for the OsIndicationsSupported variable the gRT->SetVariable() service is called with the DataSize value, which can be overwritten inside the gRT->GetVariable() service: when the caller's buffer is smaller than the stored variable, GetVariable() returns EFI_BUFFER_TOO_SMALL and updates DataSize to the size of the stored variable.

Thus, a potential attacker can write X - 8 bytes from the stack to NVRAM by writing any buffer of length X > 8 to the OsIndicationsSupported NVRAM variable before the next system boot.

In order to fix this vulnerability, the DataSize variable must be re-initialized to the size of the Data buffer before the gRT->SetVariable() call.
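The following C program is an added example (not Binarly's code and not the AMITSE driver's code) that reproduces the bug pattern described above against a mock variable store. mock_get_variable(), mock_set_variable(), g_slot, struct Frame and run_scenario() are assumed names standing in for gRT->GetVariable(), gRT->SetVariable(), the NVRAM slot and the driver's stack frame; the "neighbour" bytes are constructed stand-ins for whatever sits next to Data on the real stack. The vulnerable variant keeps sub_F02C's control flow; the fixed variant applies the re-initialization described above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI-style status codes: errors have the top bit set, matching the
   page's "& 0x8000000000000000" check. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS            0ULL
#define EFI_INVALID_PARAMETER  (0x8000000000000000ULL | 2)
#define EFI_BUFFER_TOO_SMALL   (0x8000000000000000ULL | 5)
#define EFI_NOT_FOUND          (0x8000000000000000ULL | 14)
#define EFI_ERROR(s)           (((s) & 0x8000000000000000ULL) != 0)

/* Constructed stand-in for one NVRAM variable slot (OsIndicationsSupported). */
#define SLOT_MAX 64
static struct { uint8_t data[SLOT_MAX]; uint64_t size; int present; } g_slot;

/* Mock of gRT->GetVariable with the spec's size-reporting behaviour: when the
   caller's buffer is too small, *DataSize is set to the required size and
   EFI_BUFFER_TOO_SMALL is returned. */
static EFI_STATUS mock_get_variable(uint64_t *DataSize, void *Data) {
    if (!g_slot.present) return EFI_NOT_FOUND;
    if (*DataSize < g_slot.size) {
        *DataSize = g_slot.size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(Data, g_slot.data, g_slot.size);
    *DataSize = g_slot.size;
    return EFI_SUCCESS;
}

/* Mock of gRT->SetVariable: stores DataSize bytes read from Data. */
static EFI_STATUS mock_set_variable(uint64_t DataSize, const void *Data) {
    if (DataSize > SLOT_MAX) return EFI_INVALID_PARAMETER;
    memcpy(g_slot.data, Data, DataSize);
    g_slot.size = DataSize;
    g_slot.present = 1;
    return EFI_SUCCESS;
}

/* Model of the driver's stack frame: the 8-byte Data buffer followed by
   whatever the compiler placed next to it (constructed neighbour bytes). */
struct Frame { uint64_t Data; uint8_t Neighbour[24]; };

/* Simulates a pre-boot write of attacker_len bytes to the variable. */
static void seed_store(uint64_t attacker_len) {
    memset(g_slot.data, 0x41, SLOT_MAX);
    g_slot.size = attacker_len;
    g_slot.present = 1;
}

/* Same control flow as sub_F02C: DataSize is set once and reused after
   GetVariable may have enlarged it. Returns the size stored in NVRAM. */
static uint64_t vulnerable_update(struct Frame *f) {
    uint64_t DataSize = 8;
    f->Data = 1;
    if (!EFI_ERROR(mock_get_variable(&DataSize, &f->Data)) && DataSize)
        f->Data |= 1;
    /* BUG: DataSize may exceed sizeof(f->Data). The real driver passes &Data;
       the whole frame is passed here so the over-read stays inside one object. */
    mock_set_variable(DataSize, f);
    return g_slot.size;
}

/* Fixed variant: DataSize is re-initialized to the buffer size before SetVariable. */
static uint64_t fixed_update(struct Frame *f) {
    uint64_t DataSize = sizeof(f->Data);
    f->Data = 1;
    if (!EFI_ERROR(mock_get_variable(&DataSize, &f->Data)) && DataSize)
        f->Data |= 1;
    DataSize = sizeof(f->Data);
    mock_set_variable(DataSize, &f->Data);
    return g_slot.size;
}

/* Runs one scenario and returns how many neighbour (stack) bytes ended up in NVRAM. */
static uint64_t run_scenario(int use_fix, uint64_t attacker_len) {
    struct Frame f;
    for (int i = 0; i < 24; i++) f.Neighbour[i] = (uint8_t)(0xC0 + i);
    seed_store(attacker_len);
    uint64_t written = use_fix ? fixed_update(&f) : vulnerable_update(&f);
    uint64_t leaked = 0;
    for (uint64_t i = 8; i < written; i++)
        if (g_slot.data[i] == f.Neighbour[i - 8]) leaked++;
    return leaked;
}

int main(void) {
    printf("vulnerable, X=24: %llu stack bytes written to NVRAM\n",
           (unsigned long long)run_scenario(0, 24));
    printf("fixed,      X=24: %llu stack bytes written to NVRAM\n",
           (unsigned long long)run_scenario(1, 24));
    return 0;
}
```

With a 24-byte variable pre-seeded (X = 24), the vulnerable path writes 24 bytes starting at Data, so X - 8 = 16 neighbour bytes reach the store; the fixed path fails the GetVariable() call with EFI_BUFFER_TOO_SMALL, keeps Data = 1 and writes exactly 8 bytes. The same check applied to a real driver is simply whether every gRT->SetVariable() size argument is derived from sizeof() of the buffer it is paired with, rather than from a DataSize that an earlier GetVariable() may have rewritten.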

Disclosure timeline

This vulnerability is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the vulnerability report becomes visible to the public.

Disclosure Activity                  Date (YYYY-MM-dd)
Intel PSIRT is notified              2022-12-19
Intel PSIRT assigned CVE number      2023-02-28
Intel PSIRT provided patch release   2023-08-08
BINARLY public disclosure date       2023-11-16

Acknowledgements

BINARLY efiXplorer team
