.webp)
BINARLY efiXplorer team has discovered a memory contents leak / information disclosure vulnerability that allows a potential attacker to dump stack memory or global memory into an NVRAM variable. This in turn could help building a successful attack vector based on exploiting a memory corruption vulnerability.
An attacker with high physical access can exploit this vulnerability to read the contents of stack memory or global memory. This information could help with explotation of other vulnerabilities in DXE to elevate privileges from ring 3 or ring 0 (depends on the operating system) to a DXE driver and execute arbitrary code. Malicious code installed as a result of this exploitation could survive operating system (OS) boot process and runtime, or modify NVRAM area on the SPI flash storage (to gain persistence). Additionally, threat actors could use this vulnerability to bypass OS security mechanisms (modify privileged memory or runtime variables), influence OS boot process, and in some cases allow an attacker to hook or modify EFI Runtime services.
Let's take Edge Gateway 3200's firmware (version: 103, module sha256: 5402ef8606a15e7dc157179ac4f84c03e17463184810140c971e8c71c64843be) as an example.
The following code in the module actually allows leaking memory:
gRT->GetVariable() offset: 0x14f7gRT->SetVariable() offset: 0x152b__int64 __fastcall sub_7D8(unsigned __int64 a1, _DWORD *a2)
{
__int64 v2; // rdi
unsigned __int8 v5; // si
__int64 (__fastcall **v6)(__int64); // rax
char *v7; // rax
__int64 (__fastcall **v8)(__int64); // rax
__int64 (__fastcall **v9)(__int64); // rax
__int64 (__fastcall **v10)(__int64); // rax
int v11; // ecx
int v12; // ecx
int v13; // ecx
int v14; // ecx
int v15; // ecx
int v16; // ecx
int v17; // ecx
int v18; // ecx
char *v19; // rsi
_DWORD *v20; // rdx
unsigned __int8 (__fastcall **v21)(__int64); // rax
unsigned __int8 (__fastcall **v22)(__int64); // rax
char v23; // bl
unsigned __int64 v24; // r10
unsigned __int64 v25; // rdx
unsigned int v26; // ecx
bool v27; // zf
_BYTE *v28; // rcx
unsigned int v29; // eax
char v30; // cl
unsigned int v31; // r8d
int v32; // esi
__int64 v33; // rax
unsigned int (__fastcall **v34)(__int64); // rax
unsigned __int64 v35; // rcx
unsigned __int64 v36; // rdx
unsigned __int64 v38; // [rsp+30h] [rbp-D0h] BYREF
void *v39; // [rsp+38h] [rbp-C8h] BYREF
__int64 v40; // [rsp+40h] [rbp-C0h] BYREF
char *v41[2]; // [rsp+48h] [rbp-B8h] BYREF
void *Interface; // [rsp+58h] [rbp-A8h] BYREF
__int64 v43; // [rsp+60h] [rbp-A0h] BYREF
char v44[656]; // [rsp+70h] [rbp-90h] BYREF
char Data[519]; // [rsp+300h] [rbp+200h] BYREF
char v46; // [rsp+507h] [rbp+407h]
char v47; // [rsp+5E0h] [rbp+4E0h] BYREF
int v48; // [rsp+5E8h] [rbp+4E8h] BYREF
UINT32 Attributes; // [rsp+5F0h] [rbp+4F0h] BYREF
UINTN DataSize; // [rsp+5F8h] [rbp+4F8h] BYREF
v2 = 0i64;
v27 = *a1 == 1396916550;
v5 = 0;
v38 = 1i64;
if ( !v27 && *a1 != 1413763908 )
{
v6 = sub_913C();
v7 = v6[5](391i64);
if ( (a1 + 10) != v7 )
sub_280((a1 + 10), v7, 6ui64);
if ( *a1 != 1413763923 )
{
v8 = sub_913C();
*(a1 + 16) = v8[4](272i64);
v9 = sub_913C();
*(a1 + 24) = v9[3](392i64);
v10 = sub_913C();
*(a1 + 28) = v10[3](390i64);
*(a1 + 32) = 16777235;
}
}
gBS->LocateProtocol(&EFI_PCI_ROOT_BRIDGE_IO_PROTOCOL_GUID, 0i64, &Interface);
gBS->LocateProtocol(&EFI_PI_MP_SERVICES_PROTOCOL_GUID, 0i64, &v39);
(*v39)(v39, &v38, &v43);
v11 = *a1;
*a2 = 14;
v12 = v11 - 1128878145;
if ( !v12 )
{
sub_8688(v39, v38);
v35 = a1 + 44;
v36 = a1 + *(a1 + 4);
if ( a1 + 44 < v36 )
{
do
{
if ( !*v35 )
{
if ( v5 >= v38 )
{
*(v35 + 4) = 0;
*(v35 + 3) = -1;
}
else
{
*(v35 + 4) = *&byte_11280[8 * v5 + 4];
*(v35 + 3) = byte_11280[8 * v5 + 1];
}
*(v35 + 2) = v5++;
}
v35 += *(v35 + 1);
}
while ( v35 < v36 );
}
return 0i64;
}
v13 = v12 - 66908940;
if ( !v13 )
{
*(a1 + 44) = 3221225472i64;
v34 = sub_913C();
*(a1 + 55) = (v34[3](298i64) >> 20) - 1;
*(a1 + 4) -= 16;
return 0i64;
}
v14 = v13 - 100339459;
if ( !v14 )
{
DataSize = 656i64;
gRT->GetVariable(L"SaSetup", &SA_SETUP_VARIABLE_GUID, 0i64, &DataSize, Data);
DataSize = 8i64;
if ( !gRT->GetVariable(L"PRAM_Conf", &EFI_PRAM_CONF_GUID, 0i64, &DataSize, &v47) && v47 != v46 )
{
DataSize = 656i64;
gRT->GetVariable( // <= first call (we can rewrite DataSize here)
L"SaSetup",
&SA_SETUP_VARIABLE_GUID,
&Attributes,
&DataSize,
v44);
v44[519] = v47;
gRT->SetVariable( // <= second call
L"SaSetup",
&SA_SETUP_VARIABLE_GUID,
Attributes,
DataSize,
v44);
gRT->ResetSystem(EfiResetWarm, 0i64, 0i64, 0i64);
v41[1] = 0i64;
while ( 1 )
;
}
v47 = v46;
gRT->SetVariable(L"PRAM_Conf", &EFI_PRAM_CONF_GUID, 7u, 1ui64, &v47);
if ( v47 )
{
switch ( v47 )
{
case '1':
v32 = 0x400000;
break;
case '2':
v32 = 0x1000000;
break;
case '3':
v32 = 0x4000000;
break;
default:
v32 = 0;
break;
}
v33 = sub_93CC(&SI_MEMORY_PLATFORM_DATA_GUID);
if ( v33 )
v2 = *(v33 + 64) << 20;
*(a1 + 36) = v2;
*(a1 + 44) = v32;
}
return 0i64;
}
v15 = v14 - 117633269;
if ( v15 )
{
v16 = v15 - 4095;
if ( v16 )
{
v17 = v16 - 12;
if ( !v17 )
{
*a2 = 2;
return 0i64;
}
v18 = v17 - 3;
if ( v18 )
{
if ( v18 == 64757 )
{
if ( byte_1095F )
{
*(a1 + 44) = 4275044352i64;
return 0i64;
}
goto LABEL_16;
}
}
else
{
v19 = (a1 + 16);
if ( (a1 + 16) == byte_B030 || !sub_2E0((a1 + 16), byte_B030, 3i64) )
*a2 = 1;
if ( v19 == aTherSds || !sub_2E0((a1 + 16), aTherSds, 8i64) )
*a2 = 1;
if ( v19 == aTherRvp || !sub_2E0((a1 + 16), aTherRvp, 8i64) )
{
v20 = a1;
if ( a1 < *(a1 + 4) + a1 - 4 )
{
do
{
if ( *v20 > 0x3343415Fu )
{
switch ( *v20 )
{
case 0x334C415F:
if ( *(v20 - 1) == 8 && !byte_103D2 )
*v20 = 860635480;
break;
case 0x3443415F:
if ( *(v20 - 2) == 20 && !byte_103D2 )
*v20 = 876822872;
break;
case 0x344C415F:
if ( *(v20 - 1) == 8 && !byte_103D2 )
*v20 = 877412696;
break;
case 0x4C53505F:
if ( *(v20 - 3) == 20 && !byte_103D3 )
*v20 = 1280528472;
break;
case 0x5053545F:
if ( *(v20 - 2) == 20 && !byte_103D3 )
*v20 = 1347638360;
break;
case 0x5452435F:
if ( *(v20 - 3) == 20 && !byte_103D4 )
*v20 = 1414677336;
break;
default:
if ( *v20 == 1448300639 && *(v20 - 3) == 20 && !byte_103D3 )
*v20 = 1448300632;
break;
}
}
else
{
switch ( *v20 )
{
case 0x3343415F:
if ( *(v20 - 2) == 20 && !byte_103D2 )
*v20 = 860045656;
break;
case 0x3043415F:
if ( *(v20 - 3) == 20 && !byte_103D2 )
*v20 = 809714008;
break;
case 0x304C415F:
if ( *(v20 - 1) == 8 && !byte_103D2 )
*v20 = 810303832;
break;
case 0x3143415F:
if ( *(v20 - 2) == 20 && !byte_103D2 )
*v20 = 826491224;
break;
case 0x3143545F:
if ( *(v20 - 2) == 20 && !byte_103D3 )
*v20 = 826496088;
break;
case 0x314C415F:
if ( *(v20 - 1) == 8 && !byte_103D2 )
*v20 = 827081048;
break;
case 0x3243415F:
if ( *(v20 - 2) == 20 && !byte_103D2 )
*v20 = 843268440;
break;
case 0x3243545F:
if ( *(v20 - 2) == 20 && !byte_103D3 )
*v20 = 843273304;
break;
default:
if ( *v20 == 843858271 && *(v20 - 1) == 8 && !byte_103D2 )
*v20 = 843858264;
break;
}
}
v20 = (v20 + 1);
}
while ( v20 < *(a1 + 4) + a1 - 4 );
}
}
if ( v19 == aEhlRvp || !sub_2E0(v19, aEhlRvp, 8i64) || v19 == aEhlCrb || !sub_2E0(v19, aEhlCrb, 8i64) )
{
v27 = byte_10469 == 1;
*a2 = 1;
if ( v27 )
{
if ( v19 == aEhlRvp || !sub_2E0(v19, aEhlRvp, 8i64) )
{
v21 = sub_913C();
if ( v21[6](74i64) )
*a2 = 14;
}
if ( v19 == aEhlCrb || !sub_2E0(v19, aEhlCrb, 8i64) )
{
v22 = sub_913C();
if ( v22[6](73i64) )
*a2 = 14;
}
}
}
}
return 0i64;
} v40 = 0i64;
*a2 = 1;
v23 = 0;
sub_945C(0, v41, &v40);
v24 = *(v41[0] + 10);
v25 = v24;
if ( v24 >= *(&word_4 + v24) + v24 - 4 )
return 0i64;
while ( 1 )
{
v26 = *v25;
if ( *v25 > 0x35305250u )
{
if ( v26 > 0x384C415F )
{
if ( v26 > 0x4C44455F )
{
switch ( v26 )
{
case 0x4C53505Fu:
if ( *(v25 - 3) == 20 && !byte_103D3 )
*v25 = 1280528472;
break;
case 0x5053545Fu:
if ( *(v25 - 2) == 20 && !byte_103D3 )
*v25 = 1347638360;
break;
case 0x53564E47u:
if ( *(v25 - 1) == 0x80 )
{
*(v25 + 6) = qword_FDA0;
*(v25 + 11) = 2583;
}
break;
case 0x5452435Fu:
if ( *(v25 - 3) == 20 && !byte_103D4 )
*v25 = 1414677336;
break;
default:
if ( v26 == 1448300639 && *(v25 - 3) == 20 && !byte_103D3 )
*v25 = 1448300632;
break;
}
goto LABEL_259;
}
if ( v26 == 1279542623 )
{
if ( byte_FEBD && *(v25 - 1) == 8 )
*v25 = 1279542616;
goto LABEL_259;
}
if ( v26 != 959468112 )
{
switch ( v26 )
{
case 0x3943415Fu:
if ( *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 960708952;
break;
case 0x394C415Fu:
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 961298776;
break;
case 0x4154535Fu:
if ( byte_FEBD && *(v25 - 3) == 20 && v23 )
{
*v25 = 1096045400;
v23 = 0;
}
break;
default:
if ( v26 == 1262699615 && byte_FEBD && *(v25 - 3) == 20 )
*v25 = 1262699608;
break;
}
goto LABEL_259;
}
}
else
{
if ( v26 == 944521567 )
{
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 944521560;
goto LABEL_259;
}
if ( v26 > 0x364C415F )
{
if ( v26 != 925913680 )
{
if ( v26 == 927154527 )
{
if ( *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 927154520;
goto LABEL_259;
}
if ( v26 == 927744351 )
{
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 927744344;
goto LABEL_259;
}
if ( v26 != 942690896 )
{
if ( v26 == 943931743 && *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 943931736;
goto LABEL_259;
}
}
}
else
{
if ( v26 == 910967135 )
{
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 910967128;
goto LABEL_259;
}
if ( v26 != 892424784 )
{
if ( v26 == 893600095 )
{
if ( *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 893600088;
goto LABEL_259;
}
if ( v26 == 894189919 )
{
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 894189912;
goto LABEL_259;
}
if ( v26 != 909136464 )
{
if ( v26 == 910377311 && *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 910377304;
goto LABEL_259;
}
}
}
}
LABEL_120:
if ( !byte_FEBD )
{
v28 = v25;
if ( (v25 + 20 >= v25 ? 0x15 : 0) != 0 )
{
do
{
if ( *v28 == 1346716767 )
*v28 = 88;
++v28;
}
while ( &v28[1 - v25] <= (v25 + 20 >= v25 ? 0x15 : 0) );
}
}
goto LABEL_259;
}
if ( v26 == 892359248 )
goto LABEL_120;
if ( v26 > 0x3243415F )
break;
if ( v26 == 843268447 )
{
if ( *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 843268440;
goto LABEL_259;
}
if ( v26 > 0x31315250 )
{
switch ( v26 )
{
case 0x3143415Fu:
if ( *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 826491224;
goto LABEL_259;
case 0x3143545Fu:
if ( *(v25 - 2) == 20 && !byte_103D3 )
*v25 = 826496088;
goto LABEL_259;
case 0x314C415Fu:
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 827081048;
goto LABEL_259;
}
v29 = v26 - 842027600;
LABEL_139:
v27 = (v29 & 0xFFFEFFFF) == 0;
goto LABEL_119;
}
if ( ((v26 - 808473168) & 0xFEFEFFFF) == 0 && v26 != 825250384 )
goto LABEL_120;
switch ( v26 )
{
case 0x3043415Fu:
if ( *(v25 - 3) == 20 && !byte_103D2 )
*v25 = 809714008;
goto LABEL_259;
case 0x304A455Fu:
if ( byte_FEBD && *(v25 - 3) == 20 )
{
*v25 = 810173784;
v23 = 1;
}
goto LABEL_259;
case 0x304C415Fu:
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 810303832;
goto LABEL_259;
}
v27 = v26 == 825250384;
LABEL_119:
if ( v27 )
goto LABEL_120;
LABEL_259:
if ( ++v25 >= *(v24 + 4) + v24 - 4 )
return 0i64;
}
if ( v26 > 0x3343415F )
{
if ( v26 == 860635487 )
{
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 860635480;
goto LABEL_259;
}
if ( ((v26 - 875582032) & 0xFFFEFFFF) != 0 )
{
if ( v26 == 876822879 )
{
if ( *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 876822872;
}
else if ( v26 == 877412703 && *(v25 - 1) == 8 && !byte_103D2 )
{
*v25 = 877412696;
}
goto LABEL_259;
}
goto LABEL_120;
}
switch ( v26 )
{
case 0x3343415Fu:
if ( *(v25 - 2) == 20 && !byte_103D2 )
*v25 = 860045656;
goto LABEL_259;
case 0x3243545Fu:
if ( *(v25 - 2) == 20 && !byte_103D3 )
*v25 = 843273304;
goto LABEL_259;
case 0x324C415Fu:
if ( *(v25 - 1) == 8 && !byte_103D2 )
*v25 = 843858264;
goto LABEL_259;
}
v29 = v26 - 858804816;
goto LABEL_139;
}
if ( !*(qword_FDA0 + 68) )
{
LABEL_16:
*a2 = 1;
return 0i64;
}
if ( (MEMORY[0xFD72C00C] & 1) != 0 )
{
v30 = 110;
}
else
{
v30 = 23;
v48 = 23;
v31 = *(qword_FDA0 + 2129);
if ( v31 )
{
sub_8FA0(v31, &v48);
v30 = v48;
}
}
*(a1 + 64) = v30;
return 0i64;
}The gRT->SetVariable() service is called with the DataSize as an argument, which will be overwritten inside the gRT->GetVariable() service if the length of SaSetup NVRAM variable is greater than 656.
Thus, a potential attacker can dump X - 656 bytes from the stack (or global memory) into SaSetup NVRAM variable by setting SaSetup NVRAM variable's size to X > 656.
To fix this vulnerability the DataSize must be re-initialized with the size of SaSetup before calling gRT->SetVariable().
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
BINARLY efiXplorer team
.svg)