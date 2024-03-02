Binarly REsearch

The Binarly research team highlights the widespread risk of legacy unsafe code fragments distributed across the firmware supply chain and explains how these could lead to exploitable vulnerabilities.

The complexity of the firmware supply chain always implies additional risk due to its asynchronous nature. The tardy delivery of security fixes across the entire industry is a huge problem that is exacerbated by sometimes-unreasonable timeline extensions to release patches and a general tendency to reduce CVSS severity scores to mask real impact.

Another side of this coin are collisions in the firmware development and build systems that lead to the distribution of firmware images containing legacy artifacts. These artifacts are not reviewed or updated for extended periods and they are often vulnerable or include unsafe code fragments. The threat becomes higher when such issues are ignored even after being reported to firmware vendors. They keep these issues out of scope because this piece of code was not intended (and sometimes is not able) to run on a given device at all or even it is unreachable (a so-called, deadcode) in terms of execution flow.

However, it’s important for us to understand that this works both ways: if these artifacts appear somewhere by mistake and remain unreachable or unexploitable for years, what stops them from ending up where the context is different? What happens when they become reachable, exploitable and a real high-impact threat for a device's security? The firmware supply chain does not exclude the possibility of embedding such code into final products.

Just recently, the Binarly research team came across a very interesting UEFI firmware image for ARM-based devices. It contained a few modules compiled for x86 CPU architecture. Because there was no emulation environment present there, this may be a mistake. However, this sighting became a boiling point for us to share some cases of discovering these types of artifacts in firmware. We believe it is of critical importance to highlight the existing industry-wide risk of unsafe code distributed across the firmware supply chain.

These cases clearly show the critical importance of relying on binary-level analysis for better visibility and transparency of the firmware supply chain.

Back to x86 SMM: Escalating privileges from DXE to SMM by design

BRLY-2022-043

At OffensiveCon 2022 and OffensiveCon 2023, we demonstrated an unusual attack vector against UEFI firmware that allows escalating privileges to System Management Mode (SMM) from the DXE phase (during part of the boot process). Last year, we disclosed numerous vulnerabilities leading to arbitrary code execution in DXE (e.g. memory corruptions as a result of incorrect handling of EFI variables). Several times, we pointed out that a potential attacker with the ability to control execution flow during boot is capable of compromising not only the next stages of the boot process, but also to gain arbitrary code execution in a more isolated and privileged environment than kernel mode - SMM.

This is a result of not-so-obvious UEFI design and architectural weaknesses, such as:

During initialization routines of literally any SMM module, some standard SMM objects are extracted through EFI_BOOT_SERVICES->LocateProtocol() . F.i. EFI_BASE2_SMM_PROTOCOL is located this way, which is used to locate EFI_SMM_SYSTEM_TABLE2 ;

. F.i. is located this way, which is used to locate ; There is a lot of usage of EFI_BOOT_SERVICES inside SMM until SmmReadyToLock, even in SMM Core.

This specifically creates a window for hijacking the SMM execution flow during the SMM initialization process. Actually, the window is not limited to only a short time period in the beginning of DXE phase. The thing is, MM DEPEX sections create the delay for loading certain SMM modules making the IPL loader run a few loops over the modules list until all required modules are loaded into SMRAM and started. This could be enough for an attacker who gained arbitrary code execution in DXE to use aforementioned case 1 or 2 to hijack the SMM execution flow and escalate privileges to SMM. But all of the vulnerabilities we are discussing today allow a potential attacker to use an even wider time period for privilege escalation from DXE to SMM. Let’s build this attack vector using one of those vulnerabilities - BRLY-2022-043 (7.5 High) SMM callout vulnerability.

To prove this, we developed a PoC that is executed during the DXE phase that is constantly trying to access SMRAM during the boot process.

This experiment shows that there is a period of time during DXE while SMRAM is not yet locked and is accessible from non-SMM code. PoC: https://github.com/binarly-io/tools_pocs/tree/main/DxeSmmHook/DxeSmmHookSrc

BRLY-2021-049

This is an SMM memory corruption vulnerability in an SMM module called SaLateInitSmm {2D1E361C-7B3F-4D15-8B1F-66E551FABDC7} and in its IO TRAP SMI handler.

Our research team believes the exploitability of this bug in particular is not so trivial because the MMIO register (used for calculating the pointer) is locked during the boot process. However, an attacker that already achieved arbitrary code execution in DXE can use it in the beginning of DXE phase before this value is locked, and then corrupt some SMM memory to gain LPE to SMM. The potential attack vector is similar to the one described above. It opens yet another way of escalating privileges. This was the reason this was reported toIntel as a security issue.

BRLY-2022-005

The next bug is a similar issue described in BRLY-2021-049, but in another SMM module called UpdateMsrSmi {4B709C41-2066-4684-A92A-CFAE7C7563FC} . The MMIO register value is locked during the boot process, but there is a small window in DXE to use this bug as an LPE to SMM.

BRLY-2022-007

Another interesting primitive, BRLY-2022-007, was disclosed to firmware vendors back in 2022 and is still common in the wild. These two -- BRLY-2021-049 and BRLY-2022-007 -- will be difficult to exploit directly. However, the vulnerable primitive can be used in a chained exploit, allowing an attacker to elevate the privileges from DXE to the SMM. Look at this as a generic primitive to get from user mode to kernel mode on the operating system. Still, this one is more powerful because operating into the system firmware.

Firmware supply chain collisions: hidden threat posed by dead code

BRLY-2021-044

This one was a very special case discovered while looking into a UEFI application with a very credible name - TrustedDeviceSetupApp {658D56F0-4364-4721-B70E-732DDC8A2771} . For some reason, it contains code which is intended to run in the System Management Mode (SMM) environment. This code is vulnerable to a classical SMI callout attack.

There is even the registration routine inside the TrustedDeviceApp UEFI application:

Registering an SMI handler requires access to EFI_SMM_SYSTEM_TABLE2 (gSmst) , which is located in SMRAM and accessible only in SMM mode. In the beginning of the DXE phase, there is a time window before the SMRAM is not yet locked and SMM_Code_Chk mitigation is not enabled. However, running UEFI applications is performed much later. So, is there a way to run UEFI applications in SMM?

After a series of experiments we concluded that the child SW SMI handler from our report actually will never be registered and won’t be accessible at runtime. To summarize, this SMM code fragment looks like a linking error during the build process caused by some mess in EFI configuration files.

After some research we discovered the vulnerable SMM code fragment was a part of old EDKII code:

It appears it was removed from EDK2 code base in 2018: https://github.com/tianocore/edk2/commit/1101ffbf84158fc5094987d42fc404bd00fb16b4

At this point, the vulnerable code was in the source file:

SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c:

The discovered SMM callout is inside the AllocateZeroPool() routine that uses gBS->AllocatePool() , when EFI_BOOT_SERVICES (gBS) is outside of SMRAM. We believe the reason for exposing a vulnerable SMI handler was the architecture of this module, which requires a shared memory between DXE code and SMM.

To finally make sure this is the actual dead code that got into the TrustedDeviceSetupApp, let’s look at the following debug strings inside the module, showing us it was built with edk2 2017 code base:

Here we find that the incorrect use of the SecurityPkg package resulted in the linking of vulnerable code.

It appears to be just dead code inside the TrustedDeviceSetupApp that is not involved in the device’s work logic. However, this is a perfect example of how a mistake in a build configuration leads to linking a vulnerable code into a completely different module. In other circumstances, this code could be linked into an SMM module, making it possible to register a vulnerable SMI handler.

This appears to be a harmless mistake that created a high-severity security issue in the software supply chain.

Out of curiosity, using FwHunt on LVFS base, we checked where this component is present.

Lenovo ThinkPad L13 Lenovo ThinkPad L14 Gen 1 / L15 Gen 1 Lenovo ThinkPad L14 Gen 2 / L15 Gen 2 Lenovo ThinkPad P1 Gen 3/X1 Extreme 3rd Lenovo ThinkPad P1 Gen 4/X1 Extreme Gen 4 Lenovo ThinkPad P15 Gen 1/ P17 Gen 1/ P15g Gen 1/ T15p Gen 1/ P15v Gen 1 Lenovo ThinkPad P15 Gen 2i/ P17 Gen 2i/ T15g Gen 2i Lenovo ThinkPad T14 Gen 1/ P14s Gen 1 / T15 Gen 1 / P15s Gen 1 / T14 Gen 1 Healthcare Edition Lenovo ThinkPad T14 Gen 2 / P14s Gen 2 / T15 Gen 2 / P15s Gen 2 Lenovo ThinkPad T14s Gen 1 / ThinkPad X13 Gen 1 Lenovo ThinkPad T14s Gen 2 / X13 Gen 2 Lenovo ThinkPad T490 Lenovo ThinkPad X1 Carbon 7th / X1 Yoga 4th Lenovo ThinkPad X1 Carbon 9th / X1 Yoga 6th Lenovo ThinkPad X1 Carbon Gen 8 /X1 Yoga Gen 5 Lenovo ThinkPad X13YogaGen1 Lenovo ThinkPad X13YogaGen2 Lenovo ThinkPad X390 Lenovo ThinkStation M70A Star Labs StarBook MkV

Although the code in the devices listed above does not appear to be executable, our team regards it as a warning sign. The issue has been reported to Intel.

BRLY-2021-048

This is another vulnerability in the previously mentioned SMM module SaLateInitSmm {2D1E361C-7B3F-4D15-8B1F-66E551FABDC7} that is is also a classic callout via locating or calling (depends on was it already located or not before a possible attacker calls this SMI).

The vulnerability appeared to be not exploitable on the target device in a given configuration, which doesn't allow the vulnerable IO TRAP SMI handler to be registered during boot. Keeping in mind the complexities of the firmware supply chain, this module could be exploitable on other devices with different configurations. We don’t believe this code is just a dead code everywhere. It also doesn’t look like a consequence of linking error, nor it looks like a code used for debugging purposes. The availability of the vulnerable SMI handler depends strictly on device configuration. This issue was reported to Intel

The vulnerability was found to be non-exploitable on the targeted device due to its specific configuration, which prevents the registration of the vulnerable IO TRAP SMI handler during boot-up. However, considering the complexities inherent in the firmware supply chain, this issue may be exploitable on devices with alternate configurations. We maintain that this code is not merely redundant across all contexts; it does not appear to be the result of a linking error or to have been intended solely for debugging purposes. The activation of the vulnerable SMI handler is strictly dependent on the configuration of the device. This issue has been reported to Intel.

BRLY-2021-052

This vulnerability in module 017D {C3145BF3-201E-4838-88CD-8F5B7F7759A2} is a classic SMM memory corruption via SMM Communication Buffer.

This issue was reported to Intel but they responded to the report in the same manner: the issue is not exploitable on the device, keeping in mind its configuration. This means the vulnerable SMI handler will never be registered and hence, the abovementioned code will never be executed on it.

Conclusions

Securing the software supply chain is a very complex problem. Existing solutions in the market are incapable of addressing the problem in a meaningful way. Analyzing source code before it gets compiled and resolving all the dependencies creates a lot of blindspots for modern SCA (Software Composition Analysis) tools.

This research provides a great data point to prove that with confidence because all the device manufacturer firmware tested in this blog, including source code audit with existing solutions, missed these problems. The modern complexity of the system firmware outpaces the ability of the existing solutions to detect the problems before the software gets deployed, and external researchers and threat actors will discover problems.

It’s clearly not enough to provide cover for known vulnerabilities connected to the version of the top component and not look for the vulnerable code primitives or weak code patterns inside the compiled binary. That’s precisely why we created Binarly and we’re excited to build technology to solve this problem in an entirely different way.

