This repository discloses some details about CVE-2023-34853. The vulnerability is present in Supermicro motherboard X12DPG-QR BIOS version 1.4b and will be fixed in version 1.5. In the SmcSecureErase file (GUID: 2B7C2FD1-C1CF-AB1D-C3BB-D1D691FB131E) within the BIOS firmware, there is a stack-based buffer overflow at offset 0x2CC2. The decompiled code believed to contain the vulnerability is as follows:
/*
 * Decompiler (IDA-style) excerpt of sub_2C20 from the SmcSecureErase module.
 * The author has elided the code between the two GetVariable calls
 * ("speculated code"), which is why most of the locals declared below are
 * never referenced in this excerpt.
 *
 * a1, a2: not used in the visible part of the function.
 * Returns v4, which in this excerpt is only ever set to 0.
 */
char __fastcall sub_2C20(int *a1, unsigned __int64 a2) { char v4; // r12
unsigned __int64 v6; // r15
__int64 v7; // rbx
unsigned __int64 v8; // rax
char *v9; // rsi
char *v10; // r13
_WORD *v11; // rax
char *v12; // rcx
__int16 i; // dx
__int64 v14; // rdx
__int64 v15; // r8
__int64 v16; // rdx
__int64 v17; // r8
__int16 *v18; // rcx
_BYTE *v19; // rax
__int64 v20; // rcx
__int64 v21; // rax
_BYTE *v22; // rax
__int64 v23; // rcx
__int64 v24; // rax
__int64 v25; // rcx
__int64 v26; // rdx
unsigned __int8 v27; // cl
unsigned __int64 v28; // r14
unsigned __int8 v29; // r8
__int64 v30; // rdx
__int64 v31; // rax
int v32; // edx
__int64 v33; // rax
char v34; // al
_BYTE *v35; // [rsp+50h] [rbp-B0h] BYREF
_BYTE *v36; // [rsp+58h] [rbp-A8h] BYREF
_WORD *v37; // [rsp+60h] [rbp-A0h] BYREF
__int64 v38; // [rsp+68h] [rbp-98h] BYREF
/* v39[0] is the DataSize in/out argument handed to both GetVariable calls. */
__int64 v39[2]; // [rsp+70h] [rbp-90h] BYREF
char v40[112]; // [rsp+80h] [rbp-80h] BYREF
/*
 * Fixed-size stack buffer that receives the variable contents in the second
 * GetVariable call. Its capacity (1680 bytes) is never compared against the
 * size the firmware reports back in v39[0]; the frame offsets suggest a write
 * past its end runs toward higher stack addresses (v42 and beyond).
 */
char v41[1680]; // [rsp+F0h] [rbp-10h] BYREF
char v42[5376]; // [rsp+780h] [rbp+680h] BYREF
char v44; // [rsp+1CA0h] [rbp+1BA0h]
int v45; // [rsp+1CA8h] [rbp+1BA8h] BYREF
/* DataSize starts at 0 so the first query only asks the firmware for the real size. */
v39[0] = 0i64;
v44 = 0;
v37 = 0i64;
v4 = 0;
/*
 * First GetVariable call: Data = NULL, DataSize = 0. The only status accepted
 * is 0x8000000000000005 (EFI_BUFFER_TOO_SMALL); on that path the firmware has
 * written the variable's actual size into v39[0]. Any other status returns 0.
 * aSmcsecurityera is the variable name (SmcSecurityEraseSetupVar per the
 * disclosure text).
 */
if ( (*(__int64 (__fastcall **)(__int16 *, __int64 *, _QWORD, __int64 *,_QWORD))(gRT ->GetVariable))( aSmcsecurityera, &VendorGuid, 0i64, v39, 0i64) != 0x8000000000000005ui64 ) return 0;
v6 = 0i64;
/*
 * Second GetVariable call: v41 is passed as Data with the size now held in
 * v39[0], but v39[0] is never bounded by sizeof v41 before the call. A
 * variable larger than 1680 bytes therefore overflows the stack buffer.
 * The returned status (v7) is also not checked. Mitigation: reject or clamp
 * v39[0] > sizeof v41 before this call, or allocate the buffer from the size
 * returned by the first call.
 */
v7 = (*(__int64 (__fastcall **)(__int16 *, __int64 *, _QWORD, __int64 *, char *))(gRT ->GetVariable))(aSmcsecurityera, &VendorGuid, 0i64, v39, v41); return v4; }
If "SmcSecurityEraseSetupVar" is set to a long string, the first GetVariable call (made with a NULL data buffer and DataSize = 0) returns EFI_BUFFER_TOO_SMALL (0x8000000000000005) and updates v39 (DataSize) to the actual length of the variable. The second GetVariable call then copies the whole variable into v41, a 1680-byte stack buffer, without checking that the length fits. This results in a stack-based buffer overflow. An attacker with local privileged access can exploit this vulnerability to escalate privileges from ring 3 or ring 0 (depending on the operating system) to a DXE Runtime UEFI application and execute arbitrary code.
Finally, special thanks to Supermicro's security department for their continuous follow-up.