


CVE-2023-34853

This repository discloses some details about CVE-2023-34853. The vulnerability is present in Supermicro motherboard X12DPG-QR firmware 1.4b and will be fixed in version 1.5. In the SmcSecureErase file (GUID: 2B7C2FD1-C1CF-AB1D-C3BB-D1D691FB131E) within the BIOS firmware, there is a stack-based buffer overflow at offset 0x2CC2. The decompiled code believed to contain the vulnerability is as follows:

// Decompiler (IDA-style) excerpt of sub_2C20 from the SmcSecureErase module; the
// disclosure places the vulnerable instruction at offset 0x2CC2. The function reads
// the UEFI variable named by aSmcsecurityera via gRT->GetVariable into a
// fixed-size stack buffer. a1 and a2 are not used in this excerpt, and the full
// body between the second GetVariable call and the return is not shown.
char __fastcall sub_2C20(int *a1, unsigned __int64 a2) { char v4; // r12
  unsigned __int64 v6; // r15
  __int64 v7; // rbx
  unsigned __int64 v8; // rax
  char *v9; // rsi
  char *v10; // r13
  _WORD *v11; // rax
  char *v12; // rcx
  __int16 i; // dx
  __int64 v14; // rdx
  __int64 v15; // r8
  __int64 v16; // rdx
  __int64 v17; // r8
  __int16 *v18; // rcx
  _BYTE *v19; // rax
  __int64 v20; // rcx
  __int64 v21; // rax
  _BYTE *v22; // rax
  __int64 v23; // rcx
  __int64 v24; // rax
  __int64 v25; // rcx
  __int64 v26; // rdx
  unsigned __int8 v27; // cl
  unsigned __int64 v28; // r14
  unsigned __int8 v29; // r8
  __int64 v30; // rdx
  __int64 v31; // rax
  int v32; // edx
  __int64 v33; // rax
  char v34; // al
  // Most locals below are decompiler artifacts of the omitted part of the body and
  // are never touched in this excerpt.
  _BYTE *v35; // [rsp+50h] [rbp-B0h] BYREF
  _BYTE *v36; // [rsp+58h] [rbp-A8h] BYREF
  _WORD *v37; // [rsp+60h] [rbp-A0h] BYREF
  __int64 v38; // [rsp+68h] [rbp-98h] BYREF
  __int64 v39[2]; // [rsp+70h] [rbp-90h] BYREF -- v39[0] is the in/out DataSize passed to both GetVariable calls
  char v40[112]; // [rsp+80h] [rbp-80h] BYREF
  char v41[1680]; // [rsp+F0h] [rbp-10h] BYREF -- destination buffer of the second GetVariable call; fixed at 1680 bytes
  char v42[5376]; // [rsp+780h] [rbp+680h] BYREF
  char v44; // [rsp+1CA0h] [rbp+1BA0h]
  int v45; // [rsp+1CA8h] [rbp+1BA8h] BYREF
  v39[0] = 0i64; // DataSize starts at 0 so the first query only reports the required size
  v44 = 0;
  v37 = 0i64;
  v4 = 0; // return value; it is never changed in this excerpt, so the visible paths return 0
  // First query: DataSize is 0 and Data is NULL, so the call is expected to fail with
  // 0x8000000000000005 (EFI_BUFFER_TOO_SMALL) and write the variable's actual size
  // back into v39[0]. Any other status makes the function return 0 here.
  if ( (*(__int64 (__fastcall **)(__int16 *, __int64 *, _QWORD, __int64 *,_QWORD))(gRT ->GetVariable))( aSmcsecurityera, &VendorGuid, 0i64, v39, 0i64) != 0x8000000000000005ui64 ) return 0;
  v6 = 0i64; // set but not used in this excerpt
  // Second query: v39[0] now holds the size reported by the firmware, i.e. the length
  // of whatever was stored in the variable, and is passed unchanged as DataSize while
  // Data points at v41 (1680 bytes on the stack). Nothing between the two calls checks
  // v39[0] <= sizeof(v41), so a variable longer than 1680 bytes is copied past the end
  // of v41 and over the rest of the frame (CVE-2023-34853). Mitigation: clamp or reject
  // a DataSize larger than sizeof(v41) before this call, or allocate a buffer of the
  // reported size instead of using a fixed stack array. v7 (the returned status) is
  // not examined in this excerpt.
  v7 = (*(__int64 (__fastcall **)(__int16 *, __int64 *, _QWORD, __int64 *, char *))(gRT ->GetVariable))(aSmcsecurityera, &VendorGuid, 0i64, v39, v41); return v4; }

If "SmcSecurityEraseSetupVar" is set to a long string, the first call to GetVariable (made with DataSize 0 and no data buffer) fails with EFI_BUFFER_TOO_SMALL and updates v39 (DataSize) to the actual length of the string. The second call to GetVariable then passes that unchecked length together with v41, a 1680-byte stack buffer, so the variable's contents are written past the end of v41. This results in a stack-based buffer overflow. An attacker who already has local privileged access can use this vulnerability to escalate from ring 3 or ring 0 (depending on the operating system) to a DXE Runtime UEFI application and execute arbitrary code in that context.

Finally, special thanks to Supermicro's security department for their continuous follow-up.
