There is a vulnerability in the latest firmware (version 1.21) of the Acer Aspire E5-475G, which could lead to arbitrary code execution in the UEFI DXE phase.
NOTICE: The Acer security team states that the device is end of service and will not receive any further updates.
Vulnerability Description
The vulnerability exists due to incorrect use of the gRT->GetVariable runtime service in the FpGui module.
__int64 __fastcall sub_356A8(__int64 a1, __int64 a2, __int64 a3, double a4)
{
    __int64 v50[13]; // [rsp+88h] [rbp-11h] BYREF   <- destination buffer, on the stack
    // .... initialization
    DataSize = 8i64;                                 // expected size of DataAddress: 8 bytes
    // .......
    v5 = gRT->GetVariable((CHAR16 *)L"DataAddress", &v44, 0i64, &DataSize, v50);
    if ( v5 )                                        // first call failed (e.g. EFI_BUFFER_TOO_SMALL)
    {
        // DataSize is NOT reset here: it now holds whatever GetVariable wrote into it
        v5 = gRT->GetVariable((CHAR16 *)L"DataAddress", &v44, 0i64, &DataSize, v50);
        if ( v5 )
        {
            sub_35658();
            return v11;
        }
    }
    // ......
}
In the function located at offset 0x356A8 (IDA name sub_356A8), GetVariable is invoked to retrieve the value of the DataAddress variable.
sub_356A8 is invoked from sub_355E4, and sub_355E4 is called directly from the module entry point, so this code runs every time the driver loads.
As shown above, DataSize is initialised to 8, the expected size of DataAddress.
If the first call fails, GetVariable returns a non-zero status (v5) and the code simply calls GetVariable again (the if block).
The problem is that DataSize is not reset to 8 before the retry, and the returned size is never compared against the size of the destination buffer.
Per the UEFI specification, when the supplied buffer is too small GetVariable returns EFI_BUFFER_TOO_SMALL and writes the variable's real size into DataSize. So if an attacker stores a DataAddress variable larger than expected (SetVariable is reachable from the OS for non-volatile, runtime-accessible variables), the first call fails and DataSize is overwritten with the attacker-chosen length.
The second call then accepts that length and copies the whole variable into the fixed-size buffer, causing a stack buffer overflow.
Note that v50 lives on the stack (rbp-11h), so the overflow reaches the saved frame and makes it easy to hijack control flow.
As a result, an attacker can exploit the vulnerability to gain code execution in the UEFI DXE phase and implant a persistent backdoor on affected devices.
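The following stand-alone C program illustrates the double-GetVariable pattern described above and the check that prevents it. It is an added example, not code from the FpGui module or from Acer: mock_get_variable is a constructed model of the GetVariable contract (VendorGuid and Attributes omitted), the "DataAddress" store, the simulated stack frame and all function names are illustrative assumptions, and the 16-byte payload is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Subset of the EFI_STATUS codes GetVariable() can return. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 0x8000000000000005ULL
#define EFI_NOT_FOUND        0x800000000000000EULL

/* Constructed variable store holding one "DataAddress" variable whose length
 * is chosen by the caller (in the real attack: the OS, via SetVariable). */
#define VAR_MAX 64
static uint8_t g_var_data[VAR_MAX];
static size_t  g_var_size;

void store_data_address(const void *data, size_t size)
{
    if (size > VAR_MAX) size = VAR_MAX;
    memcpy(g_var_data, data, size);
    g_var_size = size;
}

/* Model (assumption, simplified) of the gRT->GetVariable() contract that
 * matters here: if *DataSize is smaller than the variable, return
 * EFI_BUFFER_TOO_SMALL and write the real size into *DataSize; otherwise
 * copy the variable and report its size. */
EFI_STATUS mock_get_variable(const char *name, size_t *DataSize, void *Data)
{
    if (strcmp(name, "DataAddress") != 0)
        return EFI_NOT_FOUND;
    if (*DataSize < g_var_size) {
        *DataSize = g_var_size;      /* the value the vulnerable code reuses */
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(Data, g_var_data, g_var_size);
    *DataSize = g_var_size;
    return EFI_SUCCESS;
}

/* Simulated stack frame: an 8-byte destination (the v50 analogue) followed by
 * an 8-byte "saved return address", so an overflow becomes observable. */
#define BUF_SIZE   8
#define FRAME_SIZE 16
static const uint8_t RET_SENTINEL[8] = {0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41};

static void init_frame(uint8_t frame[FRAME_SIZE])
{
    memset(frame, 0, BUF_SIZE);
    memcpy(frame + BUF_SIZE, RET_SENTINEL, sizeof RET_SENTINEL);
}

static int ret_smashed(const uint8_t frame[FRAME_SIZE])
{
    return memcmp(frame + BUF_SIZE, RET_SENTINEL, sizeof RET_SENTINEL) != 0;
}

/* Vulnerable pattern from the writeup: DataSize is set once, the call is
 * retried when the first one fails, and the DataSize updated by the failed
 * call is passed straight back in. Returns 1 if the return address was hit. */
int vulnerable_read(uint8_t frame[FRAME_SIZE])
{
    size_t DataSize = BUF_SIZE;
    init_frame(frame);
    EFI_STATUS st = mock_get_variable("DataAddress", &DataSize, frame);
    if (st != EFI_SUCCESS) {
        /* BUG: DataSize now equals the variable's real length, not BUF_SIZE. */
        st = mock_get_variable("DataAddress", &DataSize, frame);
    }
    return ret_smashed(frame);
}

/* Hardened version: EFI_BUFFER_TOO_SMALL means the variable is not the size
 * this code expects, so it is a hard failure rather than a reason to retry,
 * and a successful read must return exactly BUF_SIZE bytes. */
int hardened_read(uint8_t frame[FRAME_SIZE], EFI_STATUS *status)
{
    size_t DataSize = BUF_SIZE;
    init_frame(frame);
    *status = mock_get_variable("DataAddress", &DataSize, frame);
    if (*status == EFI_SUCCESS && DataSize != BUF_SIZE)
        *status = EFI_BUFFER_TOO_SMALL;   /* unexpected size: reject the value */
    return ret_smashed(frame);
}

/* Scenario helpers: store a 0x42-filled DataAddress of var_len bytes, run one
 * reader, and report whether the simulated return address was overwritten. */
int demo_vulnerable(size_t var_len)
{
    uint8_t frame[FRAME_SIZE], payload[VAR_MAX];
    memset(payload, 0x42, sizeof payload);
    store_data_address(payload, var_len);
    return vulnerable_read(frame);
}

int demo_hardened(size_t var_len, EFI_STATUS *status)
{
    uint8_t frame[FRAME_SIZE], payload[VAR_MAX];
    memset(payload, 0x42, sizeof payload);
    store_data_address(payload, var_len);
    return hardened_read(frame, status);
}

int main(void)
{
    EFI_STATUS st;
    printf("16-byte DataAddress, vulnerable: smashed=%d\n", demo_vulnerable(16));
    printf("16-byte DataAddress, hardened:   smashed=%d status=0x%llx\n",
           demo_hardened(16, &st), (unsigned long long)st);
    printf(" 8-byte DataAddress, hardened:   smashed=%d status=0x%llx\n",
           demo_hardened(8, &st), (unsigned long long)st);
    return 0;
}
```

With an 8-byte variable both readers behave identically; with a 16-byte variable the vulnerable reader's second call writes past the buffer and clobbers the sentinel, while the hardened reader never copies anything. If a retry is genuinely wanted (for a transient failure), DataSize must be reset to the buffer size before every attempt, and EFI_BUFFER_TOO_SMALL must still be treated as an error rather than as a hint to grow the copy.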
Credit
This vulnerability was discovered by Zichuan Li (@river-li) from Wuhan University.