Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
126 lines (90 sloc) 12.5 KB

[CLVA-2017-01-001]: Gigabyte BRIX arbitrary System Management Mode code execution

Summary

Cylance identified a vulnerability in the UEFI firmware for the Gigabyte GB-BSi7H-6500 and GB-BXi7-5775 platforms, which could allow arbitrary code execution in System Management Mode (ring -2) by programs running in ring 0.

Product Description

The Gigabyte BRIX is a common Mini-PC Barebone platform (via http://www.gigabyte.us/products/list.aspx?s=47&ck=104).

Affected Products

  • GB-BSi7H-6500 - UEFI firmware version: vF6 (2016/05/18)
  • GB-BXi7-5775 - UEFI firmware version: vF2 (2016/07/19)
  • Vulnerable code is located inside SMM driver: SmiFlash (GUID: BC327DBD-B982-4F55-9F79-056AD7E987C5)

Impact

An attacker can exploit this vulnerability to elevate privileges, execute arbitrary code in System Management Mode, and install a backdoor to the system at a firmware level.

Vulnerability Information

  • Cylance Identifier: CLVA-2017-01-001
  • CVE Identifier: CVE-2017-3197

Description

A vulnerability has been identified in one of the software System Management Interrupt (SWSMI) handlers in the UEFI firmware from American Megatrends Inc. (AMI) used in Gigabyte's GB-BSi7H-6500 and GB-BXi7-5775 platforms. The firmware for these models do not use the SPI Protected Ranges (PRx) flash write protection which would prevent an attacker from overwriting the SMRAM and gaining code execution in System Management Mode.

Impact

An attacker can exploit this vulnerability to elevate privileges, execute arbitrary code, and install a backdoor in System Management Mode. Backdoors installed at the SMM level could persist across operating system re-installs. Additionally, this vulnerability could be used to bypass UEFI firmware security mechanisms which would allow an attacker to modify the SPI flash image to infect the image with a rootkit or bootkit.

Attack Scenario

An attacker can send malicious requests to the vulnerable SMI handler from ring-0 (ring-0 execution can be obtained either through a kernel vulnerability or a vulnerable 3rd party driver such as Capcom.sys) to trigger the vulnerability and execute code in System Management Mode (SMM). The code executing in the SMM context can install a persistent rootkit/bootkit in the SPI flash chip which would persist across operating system installations.

Resolution

Gigabyte has released UEFI firmware version F7 to address this issue for the GB-BSi7H-6500 platform. However, the GB-BXi7-5775 is End Of Life (EOL), and therefore may not be receiving an update. Affected users should update the firmware as soon as possible. Firmware updates can be found at Gigabyte's Support Page.

Credit

  • Alex Matrosov, Principal Research Scientist, Cylance

Additional Information

Details for CLVA-2017-01-001

python chipsec_main.py -m tools.smm.smm_ptr -a fuzz,0x25:0x25 
  • Output information from Chipsec SMI fuzzer:
[CHIPSEC] API mode: using CHIPSEC kernel module API
[CHIPSEC] OS      : Windows 10 10.0.14393 AMD64
[CHIPSEC] Platform: Mobile 6th Generation Core Processor (Skylake U)
[CHIPSEC]      VID: 8086
[CHIPSEC]      DID: 1904

[+] loaded chipsec.modules.tools.smm.smm_ptr
[*] running loaded modules ..

[*] running module: chipsec.modules.tools.smm.smm_ptr
[*] Module path: c:\Chipsec\chipsec\modules\tools\smm\smm_ptr.pyc
[*] Module arguments (2):
['fuzz', '0x25:0x25']
[x][ =======================================================================
[x][ Module: A tool to test SMI handlers for pointer validation vulnerabilities
[x][ =======================================================================


[*] Allocated memory buffer (to pass to SMI handlers)       : 0x0000000087773000
[*] Allocated 2nd buffer (address will be in the 1st buffer): 0x0000000087772000

[*] Configuration
    SMI testing mode          : fuzzmore
    Range of SMI codes (B2)   : 0x25:0x25
    Memory buffer pointer     : 0x0000000087773000 (address passed in GP regs to SMI)
    Filling/checking memory?  : YES
      Second buffer pointer   : 0x0000000087772000 (address written to memory buffer)
      Number of bytes to fill : 0x500
      Byte to fill with       : 0x11
    Additional options (can be changed in the source code):
      Fuzzing SMI functions in ECX?          : 1
      Max value of SMI function in ECX       : 0x10
      Max value of SMI data (B3)             : 0x100
      Max offset of the pointer in the buffer: 0x20
      Passing pointer in all GP registers?   : 0
      Default values of the registers        : 0x5A5A5A5A5A5A5A5A
      Dump all register values every SMI     : 0
      Bail on first detection                : 1

[*] >>> Fuzzing SMI handlers..
[*] AX in RAX will be overwridden with values of SW SMI ports 0xB2/0xB3
    DX in RDX will be overwridden with value 0x00B2

[*] Setting values of general purpose registers to 0x5A5A5A5A5A5A5A5A

[*] reloading buffer with PTR at offset 0x0..
[*] writing 0x500 bytes at 0x0000000087773000 -> PTR at +0x0
[*] writing buffer at PA 0x0000000087772000 with 0x500 bytes '�'

[*] fuzzing SMI# 0x25 (data: 0x00)
 >> function (RCX): 0x0000000000000000
    RBX: 0x0000000087773000
    > SMI 25 (data: 00)
    < checking buffers
    contents changed at 0x0000000087773000 +[4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 486, 487, 488, 489, 490, 491, 492, 493, 494, 495, 496, 497, 498, 499, 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 511, 512, 513, 514, 515, 516, 517, 518, 519, 520, 521, 522, 523, 524, 525, 526, 527, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595, 596, 597, 598, 599, 600, 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 619, 620, 621, 622, 623, 624, 625, 626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832, 833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846, 847, 848, 849, 850, 851, 852, 853, 854, 855, 856, 857, 858, 859, 860, 861, 862, 863, 864, 865, 866, 867, 868, 869, 870, 871, 872, 873, 874, 875, 876, 877, 878, 879, 880, 881, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936, 937, 938, 939, 940, 941, 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955, 956, 957, 958, 959, 960, 961, 962, 963, 964, 965, 966, 967, 968, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 995, 996, 997, 998, 999, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068, 1069, 1070, 1071, 1072, 1073, 1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095, 1096, 1097, 1098, 1099, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120, 1121, 1122, 1123, 1124, 1125, 1126, 1127, 1128, 1129, 1130, 1131, 1132, 1133, 1134, 1135, 1136, 1137, 1138, 1139, 1140, 1141, 1142, 1143, 1144, 1145, 1146, 1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154, 1155, 1156, 1157, 1158, 1159, 1160, 1161, 1162, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1195, 1196, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1208, 1209, 1210, 1211, 1212, 1213, 1214, 1215, 1216, 1217, 1218, 1219, 1220, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1230, 1231, 1232, 1233, 1234, 1235, 1236, 1237, 1238, 1239, 1240, 1241, 1242, 1243, 1244, 1245, 1246, 1247, 1248, 1249, 1250, 1251, 1252, 1253, 1254, 1255, 1256, 1257, 1258, 1259, 1260, 1261, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279]
    restoring 0x500 bytes at 0x0000000087773000
[!] DETECTED: SMI# 25 data 0 (rax=5A5A5A5A5A5A5A5A rbx=87773000 rcx=0 rdx=5A5A5A5A5A5A5A5A rsi=5A5A5A5A5A5A5A5A rdi=5A5A5A5A5A5A5A5A)
[!] Potentially bad SMI detected! Stopped fuzing (see FUZZ_BAIL_ON_1ST_DETECT option)
[-] <<< Done: found 1 potential occurrences of unchecked input pointers

CLVA-2017-01-001 Timeline

  • Discovery Date: 2016-12-20
  • Vendor Notification Date: 2017-01-17
  • CERT/CC Contact Date: 2017-01-18
  • Vendor Acknowledgement Date: 2017-02-17
  • Patch Release Date: 2017-03-30
  • Public Disclosure Date: 2017-03-31
You can’t perform that action at this time.