
CVE-2023-34853 PoC — Supermicro motherboards buffer error vulnerability

Associated Vulnerability
Title: Supermicro motherboards buffer error vulnerability (CVE-2023-34853)
Description: Supermicro motherboards are a series of server motherboards from the US company Super Micro Computer (Supermicro). Supermicro motherboards contain a security vulnerability: a buffer overflow that allows a local attacker to hijack control flow by manipulating the SmcSecurityEraseSetupVar variable.
Readme
# CVE-2023-34853
This repository is used to disclose some details about CVE-2023-34853. The vulnerability appears in Supermicro motherboard X12DPG-QR 1.4b and will be fixed in version 1.5.
In the SmcSecureErase module (GUID: 2B7C2FD1-C1CF-AB1D-C3BB-D1D691FB131E) within the BIOS firmware, there is a stack overflow vulnerability at offset 0x2CC2.
The decompiled code believed to contain the vulnerability is as follows:
```c
char __fastcall sub_2C20(int *a1, unsigned __int64 a2)
{
  char v4; // r12
  unsigned __int64 v6; // r15
  __int64 v7; // rbx
  unsigned __int64 v8; // rax
  char *v9; // rsi
  char *v10; // r13
  _WORD *v11; // rax
  char *v12; // rcx
  __int16 i; // dx
  __int64 v14; // rdx
  __int64 v15; // r8
  __int64 v16; // rdx
  __int64 v17; // r8
  __int16 *v18; // rcx
  _BYTE *v19; // rax
  __int64 v20; // rcx
  __int64 v21; // rax
  _BYTE *v22; // rax
  __int64 v23; // rcx
  __int64 v24; // rax
  __int64 v25; // rcx
  __int64 v26; // rdx
  unsigned __int8 v27; // cl
  unsigned __int64 v28; // r14
  unsigned __int8 v29; // r8
  __int64 v30; // rdx
  __int64 v31; // rax
  int v32; // edx
  __int64 v33; // rax
  char v34; // al
  _BYTE *v35; // [rsp+50h] [rbp-B0h] BYREF
  _BYTE *v36; // [rsp+58h] [rbp-A8h] BYREF
  _WORD *v37; // [rsp+60h] [rbp-A0h] BYREF
  __int64 v38; // [rsp+68h] [rbp-98h] BYREF
  __int64 v39[2]; // [rsp+70h] [rbp-90h] BYREF   -- DataSize passed to GetVariable
  char v40[112]; // [rsp+80h] [rbp-80h] BYREF
  char v41[1680]; // [rsp+F0h] [rbp-10h] BYREF   -- fixed-size stack buffer for the variable data
  char v42[5376]; // [rsp+780h] [rbp+680h] BYREF
  char v44; // [rsp+1CA0h] [rbp+1BA0h]
  int v45; // [rsp+1CA8h] [rbp+1BA8h] BYREF

  v39[0] = 0i64;
  v44 = 0;
  v37 = 0i64;
  v4 = 0;
  // First call: DataSize (v39) is 0, so GetVariable returns EFI_BUFFER_TOO_SMALL
  // (0x8000000000000005) and writes the variable's actual size back into v39.
  if ( (*(__int64 (__fastcall **)(__int16 *, __int64 *, _QWORD, __int64 *, _QWORD))(gRT->GetVariable))(
         aSmcsecurityera, &VendorGuid, 0i64, v39, 0i64) != 0x8000000000000005ui64 )
    return 0;
  v6 = 0i64;
  // Second call: v39 now holds the variable's length, but v41 is a fixed 1680-byte
  // stack buffer and v39 is never checked against sizeof(v41) before the copy.
  v7 = (*(__int64 (__fastcall **)(__int16 *, __int64 *, _QWORD, __int64 *, char *))(gRT->GetVariable))(
         aSmcsecurityera, &VendorGuid, 0i64, v39, v41);
  return v4;
}
```
If "SmcSecurityEraseSetupVar" is set to a long string, the first call to GetVariable updates v39 (DataSize) to the length of the stored variable. The second call to GetVariable then copies that many bytes into v41, a fixed-size stack buffer, which results in a stack buffer overflow. An attacker with local privileged access can use this vulnerability to escalate from ring 3 or ring 0 (depending on the operating system) into a DXE runtime UEFI application and execute arbitrary code.
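The two-call GetVariable pattern and the missing bound check, as an added example that is not part of this repository or Supermicro's firmware: `mock_get_variable`, `set_variable_for_demo` and the 8192-byte backing store are assumptions standing in for the UEFI runtime service, and only the 1680-byte buffer size and the EFI_BUFFER_TOO_SMALL status come from the decompiled code above.

```c
#include <stdint.h>
#include <string.h>
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 0x8000000000000005ULL
#define SETUPVAR_BUF_SIZE    1680   /* size of the stack buffer v41 in the decompiled code */
/* Constructed stand-in for the NVRAM-backed variable; not real UEFI or Supermicro code. */
static uint8_t  g_var_data[8192];
static uint64_t g_var_size;

void set_variable_for_demo(uint64_t size) {
    g_var_size = size;
    memset(g_var_data, 'A', size);
}

/* Models gRT->GetVariable(): when *data_size is too small it stores the required size
   and returns EFI_BUFFER_TOO_SMALL; otherwise it copies the data and stores its length. */
static uint64_t mock_get_variable(uint64_t *data_size, void *data) {
    if (*data_size < g_var_size || data == NULL) {
        *data_size = g_var_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(data, g_var_data, g_var_size);
    *data_size = g_var_size;
    return EFI_SUCCESS;
}

/* The pattern from sub_2C20 minus the final copy: the probe call overwrites data_size with
   the variable's real length, and that value is what the second call would be given.
   Returns that length; anything above SETUPVAR_BUF_SIZE would smash the stack. */
uint64_t vulnerable_copy_length(void) {
    uint64_t data_size = 0;
    if (mock_get_variable(&data_size, NULL) != EFI_BUFFER_TOO_SMALL)
        return 0;
    return data_size;
}

/* Hardened version: the length reported by the probe is checked against the caller's
   buffer before the second call, so oversized variable data is rejected instead of copied. */
int read_setup_var_hardened(uint8_t *out, uint64_t out_cap, uint64_t *out_len) {
    uint64_t data_size = 0;
    if (mock_get_variable(&data_size, NULL) != EFI_BUFFER_TOO_SMALL)
        return -1;   /* variable absent or unexpected status */
    if (data_size > out_cap)
        return -2;   /* the bound check sub_2C20 lacks */
    if (mock_get_variable(&data_size, out) != EFI_SUCCESS)
        return -1;
    *out_len = data_size;
    return 0;
}
```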

Finally, special thanks to Supermicro's security department for their continuous follow-up.