Show Notes

158 - i.MX Secure Boot Bypass and a Hancom Office Underflow

When a docx parser encounters an end element, it assumes the pointer to the start element is already available and attempts to operate on it, leading to an out of bounds access immediate before the buffer.

What Talos found here was that when Hancom Office 2020 Hword was provided a malformed docx with a </w:p> before any opening <w:p> tag the parser would assume opening tag was already parsed and attempt to access it, then call one of the object’s methods. With some heap grooming an attacker could potential gain control of the pointer in memory where Hword expects the start object to be and obtain an arbitrary call primitive.

A post by NCCGroup which covers an older vulnerability in NXP .iMX High Assurance Boot (HAB). A bit of background is helpful for understanding the bug and it’s impact.

Background The idea behind High Assurance Boot is that all software running on the SOC is verified by the root of trust, starting with the bootROM. The second stage boot image (u-boot) relies on two files read from non-volatile storage (NVS), the Device Configuration Data (DCD) and the Command Sequence File (CSF). While these files are signed and validated eventually, it seems some commands are executed using the DCD/CSF before they’re verified in the u-boot Secondary Program Loader (SPL).

Vulnerability While the fact that there’s a window where unvalidated data can be used and read from the DCD and CSF for reads/writes is design issue in and of itself, an allow-list is enforced to try to restrict writes to peripheral register regions only necessary for supporting boot time configuration. The problem is, this allow-list also permits writes to the memory region the second stage loader is executing from. An attacker can thus modify the executing loader and patch authentication failure handling logic or insert other unauthorized code to run. It’s worth noting you would need the ability to write to NVS as an attacker, so impact is limited; but it’s still valid considering the threat model for root of trust and trying to prevent unauthorized code from attackers with physical access or high level software access.

} }