Show Notes

198 - TOCTOUs in Intel SMM and Shannon Baseband Bugs

Effectively, a double-fetch vulnerability in Intel SMM’s SMI handler that could allow a local attacker to escelate into System manage Mode. It recieves a CommBuffer that contains a Data pointer and a size value. This data is attacker controlled, so the first thing it does is some bounds checking to ensure that the buffer entirely stays within user memory and doesn’t point into SMRAM (the SMM’s memory).

Once this check has passed, it creates a local copy of the data and proceeds to find the correct handler for the command. The SPI_FUNCTION_FLASH_READ handler ends up using the Data pointer from the external user-controlled buffer, meaning an attack could modify the pointer between the bounds check being performed and the actual useage of it in the command handler, allowing them to point the buffer or expand the buffer size into SMM memory and corrupt it.

Three hard to exploit (beyond denial of service) out-of-bounds read vulnerabilities in MIT Kerberos V5 but each with a bit of an interest cause.

First issue was in get_mech_set would parse a DER-encoded sequence and return a list of OIDs. In doing so it would iterate over the sequence using i as the iterator. If it was successfully able to parse out the OID, it would end up accessing the returned_mechSet->elements[i].length value, if it was unsuccessful it would just skip this access and continue on. However, if it was unsuccessful, elements[i] wouldn’t end up being created/added, i as the iterator for the for loop would be incremented all the same though. So the next run, if it was successful the number of elements in elements would be off from the index the loop is trying to access. Provide multiple failed instances and the index will go far beyond the actual bounds.

The second and third issues have very similar root causes, atleast at the logical level, and both happen ing_verify_neg_token_init. As with the first issue, it is parsing DER encoded data. In both cases, it reads a value from the buffer, increments the buffer forward, but does not adjust the value that reflects the remaining buffer. For the second issue this happens when the length of the item is zero, which is valid for DER encoded entities, For the third issue, it reads the type/tag byte and doesn’t decrement the remaining space.

This was a fun authorization check bypass because when checking if higher privileges were needed the flag value was checked for equality with the two privileged actions. Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set. So a value with a unused bit set could have the privileged action bit set, without being exactly equal to the privileged act.

This also allowed an attacker to hit a use-after-free situation, utimately caused by two different locks being used to control access to the same object.

This was a fun authorization check bypass because when checking if higher privileges were needed the flag value was checked for equality with the two privileged actions. Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set. So a value with a unused bit set could have the privileged action bit set, without being exactly equal to the privileged act.

This also allowed an attacker to hit a use-after-free situation, utimately caused by two different locks being used to control access to the same object.