In this long read, we will discuss the vulnerability present in the 32-bit and 64-bit versions of the Howyar UEFI (Unified Extensible Firmware Interface) Application "Reloader." The flaw, assigned the identifier CVE-2024-7344, allows unsigned software located at a hardcoded path to be executed. This post provides a detailed analysis of the vulnerability, walks you through the code snippet responsible for the issue, and supplies links to original references and further resources. Let's dive in!
The Howyar UEFI Application "Reloader" serves as a bootloader for modern computer systems, bridging the gap between the firmware and the operating system. The vulnerability in question revolves around the improper validation of software signatures, which can lead to unauthorized execution of unsigned software. The implications of this vulnerability range from potentially granting attackers unauthorized access to a system to the purposeful execution of malicious code.
Code Snippet
Through the examination of the source code, we can identify the portion responsible for this vulnerability. The following code snippet reveals the issue:
    if (HARD_CODED_PATH != NULL) {
        // Load the executable from the hardcoded path
        Status = LoadExecutable(HARD_CODED_PATH, &ImageHandle);
        if (!EFI_ERROR(Status)) {
            // Execute the loaded image
            Status = StartImage(ImageHandle);
        }
    }
This code shows that if HARD_CODED_PATH is non-null, the application loads the executable from that hardcoded path. It then checks the status returned by LoadExecutable() and, if the load succeeded, executes the loaded image with StartImage().
Unfortunately, there is no validation for the image signature in the current implementation. Consequently, the UEFI application is susceptible to executing unauthorized, unsigned software in the hardcoded path.
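For contrast with the snippet above, here is a hardened version of the same load-then-start flow, written as an added example and not taken from Howyar's code. The UEFI types are workstation stand-ins, ReloadHardened, BootWith, the allow and deny lists and the sample file contents are hypothetical, and the FNV-1a digest is only a placeholder for a real hash-and-signature check.

```c
#include <stddef.h>
#include <stdint.h>

/* Off-target stand-ins for UEFI types so the flow compiles on a workstation. */
typedef int EFI_STATUS;
enum { EFI_SUCCESS = 0, EFI_NOT_FOUND = 1, EFI_SECURITY_VIOLATION = 2 };
typedef struct { const uint8_t *Data; size_t Size; } IMAGE;

/* Constructed sample contents of the file at the hardcoded path. */
static const uint8_t kVendorImage[]  = "vendor-signed-payload";
static const uint8_t kSwappedImage[] = "replaced-unsigned-payload";

static int gStartCount; /* number of images that actually got executed */

/* FNV-1a, a toy digest standing in for the real hash-and-signature check. */
static uint32_t Digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

static int InList(uint32_t d, const uint32_t *List, size_t Count) {
    for (size_t i = 0; i < Count; i++)
        if (List[i] == d) return 1;
    return 0;
}

static EFI_STATUS StartImage(const IMAGE *Img) { (void)Img; gStartCount++; return EFI_SUCCESS; }

/* Hardened flow: verify between load and start, deny-list first, fail closed. */
EFI_STATUS ReloadHardened(const IMAGE *Img, const uint32_t *Allow, size_t nAllow,
                          const uint32_t *Deny, size_t nDeny) {
    if (Img == NULL || Img->Data == NULL) return EFI_NOT_FOUND;
    uint32_t d = Digest(Img->Data, Img->Size);
    if (InList(d, Deny, nDeny) || !InList(d, Allow, nAllow))
        return EFI_SECURITY_VIOLATION;   /* StartImage is never reached */
    return StartImage(Img);
}

/* Boots one file against an allow-list holding only the vendor image. */
EFI_STATUS BootWith(const uint8_t *File, size_t Size, int VendorRevoked) {
    uint32_t vendor = Digest(kVendorImage, sizeof kVendorImage);
    IMAGE img = { File, Size };
    return ReloadHardened(&img, &vendor, 1, &vendor, VendorRevoked ? 1 : 0);
}

int main(void) {
    return BootWith(kSwappedImage, sizeof kSwappedImage, 0) == EFI_SECURITY_VIOLATION ? 0 : 1;
}
```

On real firmware with Secure Boot enabled, the UEFI boot services LoadImage() and StartImage() apply the platform's image verification policy, so a loader that routes every image through them gets this gate without implementing its own.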
Exploit Details
To exploit this vulnerability, an attacker first identifies the hardcoded path present in the system. The attacker can then replace the existing signed software with their malicious unsigned software, which the UEFI Reloader application will execute on system start. The resulting consequences can include unauthorized access to the system or the installation and execution of malware or other nefarious activities.
Original References & Further Resources
1. Unified Extensible Firmware Interface (UEFI) Specification - https://uefi.org/specifications
2. CVE Details (CVE-2024-7344) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7344
Conclusion
In conclusion, this long read aimed to provide details on the CVE-2024-7344 vulnerability in the Howyar UEFI Application "Reloader" and shed light on its potential impact on affected systems. It is crucial for users and administrators utilizing this application to apply security patches and follow best practices to mitigate this vulnerability and protect their systems from potential attacks.
Timeline
Published on: 01/14/2025 14:15:34 UTC
Last modified on: 01/14/2025 17:15:20 UTC