UNISOC BootROM Privilege Escalation Vulnerability
Vulnerability
A vulnerability in the UNISOC BootROM has been identified that allows local privilege escalation. The issue arises from an unchecked command index in recovery mode and can be exploited by an adversary with physical access to the device. It could lead to arbitrary code execution within the BootROM context, potentially allowing a persistent backdoor into the device's secure boot chain.
Impact
Exploitation of this vulnerability could result in unauthorized access to elevated privileges within the BootROM, undermining the device's secure boot process and potentially allowing for the installation of persistent, undetectable malware.
Reproduction
The vulnerability can be reproduced by sending a command with an index greater than 4 over USB or UART while the device is in recovery mode, which is entered by holding a specific button during power-up. Because the command index is not range-checked, such a command can be used to execute arbitrary code within the BootROM.
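The bug class behind this advisory, as an added illustration that is not UNISOC's BootROM code: a hypothetical recovery-mode dispatcher with five command handlers (indices 0..4) shown first with the index taken straight from the link as a table subscript, then with the bounds and length checks that reject out-of-range indices before any table access. The frame layout ([index][len][payload]) and the handler names are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical recovery-mode command dispatcher, constructed to illustrate
 * the defect described above; it is not UNISOC's BootROM code. */
#define CMD_COUNT       5    /* valid command indices are 0..4 */
#define CMD_MAX_PAYLOAD 64

typedef int (*cmd_handler_t)(const uint8_t *payload, size_t len);

/* Each stub handler returns its own index so dispatch results are checkable. */
static int cmd0(const uint8_t *p, size_t n) { (void)p; (void)n; return 0; }
static int cmd1(const uint8_t *p, size_t n) { (void)p; (void)n; return 1; }
static int cmd2(const uint8_t *p, size_t n) { (void)p; (void)n; return 2; }
static int cmd3(const uint8_t *p, size_t n) { (void)p; (void)n; return 3; }
static int cmd4(const uint8_t *p, size_t n) { (void)p; (void)n; return 4; }

static const cmd_handler_t cmd_table[CMD_COUNT] = { cmd0, cmd1, cmd2, cmd3, cmd4 };

/* Constructed frame layout on the USB/UART link: [index][len][payload...] */

/* Vulnerable pattern: the index byte from the link subscripts cmd_table with
 * no range check, so an index of 5 or more reads whatever follows the table
 * in ROM as a function pointer and jumps to it. Never call this with an
 * out-of-range index; it is here only to show the defect. */
int dispatch_unchecked(const uint8_t *frame, size_t frame_len) {
    if (frame_len < 2) return -1;
    return cmd_table[frame[0]](frame + 2, frame[1]);
}

/* Hardened pattern: validate index and length before touching the table. */
int dispatch_checked(const uint8_t *frame, size_t frame_len) {
    if (frame_len < 2) return -1;                  /* header missing */
    uint8_t idx = frame[0];
    uint8_t len = frame[1];
    if (idx >= CMD_COUNT) return -2;               /* index out of range */
    if (len > CMD_MAX_PAYLOAD) return -3;          /* payload too large */
    if ((size_t)len + 2 != frame_len) return -3;   /* declared length mismatch */
    return cmd_table[idx](frame + 2, len);
}
```

Note the comparison is `>=` rather than `>`: checking `idx > 4` is correct here, but an implementation that compares against the table size with `>` instead of `>=` reintroduces the same off-by-one read past the table.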
