Bitdefender Napoca Hypervisor Out-of-Bounds Write Vulnerability in BIOS INT 0x15 E820 Memory Map Handler
Vulnerability
An out-of-bounds write vulnerability has been identified in the Bitdefender Napoca bare-metal hypervisor. The issue arises in the BIOS INT 0x15 / E820 memory map handler, where the destination offset for writing into the guest RealModeMemory buffer is calculated based on guest-controlled register values. This calculation lacks proper validation, allowing a malicious guest operating in real mode to write up to 20 bytes beyond the allocated 1MB RealModeMemory limit, into the hypervisor heap. The vulnerability can be triggered by invoking INT 0x15 with specific register values, including AX=0xE820, EDX=0x534D4150, ECX of 20 or more, EBX=0, ES=0xFFFF, and EDI=0xFFFF.
Impact
Exploitation of this vulnerability leads to an out-of-bounds write, causing data to be written into the hypervisor heap beyond the allocated memory buffer.
Reproduction
To reproduce this vulnerability, a guest operating in real mode must invoke BIOS interrupt 0x15 with the AX register set to 0xE820. The EDX register should be set to 0x534D4150, indicating a request for memory map information. The ECX register must be set to 20 or greater, while the EBX register should be 0. The ES register must be set to 0xFFFF, and the EDI register to 0xFFFF. This combination of register values triggers the out-of-bounds write, overwriting hypervisor heap memory.
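As an added illustration, not code from the advisory or from the Napoca project, the kind of destination check an E820 handler needs: a validation that only compares the ES:EDI start address against the buffer limit accepts a start whose 20-byte entry spills past the end, while validating the whole [start, start + length) range rejects it. The buffer size (1 MiB, taken from the advisory), the offset arithmetic and the function names are assumptions, not Napoca's actual handler code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the advisory): the guest's RealModeMemory buffer
 * is exactly 1 MiB and one E820 entry is 20 bytes, the write size the
 * advisory gives. The arithmetic below is illustrative, not Napoca's
 * real handler. */
#define REAL_MODE_MEMORY_SIZE (1u << 20)   /* 1 MiB */
#define E820_ENTRY_SIZE       20u

/* Real-mode segment:offset to linear address, (ES << 4) + EDI, computed in
 * 64 bits so the sum cannot wrap. Both registers come from the guest's
 * register state, so both values are attacker-controlled. */
static uint64_t real_mode_linear(uint16_t es, uint32_t edi)
{
    return ((uint64_t)es << 4) + edi;
}

/* Flawed validation (hypothetical): checks only that the first byte of the
 * destination is inside the buffer, ignoring how many bytes get written. */
bool e820_dest_ok_start_only(uint16_t es, uint32_t edi)
{
    return real_mode_linear(es, edi) < REAL_MODE_MEMORY_SIZE;
}

/* Corrected validation: the whole [start, start + len) range must fit.
 * Subtracting len first avoids any overflow in start + len. */
bool e820_dest_ok_range(uint16_t es, uint32_t edi, uint32_t len)
{
    uint64_t start = real_mode_linear(es, edi);
    return len <= REAL_MODE_MEMORY_SIZE && start <= REAL_MODE_MEMORY_SIZE - len;
}

int main(void)
{
    /* Last valid start for a 20-byte entry: 0xFFFEC = ES 0xFFFE, EDI 0x000C. */
    printf("0xFFFEC start: range check %s\n",
           e820_dest_ok_range(0xFFFE, 0x000C, E820_ENTRY_SIZE) ? "ok" : "rejected");
    /* One byte later the entry would spill past 1 MiB. */
    printf("0xFFFED start: range check %s\n",
           e820_dest_ok_range(0xFFFE, 0x000D, E820_ENTRY_SIZE) ? "ok" : "rejected");
    /* A start-only check wrongly accepts a start at the very last byte. */
    printf("0xFFFFF start: start-only %s, range %s\n",
           e820_dest_ok_start_only(0xFFFF, 0x000F) ? "ok" : "rejected",
           e820_dest_ok_range(0xFFFF, 0x000F, E820_ENTRY_SIZE) ? "ok" : "rejected");
    return 0;
}
```

With a 1 MiB buffer the advisory's ES=0xFFFF, EDI=0xFFFF destination (linear 0x10FFEF) lies past the limit, so a correct range check rejects it outright.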