lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 10 Dec 2007 21:11:31 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Filesystem access in DOSBox 0.72


#######################################################################

                             Luigi Auriemma

Application:  DOSBox
              http://dosbox.sourceforge.net
Versions:     <= 0.72 and current CVS
Platforms:    Windows, Linux, *BSD and Mac
Bug:          access to the filesystem
Exploitation: local
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DOSBox is an excellent emulator for running software written for the
DOS environment like programs and games (moreover abandonware games
which are very used today).


#######################################################################

======
2) Bug
======


DOSBox acts as a virtual machine in which the filesystem is limited to
the folders that the user decides to mount as virtual drives and any
instruction is emulated within DOSBox without accessing the external
resources and memory.
So practically the emulated DOS program can work only inside this
"cage" (that's also why is possible to run viruses and malware without
problems for the system).

Anyway although these limitations exists a very simple way to gain
access to the entire real filesystem (so not only the virtual one)
because the MOUNT command used by DOSBox for mounting the real folders
as virtual drives can be called just by the same emulated program.

In short if the program executes system("mount x c:\"); it gains
read/write access to the C: disk where is then possible to modify
all the files on which the user has access (like for example placing
the execution of a program at the next reboot or substituiting a valid
executable with a custom one).

MOUNT is not the only DOSBox related command available (check the Z:
disk) but is the only one which has a real security impact if executed.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/dosboxxx.zip


#######################################################################

======
4) Fix
======


The developers don't think this can be considered a security problem
while in my opinion doing something outside the environment created by
the virtual machine must be considered a risk.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ