RE: [Bug 1313194] Re: Bochs Multiple Vulnerabilities
Is the CVE number 13131943? Just need to confirm.

Thanks,
Mollie

-----Original Message-----
From: boun...@canonical.com [mailto:boun...@canonical.com] On Behalf Of Dmitry Janushkevich
Sent: Saturday, May 10, 2014 1:16 AM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

In reply to #10: Please feel free to do so. Just a note, though -- I am not affiliated with the Bochs project in any way, just passing by. ;-) But as commits are now public, there is no point in holding the advisory, I guess.

Thanks

-- 
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  Incomplete

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013
  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/
  Repro File(s): repro1.bxrc, repro2.bxrc

  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written in C++ that runs on most popular platforms. It includes emulation of the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be compiled to emulate many different x86 CPUs, from the early 386 to the most recent x86-64 Intel and AMD processors, which may not even have reached the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files (configuration): a format string vulnerability and a stack corruption vulnerability. Both of these could potentially allow an attacker to execute arbitrary code in the context of the user running Bochs.

  Technical Details

  I tested Bochs by running bochs.exe -q -f [bxrc-file].

  The first one is a format string vulnerability (repro1.bxrc) when Bochs parses the “floppya” field:

  The second vulnerability (repro2.bxrc) occurs when Bochs parses the “romimage” field. See debugging output below for more info.

  Debugging (repro2.bxrc, Stack Corruption)

  STATUS_STACK_BUFFER_OVERRUN encountered
  (10c4.1ee8): Break instruction exception - code 8003 (first chance)
  *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
  *** WARNING: Unable to verify checksum for image0040
  *** ERROR: Module load completed but symbols could not be loaded for image0040
  eax= ebx=0001 ecx=7535beec edx=002b esi= edi=
  eip=753d1d1a esp=0013f23c ebp=0013f2b8 iopl=0 nv up ei pl zr na pe nc
  cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=0246
  KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3:
  753d1d1a cc int 3
  0:000> kv
  ChildEBP RetAddr Args to Child
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0013f2b8 00625f00 006d5144 73bb7ca5 8c44835a KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3
  0013f5ec 0040525e 0002 image0040+0x225f00
  0013f6c8 7783b49a 01fb0e10 01fcf204 7783b59b image0040+0x525e
  0013f6f8 7783b0a1 c7e382ef 0018 ntdll!RtlLogStackBackTrace+0x66d
  0013f7b0 006268c4 0013f814 0013f7dc ntdll!RtlLogStackBackTrace+0x274
  0013f7c0 0062e6de 0013f814 04a62f28 043cbde0 image0040+0x2268c4
  0013f7e0 00625b11 00723c38 0013fae1 image0040+0x22e6de
  0013f7f0 00625b9d 7783fbcd 043c image0040+0x225b11
  0013fae1 00656761 6c696620 42243d65 41485358 image0040+0x225b9d
  0013fae5 6c696620 42243d65 41485358 422f4552 image0040+0x256761
  0013fae9 42243d65 41485358 422f4552 2d534f49 0x6c696620
  0013faed 41485358 422f4552 2d534f49 68636f62 0x42243d65
  0013faf1 422f4552 2d534f49 68636f62 616c2d73 0x41485358
  0013faf5 2d534f49 68636f62 616c2d73 74736574 0x422f4552
  0013faf9 68636f62 616c2d73 74736574 6970616d 0x2d534f49
  0013fafd 616c2d73 74736574 6970616d 422f2f3a 0x68636f62
  0013fb01 74736574 6970616d 422f2f3a 42424242 0x616c2d73
  0013fb05 6970616d 422f2f3a 42424242 42424242 0x74736574
  0013fb09 422f2f3a 42424242 42424242 42424242 0x6970616d
  0013fb0d 42424242 42424242 42424242 42424242 0x422f2f3a
  0013fb11 42424242 42424242 42424242 42424242 0x42424242
  0013fb15 42424242 42424242 42424242 42424242 0x42424242
  0013fb19 42424242 42424242 42424242 42424242 0x42424242
  0013fb1d 42424242 42424242 42424242 42424242 0x42424242
  0013fb21 42424242 42424242 42424242 42424242 0x42424242
  0013fb25 42424242 42424242 42424242 42424242 0x42424242
  0013fb29 42424242 42424242 42424242 42424242 0x42424242
  0013fb2d 42424242 42424242 42424242 42424242 0x42424242
  0013fb31 42424242 42424242 42424242 42424242 0x42424242
  0013fb35 42424242 42424242 42424242 42424242 0x42424242
  0013fb39 42424
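The report above names a format string defect in the floppya parser and a stack overflow in the romimage parser, and the ASCII in the dumped frames spells out a romimage file= value followed by runs of 0x42 bytes. As an added example (not Bochs code and not the upstream fix), here is a hardened parser for those two bxrc directives that refuses over-long values instead of copying them and quotes untrusted text only as a printf argument; BXRC_PATH_MAX, the function names and the sample lines are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BXRC_PATH_MAX 512   /* assumed size of the fixed path buffers */

typedef enum { BXRC_OK = 0, BXRC_ERR_SYNTAX, BXRC_ERR_UNKNOWN_DIRECTIVE,
               BXRC_ERR_TOO_LONG } bxrc_status;

typedef struct {
    char floppya_path[BXRC_PATH_MAX];
    char romimage_file[BXRC_PATH_MAX];
    char last_error[160];
} bxrc_config;

/* Copy an untrusted value into a fixed-size buffer. A value that does not
   fit together with its NUL terminator is refused and nothing is written,
   instead of running past the end of the buffer as an unbounded copy would. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (n >= dst_size)
        return false;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Record a diagnostic that quotes untrusted text. The text is only ever the
   argument of a "%.*s" conversion, never the format string itself, so "%n"
   or "%x" sequences inside it are copied as ordinary characters. */
static void set_error(bxrc_config *cfg, const char *what, const char *text, size_t n)
{
    snprintf(cfg->last_error, sizeof cfg->last_error, "%s: '%.*s'", what, (int)n, text);
}

/* Parse one "directive: key=value, key=value" line for the two directives
   named in the report. On floppya, any key other than status= names the image. */
bxrc_status bxrc_parse_line(bxrc_config *cfg, const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) {
        set_error(cfg, "missing ':' in line", line, strlen(line));
        return BXRC_ERR_SYNTAX;
    }
    size_t dlen = (size_t)(colon - line);
    bool is_romimage = (dlen == 8 && strncmp(line, "romimage", 8) == 0);
    bool is_floppya = (dlen == 7 && strncmp(line, "floppya", 7) == 0);
    if (!is_romimage && !is_floppya) {
        set_error(cfg, "unknown directive", line, dlen);
        return BXRC_ERR_UNKNOWN_DIRECTIVE;
    }
    const char *p = colon + 1;
    for (;;) {
        while (*p == ' ' || *p == ',')
            p++;                                   /* skip separators */
        if (*p == '\0')
            return BXRC_OK;
        size_t klen = strcspn(p, "=,");
        if (p[klen] != '=') {
            set_error(cfg, "parameter without '='", p, klen);
            return BXRC_ERR_SYNTAX;
        }
        const char *val = p + klen + 1;
        size_t vlen = strcspn(val, ",");
        char *dst = NULL;
        if (is_romimage && klen == 4 && strncmp(p, "file", 4) == 0)
            dst = cfg->romimage_file;
        else if (is_floppya && !(klen == 6 && strncmp(p, "status", 6) == 0))
            dst = cfg->floppya_path;
        if (dst != NULL && !copy_bounded(dst, BXRC_PATH_MAX, val, vlen)) {
            set_error(cfg, "value too long for key", p, klen);
            return BXRC_ERR_TOO_LONG;
        }
        p = val + vlen;
    }
}
```

Feeding it a constructed "romimage: file=$BXSHARE/BIOS-bochs-latest" line stores the path, while a 512-byte file= value is rejected with BXRC_ERR_TOO_LONG and the buffer is left untouched.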
[Bug 1313194] Re: Bochs Multiple Vulnerabilities
Hello,

Could someone tell me if Microsoft is clear for releasing an advisory on this? We would like to acknowledge our finder (without releasing full details) on our acknowledgements page.

Thanks!
Mollie

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bochs/+bug/1313194/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
RE: [Bug 1313194] Re: Bochs Multiple Vulnerabilities
Thanks so much! Can you clear us for releasing an advisory on this issue acknowledging our finder?

Mollie

-----Original Message-----
From: boun...@canonical.com [mailto:boun...@canonical.com] On Behalf Of Dmitry Janushkevich
Sent: Tuesday, May 6, 2014 5:00 AM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Reportedly fixed by upstream via the two commits.

#1: http://sourceforge.net/p/bochs/code/12305/
#2: http://sourceforge.net/p/bochs/code/12301/

Would be nice if the reporter could verify the fixes.
RE: [Bug 1313194] Re: Bochs Multiple Vulnerabilities
Hello there! Thanks much for taking a look at this, very much appreciated. More info attached. No CVE as yet, though I'd love to get one. Have been attempting to contact Bochs for months.

Mollie

-----Original Message-----
From: boun...@canonical.com [mailto:boun...@canonical.com] On Behalf Of Seth Arnold
Sent: Monday, April 28, 2014 11:04 PM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Mollie, thanks for forwarding this report; do you know if the issue is strictly a matter of a properly constructed image file, or is this something that could be influenced from "inside" the system being emulated? Do you know if the example PoC files are available? Do you know if this has been reported to upstream Bochs developers? Do you know if any CVE numbers have been assigned?

Thanks

** Information type changed from Private Security to Public Security
RE: [Bug 1313194] Re: Bochs Multiple Vulnerabilities
From finder: I don’t think this could be triggered from within the emulated system (e.g. guest-to-host escape), but I didn’t look further into that. Its primary attack vector that I describe in the report is loading a guest with a malformed bxrc file, which may be what he’s indirectly referring to as the image file.

Mollie
[Bug 1313194] Re: Bochs Multiple Vulnerabilities
Response from our finder:

I’ve seen that they’ve replied to this bug and deemed it not a security issue. I don’t agree with that, as their reason is they’re saying bxrc is a config file. Of course it is, but it’s part of the packaging for a virtual machine. Example: if I packaged up a test.img with a malicious test.bxrc, got a user to download my TestOS package and run it in Bochs, the target could be exploited. I don’t see much difference between a VMware VMX file and a Bochs BXRC file; both are VM config files, and if these issues were present in VMware’s parsing of a VMX file, they’d treat it (as they have in the past) as a serious security issue:

http://osvdb.com/search/search?search%5Bvuln_title%5D=vmware+vmx&search%5Btext_type%5D=alltext&search%5Brefid%5D=&search%5Breferencetypes%5D=&kthx=search
[Bug 1313194] Re: Bochs Multiple Vulnerabilities
Here's another try at the PoC:

** Attachment added: "1313194"
   https://bugs.launchpad.net/ubuntu/+source/bochs/+bug/1313194/+attachment/4103888/+files/MSVR%20Vulnerability%20Report%20Bochs%20Multiple%20Vulnerabilities.docx
RE: [Bug 1313194] Re: Bochs Multiple Vulnerabilities
Security researcher acknowledgement

Hello,

I'm writing to let you know that the security researcher acknowledgement for the issue we recently reported to you is now up at http://technet.microsoft.com/en-US/dn613815

Thank you again for tending to our report in a timely manner.

Mollie
MSVR

-----Original Message-----
From: boun...@canonical.com [mailto:boun...@canonical.com] On Behalf Of Seth Arnold
Sent: Friday, May 9, 2014 3:25 PM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Mollie, please feel free to publish; however, I still believe that someone who does not inspect a .bxrc before using it is running larger risks due to the intentional features of the file format rather than the unintentional bugs found and disclosed here. The similar report on OSVDB for VMware Player expresses a similar sentiment:

  EMC VMware Player contains a flaw that may allow a local denial of service. The issue is triggered when a user loads a .vmx file containing an ide1:0.fileName parameter with an overly long value, and will result in loss of availability for the VMware instance. However, for an attacker to gain access and edit the .vmx file, it would require a level of access that would allow a wide variety of attacks. This level of access is considered to be trusted and not readily available to someone looking to launch this type of attack.

From http://osvdb.com/show/osvdb/27524.

Thanks