From finder:

I don’t think this could be triggered from within the emulated system
(e.g. guest-to-host escape), but I didn’t look further into that. Its
primary attack vector that I describe in the report is loading a guest
with a malformed bxrc file, which may be what he’s indirectly referring
to as the image file.

Mollie

-----Original Message-----
From: boun...@canonical.com [mailto:boun...@canonical.com] On Behalf Of Seth Arnold
Sent: Monday, April 28, 2014 11:04 PM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Mollie, thanks for forwarding this report; do you know if the issue is
strictly a matter of properly constructed image file or is this
something that could be influenced from "inside" the system being
emulated?

Do you know if the example PoC files are available? Do you know if this
has been reported to upstream Bochs developers? Do you know if any CVE
numbers have been assigned?

Thanks

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  New

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013

  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

  Repro File(s): repro1.bxrc, repro2.bxrc

  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written
  in C++, that runs on most popular platforms. It includes emulation of
  the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be
  compiled to emulate many different x86 CPUs, from early 386 to the
  most recent x86-64 Intel and AMD processors, which may not even have
  reached the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files
  (configuration), a format string vulnerability and a stack corruption
  vulnerability. Both of these could potentially allow an attacker to
  execute arbitrary code in the context of the user running Bochs.

  Technical Details

  I tested Bochs by running bochs.exe -q -f [bxrc-file]. The first one
  is a format string vulnerability (repro1.bxrc) when bochs parses the
  “floppya” field:

  The second vulnerability (repro2.bxrc) occurs when bochs parses the
  “romimage” field. See debugging output below for more info.

  Debugging (repro2.bxrc, Stack Corruption)

  STATUS_STACK_BUFFER_OVERRUN encountered
  (10c4.1ee8): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
  *** WARNING: Unable to verify checksum for image00400000
  *** ERROR: Module load completed but symbols could not be loaded for image00400000
  eax=00000000 ebx=00000001 ecx=7535beec edx=0000002b esi=00000000 edi=00000000
  eip=753d1d1a esp=0013f23c ebp=0013f2b8 iopl=0         nv up ei pl zr na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
  KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3:
  753d1d1a cc              int     3
  0:000> kv
  ChildEBP RetAddr  Args to Child              
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0013f2b8 00625f00 006d5144 73bb7ca5 8c44835a KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3
  0013f5ec 0040525e 00000000 00000002 00000000 image00400000+0x225f00
  0013f6c8 7783b49a 01fb0e10 01fcf204 7783b59b image00400000+0x525e
  0013f6f8 7783b0a1 c7e382ef 00180000 00000000 ntdll!RtlLogStackBackTrace+0x66d
  0013f7b0 006268c4 0013f814 00000000 0013f7dc ntdll!RtlLogStackBackTrace+0x274
  0013f7c0 0062e6de 0013f814 04a62f28 043cbde0 image00400000+0x2268c4
  0013f7e0 00625b11 00000000 00723c38 0013fae1 image00400000+0x22e6de
  0013f7f0 00625b9d 7783fbcd 043c0000 00000000 image00400000+0x225b11
  0013fae1 00656761 6c696620 42243d65 41485358 image00400000+0x225b9d
  0013fae5 6c696620 42243d65 41485358 422f4552 image00400000+0x256761
  0013fae9 42243d65 41485358 422f4552 2d534f49 0x6c696620
  0013faed 41485358 422f4552 2d534f49 68636f62 0x42243d65
  0013faf1 422f4552 2d534f49 68636f62 616c2d73 0x41485358
  0013faf5 2d534f49 68636f62 616c2d73 74736574 0x422f4552
  0013faf9 68636f62 616c2d73 74736574 6970616d 0x2d534f49
  0013fafd 616c2d73 74736574 6970616d 422f2f3a 0x68636f62
  0013fb01 74736574 6970616d 422f2f3a 42424242 0x616c2d73
  0013fb05 6970616d 422f2f3a 42424242 42424242 0x74736574
  0013fb09 422f2f3a 42424242 42424242 42424242 0x6970616d
  0013fb0d 42424242 42424242 42424242 42424242 0x422f2f3a
  0013fb11 42424242 42424242 42424242 42424242 0x42424242
  0013fb15 42424242 42424242 42424242 42424242 0x42424242
  0013fb19 42424242 42424242 42424242 42424242 0x42424242
  0013fb1d 42424242 42424242 42424242 42424242 0x42424242
  0013fb21 42424242 42424242 42424242 42424242 0x42424242
  0013fb25 42424242 42424242 42424242 42424242 0x42424242
  0013fb29 42424242 42424242 42424242 42424242 0x42424242
  0013fb2d 42424242 42424242 42424242 42424242 0x42424242
  0013fb31 42424242 42424242 42424242 42424242 0x42424242
  0013fb35 42424242 42424242 42424242 42424242 0x42424242
  0013fb39 42424242 42424242 42424242 42424242 0x42424242
  0013fb3d 42424242 42424242 42424242 42424242 0x42424242
  0013fb41 42424242 42424242 42424242 42424242 0x42424242
  0013fb45 42424242 42424242 42424242 42424242 0x42424242
  0013fb49 42424242 42424242 42424242 42424242 0x42424242
  0013fb4d 42424242 42424242 42424242 42424242 0x42424242
  0013fb51 42424242 42424242 42424242 42424242 0x42424242
  0013fb55 42424242 42424242 42424242 42424242 0x42424242
  0013fb59 42424242 42424242 42424242 42424242 0x42424242
  0013fb5d 42424242 42424242 42424242 42424242 0x42424242
  0013fb61 42424242 42424242 42424242 42424242 0x42424242
  0013fb65 42424242 42424242 42424242 42424242 0x42424242
  0013fb69 42424242 42424242 42424242 42424242 0x42424242
  0013fb6d 42424242 42424242 42424242 42424242 0x42424242
  0013fb71 42424242 42424242 42424242 42424242 0x42424242
  0013fb75 42424242 42424242 42424242 42424242 0x42424242
  0013fb79 42424242 42424242 42424242 42424242 0x42424242
  0013fb7d 42424242 42424242 42424242 42424242 0x42424242
  0013fb81 42424242 42424242 42424242 42424242 0x42424242
  0013fb85 42424242 42424242 42424242 42424242 0x42424242
  0013fb89 42424242 42424242 42424242 42424242 0x42424242
  0013fb8d 42424242 42424242 42424242 42424242 0x42424242
  0013fb91 42424242 42424242 42424242 42424242 0x42424242
  0013fb95 42424242 42424242 42424242 42424242 0x42424242
  0013fb99 42424242 42424242 42424242 42424242 0x42424242
  0013fb9d 42424242 42424242 42424242 42424242 0x42424242
  0013fba1 42424242 42424242 42424242 42424242 0x42424242
  0013fba5 42424242 42424242 42424242 42424242 0x42424242
  0013fba9 42424242 42424242 42424242 42424242 0x42424242
  0013fbad 42424242 42424242 42424242 42424242 0x42424242
  0013fbb1 42424242 42424242 42424242 42424242 0x42424242
  0013fbb5 42424242 42424242 42424242 42424242 0x42424242
  0013fbb9 42424242 42424242 42424242 42424242 0x42424242
  0013fbbd 42424242 42424242 42424242 42424242 0x42424242
  0013fbc1 42424242 42424242 42424242 42424242 0x42424242
  0013fbc5 42424242 42424242 42424242 42424242 0x42424242
  0013fbc9 42424242 42424242 42424242 42424242 0x42424242
  0013fbcd 42424242 42424242 42424242 42424242 0x42424242
  0013fbd1 42424242 42424242 42424242 42424242 0x42424242
  0013fbd5 42424242 42424242 42424242 42424242 0x42424242
  0013fbd9 42424242 42424242 42424242 42424242 0x42424242
  0013fbdd 42424242 42424242 42424242 42424242 0x42424242
  0013fbe1 42424242 42424242 42424242 42424242 0x42424242
  0013fbe5 42424242 42424242 42424242 42424242 0x42424242
  0013fbe9 42424242 42424242 42424242 42424242 0x42424242
  0013fbed 42424242 42424242 42424242 42424242 0x42424242
  0013fbf1 42424242 42424242 42424242 42424242 0x42424242
  0013fbf5 42424242 42424242 42424242 42424242 0x42424242
  0013fbf9 42424242 42424242 42424242 42424242 0x42424242
  0013fbfd 42424242 42424242 42424242 42424242 0x42424242
  0013fc01 42424242 42424242 42424242 42424242 0x42424242
  0013fc05 42424242 42424242 42424242 42424242 0x42424242
  0013fc09 42424242 42424242 42424242 42424242 0x42424242
  0013fc0d 42424242 42424242 42424242 42424242 0x42424242
  0013fc11 42424242 42424242 42424242 42424242 0x42424242
  0013fc15 42424242 42424242 42424242 42424242 0x42424242
  0013fc19 42424242 42424242 42424242 42424242 0x42424242
  0013fc1d 42424242 42424242 42424242 42424242 0x42424242
  0013fc21 42424242 42424242 42424242 42424242 0x42424242
  0013fc25 42424242 42424242 42424242 42424242 0x42424242
  0013fc29 42424242 42424242 42424242 42424242 0x42424242
  0013fc2d 42424242 42424242 42424242 42424242 0x42424242
  0013fc31 42424242 42424242 42424242 42424242 0x42424242
  0013fc35 42424242 42424242 42424242 42424242 0x42424242
  0013fc39 42424242 42424242 42424242 42424242 0x42424242
  0013fc3d 42424242 42424242 42424242 42424242 0x42424242
  0013fc41 42424242 42424242 42424242 42424242 0x42424242
  0013fc45 42424242 42424242 42424242 42424242 0x42424242
  0013fc49 42424242 42424242 42424242 42424242 0x42424242
  0013fc4d 42424242 42424242 42424242 42424242 0x42424242
  0013fc51 42424242 42424242 42424242 42424242 0x42424242
  0013fc55 42424242 42424242 42424242 42424242 0x42424242
  0013fc59 42424242 42424242 42424242 42424242 0x42424242
  0013fc5d 42424242 42424242 42424242 42424242 0x42424242
  0013fc61 42424242 42424242 42424242 42424242 0x42424242
  0013fc65 42424242 42424242 42424242 42424242 0x42424242
  0013fc69 42424242 42424242 42424242 42424242 0x42424242
  0013fc6d 42424242 42424242 42424242 42424242 0x42424242
  0013fc71 42424242 42424242 42424242 42424242 0x42424242
  0013fc75 42424242 42424242 42424242 42424242 0x42424242
  0013fc79 42424242 42424242 42424242 42424242 0x42424242
  0013fc7d 42424242 42424242 42424242 42424242 0x42424242
  0013fc81 42424242 42424242 42424242 42424242 0x42424242
  0013fc85 42424242 42424242 42424242 42424242 0x42424242
  0013fc89 42424242 42424242 42424242 42424242 0x42424242
  0013fc8d 42424242 42424242 42424242 42424242 0x42424242
  0013fc91 42424242 42424242 42424242 42424242 0x42424242
  0013fc95 42424242 42424242 42424242 42424242 0x42424242
  0013fc99 42424242 42424242 42424242 42424242 0x42424242
  0013fc9d 42424242 42424242 42424242 42424242 0x42424242
  0013fca1 42424242 42424242 42424242 42424242 0x42424242
  0013fca5 42424242 42424242 42424242 42424242 0x42424242
  0013fca9 42424242 42424242 42424242 42424242 0x42424242
  0013fcad 42424242 42424242 42424242 42424242 0x42424242
  0013fcb1 42424242 42424242 42424242 42424242 0x42424242
  0013fcb5 42424242 42424242 42424242 42424242 0x42424242
  0013fcb9 42424242 42424242 42424242 42424242 0x42424242
  0013fcbd 42424242 42424242 42424242 42424242 0x42424242
  0013fcc1 42424242 42424242 42424242 42424242 0x42424242
  0013fcc5 42424242 42424242 42424242 42424242 0x42424242
  0013fcc9 42424242 42424242 42424242 42424242 0x42424242
  0013fccd 42424242 42424242 42424242 43000042 0x42424242
  0013fcd1 42424242 42424242 43000042 73555c3a 0x42424242
  0013fcd5 42424242 43000042 73555c3a 5c737265 0x42424242
  0013fcd9 43000042 73555c3a 5c737265 6272656a 0x42424242
  0013fcdd 73555c3a 5c737265 6272656a 6e776f72 0x43000042
  0013fce1 5c737265 6272656a 6e776f72 4445522e 0x73555c3a
  0013fce5 6272656a 6e776f72 4445522e 444e4f4d 0x5c737265
  0013fce9 6e776f72 4445522e 444e4f4d 7365445c 0x6272656a
  0013fced 4445522e 444e4f4d 7365445c 706f746b 0x6e776f72
  0013fcf1 444e4f4d 7365445c 706f746b 7065725c 0x4445522e
  0013fcf5 7365445c 706f746b 7065725c 2e326f72 0x444e4f4d
  0013fcf9 706f746b 7065725c 2e326f72 63727862 0x7365445c
  0013fcfd 7065725c 2e326f72 63727862 0000313a 0x706f746b
  0013fd01 2e326f72 63727862 0000313a 04043c00 0x7065725c
  0013fd05 63727862 0000313a 04043c00 00000000 0x2e326f72
  0013fd09 00000000 04043c00 00000000 28000000 0x63727862

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bochs/+bug/1313194/+subscriptions

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313194

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
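Editor's note: the repro files are not attached to the bug, so the following is a constructed C example added here, not Bochs's parser and not the MSVR repro. It models the two bug classes the report names (a bxrc value used as a printf format string when handling "floppya", and an unbounded copy of the "romimage" file= path into a fixed-size stack buffer), each beside a hardened version, and drives the hardened path with inputs shaped like the trace above (a long run of 'B' characters after file=). The field syntax follows bochsrc ("floppya: 1_44=..., status=inserted" and "romimage: file=..., address=0xf0000"); ROMIMAGE_PATH_MAX, the BXRC_* return codes and the sample lines are assumptions made for this example.

```c
/* Constructed example, not Bochs's code: a minimal bxrc line handler showing
 * the two bug classes from the MSVR report next to hardened versions.
 * Buffer size, error codes and sample lines are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define ROMIMAGE_PATH_MAX 64     /* assumed fixed-size stack buffer */
#define BXRC_OK            0
#define BXRC_ETOOLONG     -1
#define BXRC_EBADFIELD    -2

/* ---- Vulnerable patterns, kept for contrast only; never run on untrusted input ---- */

/* CWE-134: the floppya value read from the file *is* the format string, so a
 * value such as 1_44=%n%n%n is interpreted by snprintf instead of printed. */
void log_floppya_vulnerable(char *out, size_t outsz, const char *value)
{
    snprintf(out, outsz, value);
}

/* CWE-121: unbounded copy of file= into a fixed stack buffer. A value longer
 * than ROMIMAGE_PATH_MAX overwrites the stack; a /GS build aborts with
 * STATUS_STACK_BUFFER_OVERRUN, which is what the repro2.bxrc trace shows. */
int parse_romimage_vulnerable(const char *value)
{
    char path[ROMIMAGE_PATH_MAX];
    strcpy(path, value);
    return (int)strlen(path);
}

/* ---- Hardened versions ---- */

/* Untrusted text is always an argument, never the format. */
static int log_floppya_safe(char *out, size_t outsz, const char *value)
{
    return snprintf(out, outsz, "floppya: %s", value);
}

/* Length is checked against the destination before anything is copied. */
static int parse_romimage_safe(const char *value, char *path, size_t pathsz)
{
    size_t n = strlen(value);
    if (n >= pathsz)
        return BXRC_ETOOLONG;
    memcpy(path, value, n + 1);
    return BXRC_OK;
}

/* Locate "key=" in a bxrc line; the value runs to the next ',' or end of line. */
static const char *bxrc_field(const char *line, const char *key, size_t *len)
{
    const char *p = strstr(line, key);
    if (!p)
        return NULL;
    p += strlen(key);
    const char *end = strchr(p, ',');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Handle one bxrc line with the hardened routines; `out` receives the log text. */
int bxrc_handle_line(const char *line, char *out, size_t outsz)
{
    char value[512], path[ROMIMAGE_PATH_MAX];
    int is_rom = strncmp(line, "romimage:", 9) == 0;
    int is_fda = strncmp(line, "floppya:", 8) == 0;
    size_t len;
    const char *v = is_rom ? bxrc_field(line, "file=", &len)
                  : is_fda ? bxrc_field(line, "1_44=", &len) : NULL;
    if (!v)
        return BXRC_EBADFIELD;
    if (len >= sizeof value)
        return BXRC_ETOOLONG;
    memcpy(value, v, len);
    value[len] = '\0';
    if (is_rom) {
        int rc = parse_romimage_safe(value, path, sizeof path);
        if (rc != BXRC_OK)
            return rc;
        snprintf(out, outsz, "romimage: %s", path);
        return BXRC_OK;
    }
    log_floppya_safe(out, outsz, value);
    return BXRC_OK;
}

/* Constructed inputs modelled on the report (not the actual repro files). */
int check_romimage_overlong(void)
{
    char line[400] = "romimage: file=", out[256];
    memset(line + strlen(line), 'B', 300);   /* 300 x 'B', like the 0x42424242 runs */
    strcat(line, ", address=0xf0000");
    return bxrc_handle_line(line, out, sizeof out);           /* BXRC_ETOOLONG */
}

int check_romimage_ok(void)
{
    char out[256];
    return bxrc_handle_line("romimage: file=$BXSHARE/BIOS-bochs-latest, address=0xf0000",
                            out, sizeof out);                  /* BXRC_OK */
}

/* Format directives inside the value must survive as literal text. */
int check_floppya_literal(void)
{
    char out[256];
    int rc = bxrc_handle_line("floppya: 1_44=%n%n%n%s, status=inserted", out, sizeof out);
    return rc == BXRC_OK && strcmp(out, "floppya: %n%n%n%s") == 0;   /* 1 */
}

int main(void)
{
    printf("overlong romimage -> %d, sane romimage -> %d, floppya kept literal -> %d\n",
           check_romimage_overlong(), check_romimage_ok(), check_floppya_literal());
    return 0;
}
```

The two vulnerable functions are never called: they are there to show the shape a code reviewer should look for in any config parser (a non-literal format string, and a strcpy/sprintf into a fixed array with no length check). For Seth's question about the attack surface: in this model the only input is the bxrc text, which matches Mollie's reading that the vector is a malformed configuration file rather than anything the guest can influence.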
