#######################################################################
Luigi Auriemma
Application: DOSBox
http://dosbox.sourceforge.net
Versions: <= 0.72 and current CVS
Platforms: Windows, Linux, *BSD and Mac
Bug: access to the filesystem
Exploitation: local
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
DOSBox is an excellent emulator for running software written for the
DOS environment, such as programs and games (including abandonware
games, which are still widely used today).
#######################################################################
======
2) Bug
======
DOSBox acts as a virtual machine in which the filesystem is limited to
the folders that the user decides to mount as virtual drives, and every
instruction is emulated within DOSBox without accessing external
resources or memory.
So in practice the emulated DOS program can work only inside this
"cage" (that's also why it is possible to run viruses and malware without
problems for the host system).
Despite these limitations, there is a very simple way to gain access
to the entire real filesystem (not only the virtual one): the MOUNT
command used by DOSBox for mounting real folders as virtual drives can
be called by the emulated program itself.
In short, if the program executes system("mount x c:\"); it gains
read/write access to the C: disk, where it is then possible to modify
all the files the user has access to (for example, arranging for a
program to be executed at the next reboot or substituting a custom
executable for a valid one).
MOUNT is not the only DOSBox-related command available (check the Z:
drive), but it is the only one with a real security impact if executed.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/dosboxxx.zip
#######################################################################
======
4) Fix
======
The developers don't think this can be considered a security problem,
while in my opinion doing something outside the environment created by
the virtual machine must be considered a risk.
#######################################################################
---
Luigi Auriemma
http://aluigi.org