Bochs Multiple Vulnerabilities

Bug #1313194 reported by Mollie
Affects: bochs (Ubuntu) | Status: Expired | Importance: Undecided | Assigned to: Unassigned

Bug Description

MSVR Vulnerability Report

Discovered by: Jeremy Brown (jerbrown) of ReSP
Date: 06-17-2013

Title: Bochs Multiple Vulnerabilities
Product: Bochs PC Emulator
Version: 2.6.2 (latest)
URL: http://bochs.sourceforge.net
Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

Repro File(s): repro1.bxrc, repro2.bxrc

Product Description

Bochs is a highly portable open source IA-32 (x86) PC emulator written in C++ that runs on most popular platforms. It includes emulation of the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be compiled to emulate many different x86 CPUs, from the early 386 to the most recent x86-64 Intel and AMD processors, some of which may not even have reached the market yet.

Vulnerability Description

Two vulnerabilities were found in Bochs’s parsing of bxrc files (configuration), a format string vulnerability and a stack corruption vulnerability. Both of these could potentially allow an attacker to execute arbitrary code in the context of the user running Bochs.

Technical Details

I tested Bochs by running bochs.exe -q -f [bxrc-file]. The first one is a format string vulnerability (repro1.bxrc) when bochs parses the “floppya” field:

The second vulnerability (repro2.bxrc) occurs when bochs parses the “romimage” field. See debugging output below for more info.

Debugging (repro2.bxrc, Stack Corruption)

STATUS_STACK_BUFFER_OVERRUN encountered
(10c4.1ee8): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
eax=00000000 ebx=00000001 ecx=7535beec edx=0000002b esi=00000000 edi=00000000
eip=753d1d1a esp=0013f23c ebp=0013f2b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3:
753d1d1a cc int 3
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013f2b8 00625f00 006d5144 73bb7ca5 8c44835a KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3
0013f5ec 0040525e 00000000 00000002 00000000 image00400000+0x225f00
0013f6c8 7783b49a 01fb0e10 01fcf204 7783b59b image00400000+0x525e
0013f6f8 7783b0a1 c7e382ef 00180000 00000000 ntdll!RtlLogStackBackTrace+0x66d
0013f7b0 006268c4 0013f814 00000000 0013f7dc ntdll!RtlLogStackBackTrace+0x274
0013f7c0 0062e6de 0013f814 04a62f28 043cbde0 image00400000+0x2268c4
0013f7e0 00625b11 00000000 00723c38 0013fae1 image00400000+0x22e6de
0013f7f0 00625b9d 7783fbcd 043c0000 00000000 image00400000+0x225b11
0013fae1 00656761 6c696620 42243d65 41485358 image00400000+0x225b9d
0013fae5 6c696620 42243d65 41485358 422f4552 image00400000+0x256761

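The two bug classes the report names (a romimage value that corrupts the stack, and a floppya value that reaches a format string) both come down to how an option line's values are copied and logged. The following is an added example, not Bochs's parser or any code from the report: a bounded parser for a bxrc-style option line that fails closed on overlong values and only ever logs a value as an argument to a fixed format string. The buffer sizes, struct names and function names are assumptions.

```c
/*
 * Bounded parser for a bxrc-style option line, e.g.
 *   romimage: file=$BXSHARE/BIOS-bochs-latest, address=0xfffe0000
 *   floppya: 1_44=a.img, status=inserted
 * Constructed illustration of the two bug classes named in the report
 * (unbounded copy of a value into a fixed stack buffer; user-controlled
 * text used as a printf format). It is NOT Bochs's parser; the limits
 * and names below are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BX_KEY_LEN    32   /* assumed: option keyword such as "romimage" */
#define BX_NAME_LEN   32   /* assumed: parameter name such as "file"     */
#define BX_PATH_LEN   512  /* assumed: longest accepted value/path       */
#define BX_MAX_PARAMS 8

typedef struct { char name[BX_NAME_LEN]; char value[BX_PATH_LEN]; } bx_param_t;
typedef struct { char key[BX_KEY_LEN]; bx_param_t params[BX_MAX_PARAMS]; int nparams; } bx_option_t;

/* Copy exactly len bytes into dst[cap] and NUL-terminate. Fails closed on
 * empty or overlong input instead of overflowing or silently truncating
 * (a truncated path would make the emulator load the wrong file). */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (len == 0 || len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Report a bad value. The value is always an *argument* to a fixed format
 * string; the format-string bug would be fprintf(stderr, value). */
void bx_report_bad_value(const char *key, const char *name, const char *value)
{
    fprintf(stderr, "bxrc: invalid %s parameter '%s': %s\n", key, name, value);
}

/* Parse "key: name=value, name=value" into *out. Returns 0 on success,
 * -1 on malformed input or on any field exceeding its buffer. */
int bx_parse_option_line(const char *line, bx_option_t *out)
{
    memset(out, 0, sizeof *out);
    while (isspace((unsigned char)*line)) line++;
    const char *colon = strchr(line, ':');
    if (!colon) return -1;
    size_t klen = (size_t)(colon - line);
    while (klen && isspace((unsigned char)line[klen - 1])) klen--;
    if (copy_bounded(out->key, sizeof out->key, line, klen)) return -1;

    const char *p = colon + 1;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        const char *end = strchr(p, ',');               /* next parameter */
        size_t rawlen = end ? (size_t)(end - p) : strlen(p);
        size_t plen = rawlen;
        while (plen && isspace((unsigned char)p[plen - 1])) plen--;
        const char *eq = memchr(p, '=', plen);
        if (!eq || out->nparams >= BX_MAX_PARAMS) return -1;
        bx_param_t *prm = &out->params[out->nparams];
        size_t nlen = (size_t)(eq - p);
        if (copy_bounded(prm->name, sizeof prm->name, p, nlen)) return -1;
        if (copy_bounded(prm->value, sizeof prm->value, eq + 1, plen - nlen - 1)) {
            bx_report_bad_value(out->key, prm->name, "value missing or too long");
            return -1;
        }
        out->nparams++;
        p = end ? end + 1 : p + rawlen;
    }
    return out->nparams ? 0 : -1;
}

/* Build "romimage: file=BBBB...B" with a path of pathlen bytes (constructed
 * input) and return 1 if the parser rejects it, 0 if it accepts it. */
int bx_overlong_path_rejected(size_t pathlen)
{
    char *line = malloc(pathlen + 32);
    if (!line) return 0;
    size_t n = (size_t)sprintf(line, "romimage: file=");
    memset(line + n, 'B', pathlen);
    line[n + pathlen] = '\0';
    bx_option_t opt;
    int rejected = bx_parse_option_line(line, &opt) != 0;
    free(line);
    return rejected;
}

int main(void)
{
    bx_option_t opt;
    const char *ok = "romimage: file=$BXSHARE/BIOS-bochs-latest, address=0xfffe0000\n";
    if (bx_parse_option_line(ok, &opt) == 0)
        printf("%s -> %s (%d params)\n", opt.key, opt.params[0].value, opt.nparams);
    /* A value made of conversion specifiers is just bytes to this parser. */
    bx_parse_option_line("floppya: 1_44=%s%s%n%x, status=inserted", &opt);
    printf("floppya 1_44 value kept literally: %s\n", opt.params[0].value);
    printf("600-byte path rejected: %d\n", bx_overlong_path_rejected(600));
    return 0;
}
```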
Celso Providelo (cprov)
affects: launchpad → bochs (Ubuntu)
Mollie (msvr)
information type: Public → Private Security
Seth Arnold (seth-arnold) wrote :

Mollie, thanks for forwarding this report; do you know if the issue is strictly a matter of a properly constructed image file, or is this something that could be influenced from "inside" the system being emulated?

Do you know if the example PoC files are available? Do you know if this has been reported to upstream Bochs developers? Do you know if any CVE numbers have been assigned?

Thanks

information type: Private Security → Public Security
Mollie (msvr) wrote : RE: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Hello there! Thanks much for taking a look at this, very much appreciated.

More info attached.

No CVE as yet, though I'd love to get one.

Have been attempting to contact Bochs for months.

Mollie

Mollie (msvr) wrote :

From finder:

I don’t think this could be triggered from within the emulated system (e.g. a guest-to-host escape), but I didn’t look further into that. Its primary attack vector that I describe in the report is loading a guest with a malformed bxrc file, which may be what he’s indirectly referring to as the image file.

Mollie

Seth Arnold (seth-arnold) wrote :

Thanks for the additional details; I do not think this would be a security problem but rather just regular bugs -- the configuration file is similar to typing command line arguments at the shell, since it can specify writes to any file the user has access to, or pass-through of PCI devices from the host to guests. It would not be appropriate to use a supplied configuration file without inspecting it first.

I've filed a report with upstream bochs bug tracker: https://sourceforge.net/p/bochs/bugs/1347/

Thanks

information type: Public Security → Public
Dmitry Janushkevich (dev-zzo) wrote :

FWIW, the "MSVR Vulnerability Report - Bochs Multiple Vulnerabilities .docx" attachment seems to be broken -- can't download. Probably due to %0A in the file name.

William Grant (wgrant)
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in bochs (Ubuntu):
status: New → Incomplete
Mollie (msvr) wrote :

Response from our finder:

I’ve seen that they’ve replied to this bug and deemed it not a security issue. I don’t agree with that, as their reason is that bxrc is a config file. Of course it is, but it’s part of the packaging for a virtual machine.

Example: If I packaged up a test.img with a malicious test.bxrc, got a user to download my TestOS package and run it in Bochs, the target could be exploited.

I don’t see much difference between a VMware VMX file and a Bochs BXRC file; both are VM config files, and if these issues were present in VMware’s parsing of a VMX file, they’d treat it (as they have in the past) as a serious security issue:

http://osvdb.com/search/search?search%5Bvuln_title%5D=vmware+vmx&search%5Btext_type%5D=alltext&search%5Brefid%5D=&search%5Breferencetypes%5D=&kthx=search

Mollie (msvr) wrote :
  Attachment: 1313194 (48.5 KiB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)

Here's another try at the PoC:

Dmitry Janushkevich (dev-zzo) wrote :

Reportedly fixed by upstream via the two commits.

#1:
http://sourceforge.net/p/bochs/code/12305/

#2:
http://sourceforge.net/p/bochs/code/12301/

Would be nice if the reporter could verify the fixes.

Mollie (msvr) wrote : RE: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Thanks so much! Can you clear us for releasing an advisory on this issue acknowledging our finder?

Mollie

Mollie (msvr) wrote :

Hello,

Could someone tell me if Microsoft is clear for releasing an advisory on this? We would like to acknowledge our finder (without releasing full details) on our acknowledgements page.

Thanks!
Mollie

Seth Arnold (seth-arnold) wrote :

Mollie, please feel free to publish, however I still believe that someone who does not inspect a .bxrc before using it is running larger risks due to the intentional features of the file format rather than the unintentional bugs found and disclosed here. The similar report on OSVDB for VMWare Player expresses a similar sentiment:

    EMC VMware Player contains a flaw that may allow a local denial
    of service. The issue is triggered when a user loads a .vmx
    file containing an ide1:0.fileName parameter with an overly long
    value, and will result in loss of availability for the VMware
    instance. However, for an attacker to gain access and edit the .vmx
    file, it would require a level of access that would allow a wide
    variety of attacks. This level of access is considered to be trusted
    and not readily available to someone looking to launch this type
    of attack.

From http://osvdb.com/show/osvdb/27524.

Thanks

Dmitry Janushkevich (dev-zzo) wrote :

In reply to #10:

Please feel free to do so. Just a note, though -- I am not affiliated with Bochs project in any way, just passing by. ;-) But as commits are now public, there is no point in holding the advisory, I guess.

Thanks

Mollie (msvr) wrote :

Is the CVE number 13131943? Just need to confirm.

Thanks,
Mollie

Seth Arnold (seth-arnold) wrote :

Mollie, no CVE number has been assigned to this issue; 13131943 is the bug number assigned to this Launchpad issue for the bochs package in Ubuntu.

If you wish to request a CVE assignment, the best place to do so is the oss-security mail list: http://oss-security.openwall.org/wiki/mailing-lists/oss-security

A mail to that list with a Subject: of the form "CVE Request: bochs" will be noticed by the CVE assignment staff at MITRE and a number will be assigned shortly if they believe there is a security issue.

Thanks

Mollie (msvr) wrote :

Security researcher acknowledgement

Hello, I'm writing to let you know that the security researcher acknowledgement for the issue we recently reported to you is now up at http://technet.microsoft.com/en-US/dn613815

Thank you again for tending to our report in a timely manner.

Mollie
MSVR

Launchpad Janitor (janitor) wrote :

[Expired for bochs (Ubuntu) because there has been no activity for 60 days.]

Changed in bochs (Ubuntu):
status: Incomplete → Expired