Bochs Multiple Vulnerabilities

Mollie, thanks for forwarding this report; do you know if the issue is strictly a matter of properly constructed image file or is this something that could be influenced from "inside" the system being emulated?

Do you know if the example PoC files are available? Do you know if this has been reported to upstream Bochs developers? Do you know if any CVE numbers have been assigned?

Thanks

Hello there! Thanks much for taking a look at this, very much appreciated.

More info attached.

No CVE as yet, though I'd love to get one.

Have been attempting to contact Bochs for months.

Mollie

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Seth Arnold
Sent: Monday, April 28, 2014 11:04 PM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Mollie, thanks for forwarding this report; do you know if the issue is strictly a matter of properly constructed image file or is this something that could be influenced from "inside" the system being emulated?

Do you know if the example PoC files are available? Do you know if this has been reported to upstream Bochs developers? Do you know if any CVE numbers have been assigned?

Thanks

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  New

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013

  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

  Repro File(s): repro1.bxrc, repro2.bxrc

  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written
  in C++, that runs on most popular platforms. It includes emulation of
  the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be
  compiled to emulate many different x86 CPUs, from early 386 to the
  most recent x86-64 Intel and AMD processors which may even not reached
  the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files
  (configuration), a format string vulnerability and a stack corruption
  vulnerability. Both of these could potentially allow an attacker to
  execute arbitrary code in the context of the user running Bochs.

  Technical Details

  I tested Bochs by running boches.exe -q -f [bxrc-file]. The first one
  is a format string vulnerability (repro1.bxrc) when boches parses the
  “floppya” field:

  The second vulnerability (repro2.bxrc) occurs boches parses the
  “romimage” field. See debugging output below for more info.

  Debugging (repro2.bxrc, Stack Corruption)

  STATUS_STACK_BUFFER_OVERRUN encountered
  (10c4.1ee8): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
  *** WARNING: Unable to verify checksum for image00400000
  *** ERROR: Module load completed but symbols could not be loaded for image00400000
  eax=00000000 ebx=00000001 ecx=7535beec edx=0000002b esi=00000000 edi=00000000
  eip=753d1d1a esp=0013f23c ebp=0013f2b8 iopl=0 nv up ei pl zr na pe nc
  cs=001b s...

From finder:

I don’t think this could be triggered from within the emulated system (eg. guest-to-host escape), but I didn’t look further into that. Its primary attack vector that I describe in the report is loading a guest with a malformed bxrc file, which may be what he’s indirectly referring to as the image file.

Mollie

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Seth Arnold
Sent: Monday, April 28, 2014 11:04 PM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Mollie, thanks for forwarding this report; do you know if the issue is strictly a matter of properly constructed image file or is this something that could be influenced from "inside" the system being emulated?

Do you know if the example PoC files are available? Do you know if this has been reported to upstream Bochs developers? Do you know if any CVE numbers have been assigned?

Thanks

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  New

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013

  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

  Repro File(s): repro1.bxrc, repro2.bxrc

  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written
  in C++, that runs on most popular platforms. It includes emulation of
  the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be
  compiled to emulate many different x86 CPUs, from early 386 to the
  most recent x86-64 Intel and AMD processors which may even not reached
  the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files
  (configuration), a format string vulnerability and a stack corruption
  vulnerability. Both of these could potentially allow an attacker to
  execute arbitrary code in the context of the user running Bochs.

  Technical Details

  I tested Bochs by running boches.exe -q -f [bxrc-file]. The first one
  is a format string vulnerability (repro1.bxrc) when boches parses the
  “floppya” field:

  The second vulnerability (repro2.bxrc) occurs boches parses the
  “romimage” field. See debugging output below for more info.

  Debugging (repro2.bxrc, Stack Corruption)

  STATUS_STACK_BUFFER_OVERRUN encountered
  (10c4.1ee8): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
  *** WARNING: Unable to verify checksum for image00400000
  *** ERROR: Module load completed but symbols could not be loaded for image00400000
  eax=00000000 ebx=00000001 ecx=7535beec edx=000000...

Thanks for the additional details; I do not think this would be a security problem but rather just regular bugs -- the configuration file is similar to typing command line arguments at the shell, since they can specify to write to any file the user has access to, or pass-through PCI devices from the host to guests. It would not be appropriate to use a supplied configuration file without inspecting it first.

I've filed a report with upstream bochs bug tracker: https://sourceforge.net/p/bochs/bugs/1347/

Thanks

FWIW, the "MSVR Vulnerability Report - Bochs Multiple Vulnerabilities .docx" attachment seems to be broken -- can't download. Probably due to %0A in the file name.

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Response from our finder:

I’ve saw that they’re replied to this bug and deemed it not a security issue. I don’t agree with that, as their reason is they’re saying bxrc is a config file. Of course it is, but it’s part of the packaging for a virtual machine.

Example: If I packaged up a test.img with a malicious test.bxrc, got an user to download my TestOS package and run it in Bochs, the target could be exploited.

I don’t see much difference between a VMware VMX file and a Bochs BXRC file, both are vm config files and if these issues were present VMware’s parsing of a VMX file, they’d treat it (as they have in the past) as a serious security issue:

http://osvdb.com/search/search?search%5Bvuln_title%5D=vmware+vmx&search%5Btext_type%5D=alltext&search%5Brefid%5D=&search%5Breferencetypes%5D=&kthx=search

Here's another try at the PoC:

Reportedly fixed by upstream via the two commits.

#1:
http://sourceforge.net/p/bochs/code/12305/

#2:
http://sourceforge.net/p/bochs/code/12301/

Would be nice if the reporter could verify the fixes.

Thanks so much! Can you clear us for releasing an advisory on this issue acknowledging our finder?

Mollie

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Dmitry Janushkevich
Sent: Tuesday, May 6, 2014 5:00 AM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Reportedly fixed by upstream via the two commits.

#1:
http://sourceforge.net/p/bochs/code/12305/

#2:
http://sourceforge.net/p/bochs/code/12301/

Would be nice if the reporter could verify the fixes.

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  Incomplete

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013

  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

  Repro File(s): repro1.bxrc, repro2.bxrc

  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written
  in C++, that runs on most popular platforms. It includes emulation of
  the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be
  compiled to emulate many different x86 CPUs, from early 386 to the
  most recent x86-64 Intel and AMD processors which may even not reached
  the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files
  (configuration), a format string vulnerability and a stack corruption
  vulnerability. Both of these could potentially allow an attacker to
  execute arbitrary code in the context of the user running Bochs.

  Technical Details

  I tested Bochs by running boches.exe -q -f [bxrc-file]. The first one
  is a format string vulnerability (repro1.bxrc) when boches parses the
  “floppya” field:

  The second vulnerability (repro2.bxrc) occurs boches parses the
  “romimage” field. See debugging output below for more info.

  Debugging (repro2.bxrc, Stack Corruption)

  STATUS_STACK_BUFFER_OVERRUN encountered
  (10c4.1ee8): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
  *** WARNING: Unable to verify checksum for image00400000
  *** ERROR: Module load completed but symbols could not be loaded for image00400000
  eax=00000000 ebx=00000001 ecx=7535beec edx=0000002b esi=00000000 edi=00000000
  eip=753d1d1a esp=0013f23c ebp=0013f2b8 iopl=0 nv up ei pl zr na pe nc
  cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3:
  753d1d1a cc int 3
  0:000> kv
  ChildEBP RetAddr Args to Child
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0013f2b8 00625f00 006d5144 73bb7ca5 8...

Hello,

Could someone tell me if Microsoft is clear for releasing an advisory on this? We would like to acknowledge our finder (without releasing full details) on our acknowledgements page.

Thanks!
Mollie

Mollie, please feel free to publish, however I still believe that
someone who does not inspect a .bxrc before using it is running larger
risks due to the intentional features of the file format rather than
the unintentional bugs found and disclosed here. The similar report on
OSVDB for VMWare Player expresses a similar sentiment:

    EMC VMware Player contains a flaw that may allow a local denial
    of service. The issue is triggered when a user loads a .vmx
    file containing an ide1:0.fileName parameter with an overly long
    value, and will result in loss of availability for the the VMware
    instace. However, for an attacker to gain access and edit the .vmx
    file, it would require a level of access that would allow a wide
    variety of attacks. This level of access is considered to be trusted
    and not readily available to someone looking to launch this type
    of attack.

From http://osvdb.com/show/osvdb/27524.

Thanks

In reply to #10:

Please feel free to do so. Just a note, though -- I am not affiliated with Bochs project in any way, just passing by. ;-) But as commits are now public, there is no point in holding the advisory, I guess.

Thanks

Is the CVE number 13131943? Just need to confirm.

Thanks,
Mollie

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Dmitry Janushkevich
Sent: Saturday, May 10, 2014 1:16 AM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

In reply to #10:

Please feel free to do so. Just a note, though -- I am not affiliated with Bochs project in any way, just passing by. ;-) But as commits are now public, there is no point in holding the advisory, I guess.

Thanks

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  Incomplete

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013

  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

  Repro File(s): repro1.bxrc, repro2.bxrc

  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written
  in C++, that runs on most popular platforms. It includes emulation of
  the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be
  compiled to emulate many different x86 CPUs, from early 386 to the
  most recent x86-64 Intel and AMD processors which may even not reached
  the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files
  (configuration), a format string vulnerability and a stack corruption
  vulnerability. Both of these could potentially allow an attacker to
  execute arbitrary code in the context of the user running Bochs.

  Technical Details

  I tested Bochs by running boches.exe -q -f [bxrc-file]. The first one
  is a format string vulnerability (repro1.bxrc) when boches parses the
  “floppya” field:

  The second vulnerability (repro2.bxrc) occurs boches parses the
  “romimage” field. See debugging output below for more info.

  Debugging (repro2.bxrc, Stack Corruption)

  STATUS_STACK_BUFFER_OVERRUN encountered
  (10c4.1ee8): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
  *** WARNING: Unable to verify checksum for image00400000
  *** ERROR: Module load completed but symbols could not be loaded for image00400000
  eax=00000000 ebx=00000001 ecx=7535beec edx=0000002b esi=00000000 edi=00000000
  eip=753d1d1a esp=0013f23c ebp=0013f2b8 iopl=0 nv up ei pl zr na pe nc
  cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3:
  753d1d1a cc int 3
  0:000> kv
  ChildEBP RetAddr Args to Child
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0013f2b8 00625f00 006d5144 73bb7ca5 8c44835a KER...

Mollie, no CVE number has been assigned to this issue; 13131943 is the bug number assigned to this Launchpad issue for the bochs package in Ubuntu.

If you wish to request a CVE assignment, the best place to do so is the oss-security mail list: http://oss-security.openwall.org/wiki/mailing-lists/oss-security

A mail to that list with a Subject: of the form "CVE Request: bochs" will be noticed by the CVE assignment staff at MITRE and a number will be assigned shortly if they believe there is a security issue.

Thanks

Security researcher acknowledgement

Hello, I'm writing to let you know that the security researcher acknowledgement for the issue we recently reported to you is now up at http://technet.microsoft.com/en-US/dn613815

Thank you again for tending to our report in a timely manner.

Mollie
MSVR

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Seth Arnold
Sent: Friday, May 9, 2014 3:25 PM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Mollie, please feel free to publish, however I still believe that someone who does not inspect a .bxrc before using it is running larger risks due to the intentional features of the file format rather than the unintentional bugs found and disclosed here. The similar report on OSVDB for VMWare Player expresses a similar sentiment:

    EMC VMware Player contains a flaw that may allow a local denial
    of service. The issue is triggered when a user loads a .vmx
    file containing an ide1:0.fileName parameter with an overly long
    value, and will result in loss of availability for the the VMware
    instace. However, for an attacker to gain access and edit the .vmx
    file, it would require a level of access that would allow a wide
    variety of attacks. This level of access is considered to be trusted
    and not readily available to someone looking to launch this type
    of attack.

>From http://osvdb.com/show/osvdb/27524.

Thanks

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  Incomplete

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013

  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

  Repro File(s): repro1.bxrc, repro2.bxrc

  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written
  in C++, that runs on most popular platforms. It includes emulation of
  the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be
  compiled to emulate many different x86 CPUs, from early 386 to the
  most recent x86-64 Intel and AMD processors which may even not reached
  the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files
  (configuration), a format string vulnerability and a stack corruption
  vulnerability. Both of these could potentially allow an attacker to
  execute arbitrary code in the context of the user running Bochs.

  Technical Details

  I tested Bochs by running boches.exe -q -f [bxrc-file]. The first one
  is a format string vulnerability (repro1.bxrc) when boches parses the
  “floppya” field:

  The second vulnerability (repro2.bxrc) occurs boches parses the
  “romimage” field. See debugging output below for more info.

 ...

[Expired for bochs (Ubuntu) because there has been no activity for 60 days.]