From finder:

I don’t think this could be triggered from within the emulated system (eg. guest-to-host escape), but I didn’t look further into that. Its primary attack vector that I describe in the report is loading a guest with a malformed bxrc file, which may be what he’s indirectly referring to as the image file.

Mollie

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Seth Arnold
Sent: Monday, April 28, 2014 11:04 PM
To: Microsoft Vulnerability Research
Subject: [Bug 1313194] Re: Bochs Multiple Vulnerabilities

Mollie, thanks for forwarding this report; do you know if the issue is strictly a matter of properly constructed image file or is this something that could be influenced from "inside" the system being emulated?

Do you know if the example PoC files are available? Do you know if this has been reported to upstream Bochs developers? Do you know if any CVE numbers have been assigned?

Thanks

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1313194

Title:
  Bochs Multiple Vulnerabilities

Status in “bochs” package in Ubuntu:
  New

Bug description:
  MSVR Vulnerability Report

  Discovered by: Jeremy Brown (jerbrown) of ReSP
  Date: 06-17-2013

  Title: Bochs Multiple Vulnerabilities
  Product: Bochs PC Emulator
  Version: 2.6.2 (latest)
  URL: http://bochs.sourceforge.net
  Download Link: http://sourceforge.net/projects/bochs/files/bochs/2.6.2/

  Repro File(s): repro1.bxrc, repro2.bxrc




  
  Product Description

  Bochs is a highly portable open source IA-32 (x86) PC emulator written
  in C++, that runs on most popular platforms. It includes emulation of
  the Intel x86 CPU, common I/O devices, and a custom BIOS. Bochs can be
  compiled to emulate many different x86 CPUs, from early 386 to the
  most recent x86-64 Intel and AMD processors which may even not reached
  the market yet.

  Vulnerability Description

  Two vulnerabilities were found in Bochs’s parsing of bxrc files
  (configuration), a format string vulnerability and a stack corruption
  vulnerability. Both of these could potentially allow an attacker to
  execute arbitrary code in the context of the user running Bochs.




  Technical Details

  I tested Bochs by running boches.exe -q -f [bxrc-file]. The first one
  is a format string vulnerability (repro1.bxrc) when boches parses the
  “floppya” field:


  The second vulnerability (repro2.bxrc) occurs boches parses the
  “romimage” field. See debugging output below for more info.


  
  Debugging (repro2.bxrc, Stack Corruption)

  STATUS_STACK_BUFFER_OVERRUN encountered
  (10c4.1ee8): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
  *** WARNING: Unable to verify checksum for image00400000
  *** ERROR: Module load completed but symbols could not be loaded for image00400000
  eax=00000000 ebx=00000001 ecx=7535beec edx=0000002b esi=00000000 edi=00000000
  eip=753d1d1a esp=0013f23c ebp=0013f2b8 iopl=0         nv up ei pl zr na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
  KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3:
  753d1d1a cc              int     3
  0:000> kv
  ChildEBP RetAddr  Args to Child              
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0013f2b8 00625f00 006d5144 73bb7ca5 8c44835a KERNELBASE!DeleteProcThreadAttributeList+0x1a3b3
  0013f5ec 0040525e 00000000 00000002 00000000 image00400000+0x225f00
  0013f6c8 7783b49a 01fb0e10 01fcf204 7783b59b image00400000+0x525e
  0013f6f8 7783b0a1 c7e382ef 00180000 00000000 ntdll!RtlLogStackBackTrace+0x66d
  0013f7b0 006268c4 0013f814 00000000 0013f7dc ntdll!RtlLogStackBackTrace+0x274
  0013f7c0 0062e6de 0013f814 04a62f28 043cbde0 image00400000+0x2268c4
  0013f7e0 00625b11 00000000 00723c38 0013fae1 image00400000+0x22e6de
  0013f7f0 00625b9d 7783fbcd 043c0000 00000000 image00400000+0x225b11
  0013fae1 00656761 6c696620 42243d65 41485358 image00400000+0x225b9d
  0013fae5 6c696620 42243d65 41485358 422f4552 image00400000+0x256761
  0013fae9 42243d65 41485358 422f4552 2d534f49 0x6c696620
  0013faed 41485358 422f4552 2d534f49 68636f62 0x42243d65
  0013faf1 422f4552 2d534f49 68636f62 616c2d73 0x41485358
  0013faf5 2d534f49 68636f62 616c2d73 74736574 0x422f4552
  0013faf9 68636f62 616c2d73 74736574 6970616d 0x2d534f49
  0013fafd 616c2d73 74736574 6970616d 422f2f3a 0x68636f62
  0013fb01 74736574 6970616d 422f2f3a 42424242 0x616c2d73
  0013fb05 6970616d 422f2f3a 42424242 42424242 0x74736574
  0013fb09 422f2f3a 42424242 42424242 42424242 0x6970616d
  0013fb0d 42424242 42424242 42424242 42424242 0x422f2f3a
  0013fb11 42424242 42424242 42424242 42424242 0x42424242
  0013fb15 42424242 42424242 42424242 42424242 0x42424242
  0013fb19 42424242 42424242 42424242 42424242 0x42424242
  0013fb1d 42424242 42424242 42424242 42424242 0x42424242
  0013fb21 42424242 42424242 42424242 42424242 0x42424242
  0013fb25 42424242 42424242 42424242 42424242 0x42424242
  0013fb29 42424242 42424242 42424242 42424242 0x42424242
  0013fb2d 42424242 42424242 42424242 42424242 0x42424242
  0013fb31 42424242 42424242 42424242 42424242 0x42424242
  0013fb35 42424242 42424242 42424242 42424242 0x42424242
  0013fb39 42424242 42424242 42424242 42424242 0x42424242
  0013fb3d 42424242 42424242 42424242 42424242 0x42424242
  0013fb41 42424242 42424242 42424242 42424242 0x42424242
  0013fb45 42424242 42424242 42424242 42424242 0x42424242
  0013fb49 42424242 42424242 42424242 42424242 0x42424242
  0013fb4d 42424242 42424242 42424242 42424242 0x42424242
  0013fb51 42424242 42424242 42424242 42424242 0x42424242
  0013fb55 42424242 42424242 42424242 42424242 0x42424242
  0013fb59 42424242 42424242 42424242 42424242 0x42424242
  0013fb5d 42424242 42424242 42424242 42424242 0x42424242
  0013fb61 42424242 42424242 42424242 42424242 0x42424242
  0013fb65 42424242 42424242 42424242 42424242 0x42424242
  0013fb69 42424242 42424242 42424242 42424242 0x42424242
  0013fb6d 42424242 42424242 42424242 42424242 0x42424242
  0013fb71 42424242 42424242 42424242 42424242 0x42424242
  0013fb75 42424242 42424242 42424242 42424242 0x42424242
  0013fb79 42424242 42424242 42424242 42424242 0x42424242
  0013fb7d 42424242 42424242 42424242 42424242 0x42424242
  0013fb81 42424242 42424242 42424242 42424242 0x42424242
  0013fb85 42424242 42424242 42424242 42424242 0x42424242
  0013fb89 42424242 42424242 42424242 42424242 0x42424242
  0013fb8d 42424242 42424242 42424242 42424242 0x42424242
  0013fb91 42424242 42424242 42424242 42424242 0x42424242
  0013fb95 42424242 42424242 42424242 42424242 0x42424242
  0013fb99 42424242 42424242 42424242 42424242 0x42424242
  0013fb9d 42424242 42424242 42424242 42424242 0x42424242
  0013fba1 42424242 42424242 42424242 42424242 0x42424242
  0013fba5 42424242 42424242 42424242 42424242 0x42424242
  0013fba9 42424242 42424242 42424242 42424242 0x42424242
  0013fbad 42424242 42424242 42424242 42424242 0x42424242
  0013fbb1 42424242 42424242 42424242 42424242 0x42424242
  0013fbb5 42424242 42424242 42424242 42424242 0x42424242
  0013fbb9 42424242 42424242 42424242 42424242 0x42424242
  0013fbbd 42424242 42424242 42424242 42424242 0x42424242
  0013fbc1 42424242 42424242 42424242 42424242 0x42424242
  0013fbc5 42424242 42424242 42424242 42424242 0x42424242
  0013fbc9 42424242 42424242 42424242 42424242 0x42424242
  0013fbcd 42424242 42424242 42424242 42424242 0x42424242
  0013fbd1 42424242 42424242 42424242 42424242 0x42424242
  0013fbd5 42424242 42424242 42424242 42424242 0x42424242
  0013fbd9 42424242 42424242 42424242 42424242 0x42424242
  0013fbdd 42424242 42424242 42424242 42424242 0x42424242
  0013fbe1 42424242 42424242 42424242 42424242 0x42424242
  0013fbe5 42424242 42424242 42424242 42424242 0x42424242
  0013fbe9 42424242 42424242 42424242 42424242 0x42424242
  0013fbed 42424242 42424242 42424242 42424242 0x42424242
  0013fbf1 42424242 42424242 42424242 42424242 0x42424242
  0013fbf5 42424242 42424242 42424242 42424242 0x42424242
  0013fbf9 42424242 42424242 42424242 42424242 0x42424242
  0013fbfd 42424242 42424242 42424242 42424242 0x42424242
  0013fc01 42424242 42424242 42424242 42424242 0x42424242
  0013fc05 42424242 42424242 42424242 42424242 0x42424242
  0013fc09 42424242 42424242 42424242 42424242 0x42424242
  0013fc0d 42424242 42424242 42424242 42424242 0x42424242
  0013fc11 42424242 42424242 42424242 42424242 0x42424242
  0013fc15 42424242 42424242 42424242 42424242 0x42424242
  0013fc19 42424242 42424242 42424242 42424242 0x42424242
  0013fc1d 42424242 42424242 42424242 42424242 0x42424242
  0013fc21 42424242 42424242 42424242 42424242 0x42424242
  0013fc25 42424242 42424242 42424242 42424242 0x42424242
  0013fc29 42424242 42424242 42424242 42424242 0x42424242
  0013fc2d 42424242 42424242 42424242 42424242 0x42424242
  0013fc31 42424242 42424242 42424242 42424242 0x42424242
  0013fc35 42424242 42424242 42424242 42424242 0x42424242
  0013fc39 42424242 42424242 42424242 42424242 0x42424242
  0013fc3d 42424242 42424242 42424242 42424242 0x42424242
  0013fc41 42424242 42424242 42424242 42424242 0x42424242
  0013fc45 42424242 42424242 42424242 42424242 0x42424242
  0013fc49 42424242 42424242 42424242 42424242 0x42424242
  0013fc4d 42424242 42424242 42424242 42424242 0x42424242
  0013fc51 42424242 42424242 42424242 42424242 0x42424242
  0013fc55 42424242 42424242 42424242 42424242 0x42424242
  0013fc59 42424242 42424242 42424242 42424242 0x42424242
  0013fc5d 42424242 42424242 42424242 42424242 0x42424242
  0013fc61 42424242 42424242 42424242 42424242 0x42424242
  0013fc65 42424242 42424242 42424242 42424242 0x42424242
  0013fc69 42424242 42424242 42424242 42424242 0x42424242
  0013fc6d 42424242 42424242 42424242 42424242 0x42424242
  0013fc71 42424242 42424242 42424242 42424242 0x42424242
  0013fc75 42424242 42424242 42424242 42424242 0x42424242
  0013fc79 42424242 42424242 42424242 42424242 0x42424242
  0013fc7d 42424242 42424242 42424242 42424242 0x42424242
  0013fc81 42424242 42424242 42424242 42424242 0x42424242
  0013fc85 42424242 42424242 42424242 42424242 0x42424242
  0013fc89 42424242 42424242 42424242 42424242 0x42424242
  0013fc8d 42424242 42424242 42424242 42424242 0x42424242
  0013fc91 42424242 42424242 42424242 42424242 0x42424242
  0013fc95 42424242 42424242 42424242 42424242 0x42424242
  0013fc99 42424242 42424242 42424242 42424242 0x42424242
  0013fc9d 42424242 42424242 42424242 42424242 0x42424242
  0013fca1 42424242 42424242 42424242 42424242 0x42424242
  0013fca5 42424242 42424242 42424242 42424242 0x42424242
  0013fca9 42424242 42424242 42424242 42424242 0x42424242
  0013fcad 42424242 42424242 42424242 42424242 0x42424242
  0013fcb1 42424242 42424242 42424242 42424242 0x42424242
  0013fcb5 42424242 42424242 42424242 42424242 0x42424242
  0013fcb9 42424242 42424242 42424242 42424242 0x42424242
  0013fcbd 42424242 42424242 42424242 42424242 0x42424242
  0013fcc1 42424242 42424242 42424242 42424242 0x42424242
  0013fcc5 42424242 42424242 42424242 42424242 0x42424242
  0013fcc9 42424242 42424242 42424242 42424242 0x42424242
  0013fccd 42424242 42424242 42424242 43000042 0x42424242
  0013fcd1 42424242 42424242 43000042 73555c3a 0x42424242
  0013fcd5 42424242 43000042 73555c3a 5c737265 0x42424242
  0013fcd9 43000042 73555c3a 5c737265 6272656a 0x42424242
  0013fcdd 73555c3a 5c737265 6272656a 6e776f72 0x43000042
  0013fce1 5c737265 6272656a 6e776f72 4445522e 0x73555c3a
  0013fce5 6272656a 6e776f72 4445522e 444e4f4d 0x5c737265
  0013fce9 6e776f72 4445522e 444e4f4d 7365445c 0x6272656a
  0013fced 4445522e 444e4f4d 7365445c 706f746b 0x6e776f72
  0013fcf1 444e4f4d 7365445c 706f746b 7065725c 0x4445522e
  0013fcf5 7365445c 706f746b 7065725c 2e326f72 0x444e4f4d
  0013fcf9 706f746b 7065725c 2e326f72 63727862 0x7365445c
  0013fcfd 7065725c 2e326f72 63727862 0000313a 0x706f746b
  0013fd01 2e326f72 63727862 0000313a 04043c00 0x7065725c
  0013fd05 63727862 0000313a 04043c00 00000000 0x2e326f72
  0013fd09 00000000 04043c00 00000000 28000000 0x63727862

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bochs/+bug/1313194/+subscriptions