#######################################################################

                             Luigi Auriemma

Application:  DOSBox
              http://dosbox.sourceforge.net
Versions:     <= 0.72 and current CVS
Platforms:    Windows, Linux, *BSD and Mac
Bug:          access to the filesystem
Exploitation: local
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

DOSBox is an excellent emulator for running software written for the
DOS environment, such as programs and games (including abandonware
games, which are still widely played today).

#######################################################################

======
2) Bug
======

DOSBox acts as a virtual machine in which the filesystem is limited to
the folders that the user decides to mount as virtual drives, and every
instruction is emulated inside DOSBox without accessing external
resources or memory. In practice the emulated DOS program can work only
inside this "cage" (which is also why it is possible to run viruses and
malware inside it without consequences for the host system).

Despite these limitations there is a very simple way to gain access to
the entire real filesystem (not only the virtual one): the MOUNT
command, which DOSBox uses to mount real folders as virtual drives, can
be invoked by the emulated program itself.

In short, if the program executes

  system("mount x c:\\");

it gains read/write access to the C: disk, where it can then modify
every file the user has access to (for example scheduling a program to
run at the next reboot, or replacing a legitimate executable with a
custom one).

MOUNT is not the only DOSBox-related command available (check the Z:
drive), but it is the only one with a real security impact if executed.
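As an added triage check (example code written for this page, not part of the advisory and not DOSBox's own code): before running an untrusted DOS program in the emulator, scan it for embedded invocations of the emulator's host-side commands that map a real path into the virtual machine. The script flags the MOUNT pattern the advisory describes; covering IMGMOUNT as well, the file name suffixes it looks at and the sample files it scans are assumptions constructed for the example.

```python
"""Triage scanner (added example, not from the advisory or DOSBox):
flag DOS programs or batch files that embed a DOSBox MOUNT/IMGMOUNT
command pointing at a host path, before they are run in the emulator."""
import re
import tempfile
from pathlib import Path

# Command name, a drive letter, then a host path written either DOS-style
# ("C:\...") or POSIX-style ("/..."). Case-insensitive because the DOS
# shell is. Run on raw bytes so that strings embedded in a compiled
# program (the argument it later hands to system()) are found too.
# Including IMGMOUNT alongside MOUNT is an assumption of this example.
MOUNT_RE = re.compile(
    rb"(?i)\b(IMGMOUNT|MOUNT)\s+([A-Z])\s+((?:[A-Z]:\\|/)[^\s\"'\x00]*)"
)


def find_mount_calls(data: bytes):
    """Return [(offset, command, drive, host_path), ...] for every embedded
    MOUNT/IMGMOUNT invocation found in the given bytes."""
    hits = []
    for m in MOUNT_RE.finditer(data):
        hits.append((
            m.start(),
            m.group(1).upper().decode("ascii"),
            m.group(2).upper().decode("ascii"),
            m.group(3).decode("latin-1"),
        ))
    return hits


def is_root_mount(host_path: str) -> bool:
    """True when the host path is a whole drive ("c:\\") or the filesystem
    root ("/"): the case with the largest impact in the advisory."""
    stripped = host_path.rstrip("\\/")
    return stripped == "" or re.fullmatch(r"(?i)[A-Z]:", stripped) is not None


def scan_tree(root: Path, suffixes=(".exe", ".com", ".bat")):
    """Scan a directory of DOS programs; return {path: hits} for files that
    contain host-mount commands. The suffix list is an assumption."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_mount_calls(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Constructed sample files (not real programs): a benign batch file and
    # a fake executable whose embedded string hands MOUNT to the DOSBox shell.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "GAME.BAT").write_bytes(b"@echo off\r\nGAME.EXE\r\n")
        (root / "GAME.EXE").write_bytes(
            b"MZ" + b"\x00" * 16 + b"mount x c:\\\x00" + b"\x00" * 8
        )
        for path, hits in scan_tree(root).items():
            for off, cmd, drive, host_path in hits:
                sev = "HIGH" if is_root_mount(host_path) else "MEDIUM"
                print(f"{sev} {path} @0x{off:x}: {cmd} {drive} {host_path}")
```

A hit is only a reason to look closer: a program may legitimately contain the word in a help text, and a real dropper can build the command at runtime rather than embed it. The check is cheap, though, and it catches exactly the straightforward case the advisory describes.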
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/dosboxxx.zip

#######################################################################

======
4) Fix
======

The developers don't think this can be considered a security problem,
while in my opinion doing something outside the environment created by
the virtual machine must be considered a risk.

#######################################################################