Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18638
HistoryDec 13, 2007 - 12:00 a.m.

Filesystem access in DOSBox 0.72

2007-12-1300:00:00
vulners.com
17
JSON

#######################################################################

                         Luigi Auriemma

Application: DOSBox
http://dosbox.sourceforge.net
Versions: <= 0.72 and current CVS
Platforms: Windows, Linux, *BSD and Mac
Bug: access to the filesystem
Exploitation: local
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

DOSBox is an excellent emulator for running software written for the
DOS environment like programs and games (moreover abandonware games
which are very used today).

#######################################################################

======
2) Bug

DOSBox acts as a virtual machine in which the filesystem is limited to
the folders that the user decides to mount as virtual drives and any
instruction is emulated within DOSBox without accessing the external
resources and memory.
So practically the emulated DOS program can work only inside this
"cage" (that's also why is possible to run viruses and malware without
problems for the system).

Anyway although these limitations exists a very simple way to gain
access to the entire real filesystem (so not only the virtual one)
because the MOUNT command used by DOSBox for mounting the real folders
as virtual drives can be called just by the same emulated program.

In short if the program executes system("mount x c:\"); it gains
read/write access to the C: disk where is then possible to modify
all the files on which the user has access (like for example placing
the execution of a program at the next reboot or substituiting a valid
executable with a custom one).

MOUNT is not the only DOSBox related command available (check the Z:
disk) but is the only one which has a real security impact if executed.

#######################################################################

===========
3) The Code

http://aluigi.org/poc/dosboxxx.zip

#######################################################################

======
4) Fix

The developers don't think this can be considered a security problem
while in my opinion doing something outside the environment created by
the virtual machine must be considered a risk.

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON