From mboxrd@z Thu Jan 1 00:00:00 1970
From: James Courtier-Dutton
Subject: Possible exploit potential in dosemu.
Date: Thu, 19 Oct 2006 12:27:02 +0100
Message-ID: <45376106.3040104@superbug.co.uk>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
Sender: linux-msdos-owner@vger.kernel.org
List-Id:
Content-Type: text/plain; charset="us-ascii"
To: linux-msdos@vger.kernel.org

The dosemu binary has an rwx stack segment, so this means that instructions can be placed on the stack and executed. This makes it a lot easier to exploit than if the stack was rw-.

This is detected with the following tool:

/src/dosemu-1.3.3 $ scanelf -Req *
RWX --- --- 1.3.3.0/bin/dosemu.bin
!WX --- --- src/env/video/remap_asm.o
!WX --- --- src/env/video/vesabios_pm.o

What this means is that the dosemu.bin file has an RWX stack. The source objects src/env/video/remap_asm.o and src/env/video/vesabios_pm.o cause this.

Please refer to the following URL for an explanation:
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

I think option (3) is the cause, and it can be fixed by adding the following to the end of the two source files:

#ifdef __ELF__
.section .note.GNU-stack,"",%progbits
#endif

This will indicate to the GNU assembler that an executable stack is not required.

I hope this helps.

Kind Regards
James
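Added example, not part of James's message or of the dosemu sources: a small Python checker that reads the same stack marking scanelf -e reports. For an executable or shared object it decodes the p_flags of the PT_GNU_STACK program header; for a relocatable object (the .o files the message names) it looks for the .note.GNU-stack section and its SHF_EXECINSTR flag, which is exactly what the suggested .section directive adds. A missing marker is the interesting case, since the linker (for .o files) and the Linux loader (for executables without PT_GNU_STACK) then fall back to an executable stack. The ELF images fed to it below are constructed by the example itself, not real dosemu files, and the "!WX" label for "no marking" is an assumption about scanelf's notation taken from the output quoted above.

```python
"""Report an ELF file's stack marking the way scanelf -e does (added example).

Executables and shared objects carry a PT_GNU_STACK program header whose
p_flags say whether the stack must be executable. Relocatable objects (.o)
carry the request as a .note.GNU-stack section instead: present without
SHF_EXECINSTR means "a non-executable stack is fine", present with
SHF_EXECINSTR means "an executable stack is required", and absent means the
linker has to assume the worst and the final binary gets an RWX stack.
Labels follow scanelf: RWX, RW-, and !WX for "no marking" (assumed notation).
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
SHF_EXECINSTR = 0x4
ET_REL = 1
_IDENT64 = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, version 1


def _header(data):
    """Decode the ELF32/ELF64 header fields the checker needs."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    en = "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(en + "H", data, 16)
    if data[4] == 2:  # ELF64
        e_phoff, e_shoff = struct.unpack_from(en + "QQ", data, 32)
        sizes = struct.unpack_from(en + "HHHHH", data, 54)
        phdr, shdr, flags_at = "IIQQQQQQ", "IIQQQQIIQQ", 1  # p_flags is the 2nd field
    elif data[4] == 1:  # ELF32
        e_phoff, e_shoff = struct.unpack_from(en + "II", data, 28)
        sizes = struct.unpack_from(en + "HHHHH", data, 42)
        phdr, shdr, flags_at = "IIIIIIII", "IIIIIIIIII", 6  # p_flags is the 7th field
    else:
        raise ValueError("unknown EI_CLASS")
    e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = sizes
    return (en, e_type, (e_phoff, e_phentsize, e_phnum, phdr, flags_at),
            (e_shoff, e_shentsize, e_shnum, e_shstrndx, shdr))


def stack_marking(data):
    """Return 'RWX', 'RW-' or '!WX' for the ELF image in data."""
    en, e_type, (phoff, phentsize, phnum, phdr, flags_at), (shoff, shentsize, shnum, shstrndx, shdr) = _header(data)
    if e_type == ET_REL:
        # Relocatable object: the marker is a section named .note.GNU-stack.
        if shnum == 0 or shstrndx >= shnum:
            return "!WX"
        shdrs = [struct.unpack_from(en + shdr, data, shoff + i * shentsize) for i in range(shnum)]
        strtab = shdrs[shstrndx][4]  # sh_offset of .shstrtab
        for sh in shdrs:
            name = data[strtab + sh[0]:data.index(b"\0", strtab + sh[0])]
            if name == b".note.GNU-stack":
                return "RWX" if sh[2] & SHF_EXECINSTR else "RW-"  # sh_flags
        return "!WX"  # missing: the linker assumes an executable stack is needed
    # Executable or shared object: the marker is the PT_GNU_STACK program header.
    for i in range(phnum):
        ph = struct.unpack_from(en + phdr, data, phoff + i * phentsize)
        if ph[0] == PT_GNU_STACK:
            return "RWX" if ph[flags_at] & PF_X else "RW-"
    return "!WX"  # missing: the Linux loader makes the stack executable


def build_exec(stack_flags):
    """Constructed input: minimal ELF64 executable whose only program header is PT_GNU_STACK."""
    ehdr = _IDENT64 + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)


def build_object(with_note, note_flags=0):
    """Constructed input: minimal ELF64 .o with .shstrtab and, optionally, .note.GNU-stack."""
    names = b"\0.shstrtab\0.note.GNU-stack\0"
    shoff = 64 + len(names)
    shdrs = [struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             struct.pack("<IIQQQQIIQQ", 1, 3, 0, 0, 64, len(names), 0, 0, 1, 0)]  # SHT_STRTAB
    if with_note:
        shdrs.append(struct.pack("<IIQQQQIIQQ", 11, 1, note_flags, 0, shoff, 0, 0, 0, 1, 0))  # empty PROGBITS
    ehdr = _IDENT64 + struct.pack("<HHIQQQIHHHHHH", ET_REL, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(shdrs), 1)
    return ehdr + names + b"".join(shdrs)


if __name__ == "__main__":
    # Usage: python gnustack.py dosemu.bin remap_asm.o ...  (one scanelf-style line per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(stack_marking(f.read()), path)
```

Run it over a build tree before and after adding the .note.GNU-stack directive: the two .o files should move from !WX to RW-, and the linked dosemu.bin from RWX to RW-. If an object still reports RWX after the directive, its assembler source is requesting an executable stack explicitly ("x" in the section flags) rather than merely lacking the note.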