DOS Software Security: Is there Anyone Left to Patch a 25-year old Vulnerability?
2019-10-24, 15:15–16:00, Europe

Abstract. DOS (Disk Operating System) systems were developed in the
1970s and are still used today, for example in some embedded systems,
management applications or by the gaming community. In this article
we will study the impact of the (lack of) security of DOS applications
on modern systems. We will explain in detail the vulnerability of the
CVE-2018-20343 which affects the Build Engine - a 3D engine - and which
allows arbitrary code execution. We show that such vulnerabilities can
be found in seconds using state-of-the-art fuzzers. Often, running a DOS
applications today means running it within an emulator such as DOSBox.
Such emulators should limit the interaction between the DOS application
and the host OS. Unfortunately, we also show how DOSBox directly
allows emulated applications to access the host file system, thus allowing
to compromise the host machine by changing login scripts for instance.
While this kind of attack usually requires a user action (login, reboot, etc.)
to execute the malicious code, we further show, by explaining CVE-2019-12594,
that even immediate arbitrary code execution can be achieved by
bypassing mitigation techniques such as DEP or ASLR. Finally, we will
describe how software vendor are (or not) patching such vulnerabilities
in DOS applications they still sell today.

See also: