WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-bugs

[Xen-bugs] [Bug 1068] New: Guest root can escape to domain 0 through gru

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 1068] New: Guest root can escape to domain 0 through grub.conf and pygrub
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Sat, 22 Sep 2007 15:11:41 -0700
Delivery-date: Sat, 22 Sep 2007 15:12:06 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

           Summary: Guest root can escape to domain 0 through grub.conf and
                    pygrub
           Product: Xen
           Version: 3.0.3
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Tools
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: jorispubl@xxxxxxxxx


When booting a guest domain, pygrub uses Python exec() statements to process
untrusted data from grub.conf. By crafting a grub.conf file, the root user in a
guest domain can trigger execution of arbitrary Python code in domain 0.

The offending code is in tools/pygrub/src/GrubConf.py, in lines such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from a guest domain, for example by modifying
/boot/grub/grub.conf and changing the 'default' statement into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute in domain
0.
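
The exec() pattern described in the report next to a data-only assignment, as an added example that is not part of the original bug report and is not pygrub's own code. `COMMANDS`, `Conf`, `split_line`, `parse_line_exec` and `parse_line_safe` are hypothetical names, the input lines are constructed, and the injected expression is a harmless `str(1+1)`.

```python
import re

# Hypothetical subset of grub.conf keywords -> attribute names (assumption).
COMMANDS = {"default": "default", "timeout": "timeout", "splashimage": "splash"}
# Assumption for this sketch: these fields only ever hold a decimal index.
INT_FIELDS = {"default", "timeout"}


class Conf:
    """Plain container for parsed global settings."""


def split_line(line):
    """Split 'keyword arg' or 'keyword=arg' into (keyword, arg)."""
    parts = line.strip().replace("=", " ", 1).split(None, 1)
    if not parts:
        return None, ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_line_exec(conf, line):
    """Pattern from the report: the guest-supplied value is pasted into
    Python source, so a double quote in it ends the string literal and the
    rest of the value is evaluated as code."""
    com, arg = split_line(line)
    if com in COMMANDS:
        exec("conf.%s = r\"%s\"" % (COMMANDS[com], arg.strip()), {"conf": conf})


def parse_line_safe(conf, line):
    """Data-only form: the value is never compiled, only stored."""
    com, arg = split_line(line)
    if com not in COMMANDS:
        return False  # unknown keyword, ignored
    arg = arg.strip()
    if com in INT_FIELDS and not re.fullmatch(r"[0-9]+", arg):
        raise ValueError("%s must be a decimal integer, got %r" % (com, arg))
    setattr(conf, COMMANDS[com], arg)  # attribute name comes from COMMANDS only
    return True


if __name__ == "__main__":
    crafted = 'default "+str(1+1)+"'  # constructed, harmless stand-in
    c = Conf()
    parse_line_exec(c, crafted)
    print("exec form stored:", repr(c.default))  # the expression was evaluated
    try:
        parse_line_safe(Conf(), crafted)
    except ValueError as e:
        print("safe form rejected:", e)
```
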

