This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-bugs] [Bug 1068] New: Guest root can escape to domain 0 through gru

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 1068] New: Guest root can escape to domain 0 through grub.conf and pygrub
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Sat, 22 Sep 2007 15:11:41 -0700
Delivery-date: Sat, 22 Sep 2007 15:12:06 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx

           Summary: Guest root can escape to domain 0 through grub.conf and
           Product: Xen
           Version: 3.0.3
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Tools
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: jorispubl@xxxxxxxxx

When booting a guest domain, pygrub uses Python exec() statements to process
untrusted data from grub.conf. By crafting a grub.conf file, the root user in a
guest domain can trigger execution of arbitrary Python code in domain 0.

The offending code is in tools/pygrub/src/GrubConf.py, in lines such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from a guest domain, for example by modifying
/boot/grub/grub.conf and changing the 'default' statement into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute in domain

Configure bugmail: 
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

Xen-bugs mailing list

<Prev in Thread] Current Thread [Next in Thread>