Guest root can escape to domain 0 through grub.conf and pygrub
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| xen | Fix Released | High | | |
| Fedora | Fix Released | High | | |
| xen-3.0 (Ubuntu) | Fix Released | Undecided | Kees Cook | |
Bug Description
Reported to <email address hidden> but was also entered into public bz at
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068
...
Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.
When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf. By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.
The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
such as
exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like
default "+str(0*os.system(" insert evil command here "))+"
On the next boot of the guest domain, the evil command will execute
in domain 0.
Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.
...
Changed in xen:
importance: Undecided → Unknown
status: New → Unknown
Changed in xen:
status: Unknown → Fix Released
Changed in xen:
importance: Unknown → High
Changed in fedora:
importance: Unknown → High
status: Fix Committed → Fix Released
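An added example, not taken from the report or from pygrub's source: a simplified model of the exec() pattern described in the bug, next to a parser that keeps the configuration value as data and checks it against an allowlist. The class names, the two-entry command table and the allowed-value patterns are assumptions of this sketch, and the constructed input uses the harmless expression 6*7 where the report's grub.conf line has a command.

```python
import re

# Constructed guest-controlled line; 6*7 is a harmless stand-in for attacker code.
CRAFTED = 'default "+str(6*7)+"'
# Hypothetical subset of a command table (names are assumptions of this example).
EXEC_TARGETS = {"default": "self.default", "timeout": "self.timeout"}
SAFE_FIELDS = {"default": re.compile(r"\d+|saved"), "timeout": re.compile(r"\d+")}


def split_line(line):
    """Split 'command argument' on the first run of whitespace."""
    com, arg = (line.split(None, 1) + ["", ""])[:2]
    return com, arg.strip()


class ExecConfig:
    """Pattern from the report: the value is pasted into Python source."""
    def __init__(self):
        self.default, self.timeout = "0", "0"
    def set_from_line(self, line):
        com, arg = split_line(line)
        if com in EXEC_TARGETS:
            exec('%s = r"%s"' % (EXEC_TARGETS[com], arg.strip()))


class SafeConfig:
    """Hardened form: the value stays data and must match an allowlist."""
    def __init__(self):
        self.default, self.timeout = "0", "0"
    def set_from_line(self, line):
        com, arg = split_line(line)
        pattern = SAFE_FIELDS.get(com)
        if pattern is None:
            return False  # unknown command: ignored
        if not pattern.fullmatch(arg):
            raise ValueError("rejected %s value: %r" % (com, arg))
        setattr(self, com, arg)  # com is one of the fixed keys above
        return True


def compare(line):
    """Return the 'default' each parser ends up with for one config line."""
    vuln, safe = ExecConfig(), SafeConfig()
    vuln.set_from_line(line)
    try:
        safe.set_from_line(line)
    except ValueError as err:
        return vuln.default, "error: %s" % err
    return vuln.default, safe.default
```

With the constructed line, the exec-based parser stores the computed string "42", which shows the value was evaluated as code, while the allowlist parser rejects the line before anything is assigned.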