Guest root can escape to domain 0 through grub.conf and pygrub

Bug #149127 reported by TiagoMacambira
Affects            Status        Importance   Assigned to   Milestone
xen                Fix Released  High
Fedora             Fix Released  High
xen-3.0 (Ubuntu)   Fix Released  Undecided    Kees Cook

Bug Description

Reported to <email address hidden> but was also entered into public bz at
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

...
Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.

When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf. By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.

The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute
in domain 0.

Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.
...
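The root cause described above is that a grub.conf value is spliced into Python source text and handed to exec(), so a value containing a double quote ends the r"..." literal and the remainder is parsed as code. The following is an added example, not pygrub's own code: unsafe_source() reproduces only the string-building step the report quotes (it never executes anything), and parse_grub_conf() is a constructed replacement that looks each directive up in a fixed table and validates its value as data. The directive tables, the sample grub.conf, and the hostile line built from the report's own 'default' shape are all constructed for this example.

```python
"""Added example (not pygrub's own code): the directive-as-source pattern the
report quotes, beside a parser that treats grub.conf values as data only."""
import re

# Directives handled by this example and the validator applied to each value.
# Constructed subset; the real GrubConf.py command table is larger.
GLOBAL_DIRECTIVES = {"default": int, "timeout": int}
ENTRY_DIRECTIVES = {"title": str, "root": str, "kernel": str, "initrd": str}

# Accepts both "default=0" and "kernel /vmlinuz ..." forms.
_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def unsafe_source(com, arg):
    """Build the string the vulnerable code handed to exec().  Only the
    source text is returned here; it is never executed.  A value containing
    a double quote terminates the r"..." literal, so the rest of the value
    is parsed as Python rather than stored as a boot parameter."""
    return '%s = r"%s"' % (com, arg.strip())


class SafeConfig:
    def __init__(self):
        self.globals = {}   # default=, timeout=
        self.entries = []   # one dict per "title" stanza
        self.errors = []    # rejected lines, to be logged in domain 0


def parse_grub_conf(text):
    """Parse grub.conf without generating code: each directive is looked up
    in a fixed table and its value passed through a validator.  Unknown
    directives and values that fail validation are recorded, not executed."""
    cfg = SafeConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            cfg.errors.append("unparseable line: %r" % line)
            continue
        com, arg = m.group(1), m.group(2).strip()
        try:
            if com == "title":
                cfg.entries.append({"title": arg})
            elif com in ENTRY_DIRECTIVES and cfg.entries:
                cfg.entries[-1][com] = ENTRY_DIRECTIVES[com](arg)
            elif com in GLOBAL_DIRECTIVES:
                cfg.globals[com] = GLOBAL_DIRECTIVES[com](arg)
            else:
                cfg.errors.append("unknown or misplaced directive: %r" % line)
        except ValueError:
            cfg.errors.append("invalid value for %s: %r" % (com, arg))
    return cfg


# Constructed sample configs for the demonstration.
GRUB_CONF = """\
# constructed sample grub.conf
default=0
timeout=5
title Fedora Xen guest
    root (hd0,0)
    kernel /vmlinuz-2.6 ro root=/dev/xvda1
    initrd /initrd-2.6.img
"""

# The 'default' line shape from the report, with its placeholder left as-is.
HOSTILE_VALUE = '"+str(0*os.system(" insert evil command here "))+"'
HOSTILE_CONF = GRUB_CONF.replace("default=0", "default " + HOSTILE_VALUE)


if __name__ == "__main__":
    # Source text the vulnerable pattern would have executed in domain 0.
    print(unsafe_source("default", HOSTILE_VALUE))
    # The data-only parser rejects the same value because 'default' must be an int.
    hostile = parse_grub_conf(HOSTILE_CONF)
    print(hostile.globals, hostile.errors)
```

Note that the safe parser does not try to detect "dangerous" characters in values; it never builds code from them, so the quote that breaks out of the r"..." literal in the exec() version is just part of a string that fails the integer check for 'default' (or is stored verbatim for a free-text directive such as 'title').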

Revision history for this message
In , Mark (mark-redhat-bugs) wrote :

Revision history for this message
TiagoMacambira (macambira) wrote :
Christian Reis (kiko)
Changed in xen:
importance: Undecided → Unknown
status: New → Unknown
Revision history for this message
Kees Cook (kees) wrote :

Thanks for this report! This issue was solved with USN-527-1:

http://www.ubuntu.com/usn/usn-527-1

Changed in xen-3.0:
assignee: nobody → keescook
status: New → Fix Released
Changed in xen:
status: Unknown → Fix Released
Changed in xen:
importance: Unknown → High
Changed in fedora:
importance: Unknown → High
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
