Bug 1068 – Guest root can escape to domain 0 through grub.conf and pygrub
Status: RESOLVED FIXED
Product: Xen
Component: Tools
Version: 3.0.3
Platform: All Linux
Importance: P2 major
Assigned To: Xen Bug List
Reported: 2007-09-22 15:11 CDT by Joris van Rantwijk
Modified: 2007-10-04 03:18 CDT
Description Joris van Rantwijk 2007-09-22 15:11:41 CDT
When booting a guest domain, pygrub uses Python exec() statements to process
untrusted data from grub.conf. By crafting a grub.conf file, the root user in a
guest domain can trigger execution of arbitrary Python code in domain 0.

The offending code is in tools/pygrub/src/GrubConf.py, in lines such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from a guest domain, for example by modifying
/boot/grub/grub.conf and changing the 'default' statement into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute in domain
0.
Comment 1 mjc 2007-09-24 02:07:34 CDT
CVE-2007-4993
Comment 2 Keir Fraser 2007-10-04 03:18:03 CDT
Fixed on 25th September by xen-unstable 15953:70bb28b.
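
Added example, not part of the bug report or of the Xen source: the exec() pattern quoted in the description next to a parser that keeps grub.conf values as plain data. All names here (Config, COMMANDS, canary, parse_with_exec, parse_as_data) and the accepted value grammar are assumptions made for illustration; canary() is a harmless stand-in that only records that guest-supplied text was evaluated.

```python
import re

# Constructed sample: a guest-controlled grub.conf whose 'default' value is shaped
# like the one in the report, with a harmless canary() in place of a command.
CRAFTED = ['default "+str(0*canary())+"', "timeout 5"]
COMMANDS = {"default": "default", "timeout": "timeout"}  # illustrative subset
canary_hits = []

def canary():
    """Records that guest-supplied text was evaluated as Python."""
    canary_hits.append(1)
    return 0

class Config:
    def __init__(self):
        self.default, self.timeout = "0", "-1"

def split_line(line):
    parts = re.split(r"[ \t=]+", line.strip(), maxsplit=1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")

def parse_with_exec(cfg, lines):
    """The reported pattern: the value is pasted into Python source and run."""
    for com, arg in map(split_line, lines):
        if com in COMMANDS:
            exec("cfg.%s = r\"%s\"" % (COMMANDS[com], arg))

def parse_as_data(cfg, lines):
    """Hardened form: values stay strings and must look like what the key expects."""
    rejected = []
    for com, arg in map(split_line, lines):
        if com not in COMMANDS:
            continue
        if re.fullmatch(r"saved|-?\d+", arg):  # assumed value grammar for both keys
            setattr(cfg, COMMANDS[com], arg)
        else:
            rejected.append((com, arg))  # keep the built-in default, report the line
    return rejected

def run_demo():
    canary_hits.clear()
    parse_with_exec(Config(), CRAFTED)
    exec_hits = len(canary_hits)
    canary_hits.clear()
    cfg = Config()
    rejected = parse_as_data(cfg, CRAFTED)
    return exec_hits, len(canary_hits), cfg.default, cfg.timeout, rejected

if __name__ == "__main__":
    print(run_demo())
```

With the exec() parser the canary runs once while the config is being read; with the data-only parser it never runs, the crafted line is returned in the rejected list, and the built-in default is kept.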