Bugzilla – Bug 1068
Guest root can escape to domain 0 through grub.conf and pygrub
Last modified: 2007-10-04 03:18:03 CDT
When booting a guest domain, pygrub (which runs in domain 0) uses Python exec()
statements to process untrusted data read from the guest's grub.conf. By crafting
that file, the root user in a guest domain can trigger execution of arbitrary
Python code, and through it arbitrary commands, in domain 0.
The offending code is in tools/pygrub/src/GrubConf.py, in lines such as
exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
This can be exploited from a guest domain, for example by modifying
/boot/grub/grub.conf and changing the 'default' statement into something like
default "+str(0*os.system(" insert evil command here "))+"
On the next boot of the guest domain, the evil command will execute in domain 0.
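The following is an added illustration of the bug class, not code from pygrub or from the bug report: a reduced stand-in for the GrubConf.py parser that reproduces the exec()-based assignment quoted above, fed a constructed grub.conf carrying the payload shape from the report, next to a variant that stores the value with setattr() so the text is treated as data. To keep the demonstration harmless, a hypothetical shell() function records the command instead of calling os.system(); the setattr() variant is one way to remove the bug and is not claimed to be the changeset Xen shipped.

```python
"""Reduced model of the pygrub GrubConf.py bug: exec() on grub.conf data.

Constructed example.  The parser is a stand-in for tools/pygrub/src/GrubConf.py,
not the real code, and shell() replaces os.system() so nothing runs for real.
"""
import re

# Records the commands an injected payload would have handed to os.system().
RAN = []


def shell(cmd):
    """Stand-in for os.system(): log the command and return its 0 exit status."""
    RAN.append(cmd)
    return 0


# Constructed grub.conf contents.  Guest root fully controls this file.
BENIGN_CONF = "default 0\ntimeout 5\ntitle Fedora\n  kernel /vmlinuz ro\n"

# Same payload shape as in the report, with os.system swapped for shell():
# the leading quote closes the r"..." literal early and the rest is Python.
EVIL_CONF = 'default "+str(0*shell("touch /tmp/pwned"))+"\n'

# Accepts both "default 0" and "default=0" forms.
LINE_RE = re.compile(r"^\s*(\w+)\s*=?\s*(.*?)\s*$")


class VulnerableGrubConfig:
    """Mirrors the pre-fix pattern: the value is spliced into exec()'d source."""
    commands = {"default": "self.default", "timeout": "self.timeout"}

    def __init__(self):
        self.default = None
        self.timeout = None

    def parse(self, text):
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m or m.group(1) not in self.commands:
                continue  # title/kernel/etc. are ignored in this reduced model
            com, arg = m.group(1), m.group(2)
            # The offending line from the report; `arg` is attacker-controlled,
            # so a quote in it turns the rest of the value into executed code.
            exec("%s = r\"%s\"" % (self.commands[com], arg.strip()))


class HardenedGrubConfig(VulnerableGrubConfig):
    """Same parser, but the value is stored as data with setattr()."""
    commands = {"default": "default", "timeout": "timeout"}

    def parse(self, text):
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m or m.group(1) not in self.commands:
                continue
            com, arg = m.group(1), m.group(2)
            # No source is built from the value, so quotes in it are inert.
            setattr(self, self.commands[com], arg.strip())


def parse_with(parser_cls, text):
    """Parse `text`; return (value of 'default', commands the payload ran)."""
    del RAN[:]
    cfg = parser_cls()
    cfg.parse(text)
    return cfg.default, list(RAN)


if __name__ == "__main__":
    print("vulnerable, benign:", parse_with(VulnerableGrubConfig, BENIGN_CONF))
    print("vulnerable, evil:  ", parse_with(VulnerableGrubConfig, EVIL_CONF))
    print("hardened, evil:    ", parse_with(HardenedGrubConfig, EVIL_CONF))
```

With the vulnerable parser the payload's "command" is recorded and `default` ends up as the harmless-looking string "0", which is exactly why the guest keeps booting and the injection goes unnoticed; the hardened parser stores the whole payload verbatim as the `default` value and runs nothing.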
Fixed on 25 September 2007 by xen-unstable changeset 15953:70bb28b.