Xen 
 
Bug#: 1068
Status: RESOLVED
Resolution: FIXED
Assigned To: Xen Bug List <xen-bugs@lists.xensource.com>
Reporter: Joris van Rantwijk <jorispubl@xs4all.nl>


Description:   Opened: 2007-09-22 15:11
When booting a guest domain, pygrub uses Python exec() statements to process
untrusted data from grub.conf. By crafting a grub.conf file, the root user in a
guest domain can trigger execution of arbitrary Python code in domain 0.

The offending code is in tools/pygrub/src/GrubConf.py, in lines such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from a guest domain, for example by modifying
/boot/grub/grub.conf and changing the 'default' statement into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute in domain
0.
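
A defensive sketch of the pattern at issue in the description above, added here as an example and not taken from the report or from Xen's code: the value is stored with `setattr()` so it stays data, and a parse-only check shows that the crafted `default` line stops being a plain string assignment once it is formatted into the `exec()` source. `COMMANDS`, `split_directive`, `GrubConfigData` and `load` are hypothetical names, and the directive splitting is a simplification of grub.conf syntax.

```python
import ast
import re

# Hypothetical subset of the directive -> attribute map (self.commands on the page).
COMMANDS = {"default": "default", "timeout": "timeout"}

# The crafted line quoted in the report, kept only as inert test data.
CRAFTED_LINE = 'default "+str(0*os.system(" insert evil command here "))+"'


def split_directive(line):
    """Split 'name value' or 'name=value'; return (None, None) if not a directive."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None, None
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    if len(parts) != 2 or parts[0] not in COMMANDS:
        return None, None
    return parts[0], parts[1].strip()


def exec_would_only_assign_string(attr, arg):
    """Parse (never run) the source the exec() form would build and report
    whether it is still a single assignment of one string literal."""
    source = '%s = r"%s"' % (attr, arg)
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.Assign):
        return False
    value = tree.body[0].value
    return isinstance(value, ast.Constant) and isinstance(value.value, str)


class GrubConfigData:
    """Stores directive values as plain strings; nothing is evaluated."""

    def __init__(self):
        self.default = "0"
        self.timeout = "-1"

    def parse_line(self, line):
        com, arg = split_directive(line)
        if com is not None:
            setattr(self, COMMANDS[com], arg)  # data stays data


def load(text):
    """Parse constructed grub.conf text line by line into a GrubConfigData."""
    cfg = GrubConfigData()
    for line in text.splitlines():
        cfg.parse_line(line)
    return cfg
```

Consumers of `default` still need to validate it (for example, as an integer index or a known title) before use, since the stored string is guest-controlled.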

------- Comment #1 From mjc@redhat.com 2007-09-24 02:07 -------
CVE-2007-4993

------- Comment #2 From Keir Fraser 2007-10-04 03:18 -------
Fixed on 25th September by xen-unstable 15953:70bb28b.
