Bug 302801 (CVE-2007-4993)

Summary: CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: kreilly, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 16:46:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 302821, 302831
Bug Blocks:

Description Mark J. Cox 2007-09-24 09:06:33 UTC
Reported to security but was also entered into public bz at
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

...
Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.

When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf.  By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.

The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute
in domain 0.

Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.
...
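The root cause described above is that a configuration value read from an untrusted guest file is interpolated into a Python source string and passed to exec(), so the value is treated as code rather than data. The hardened design is to never construct source text from config values at all: split each grub.conf line into a directive and a string value, keep the value as data, and type-check it before use. The parser below is an added example written for this page; it is not Xen's pygrub code nor the upstream fix, and the directive names, the integer typing of `default`/`timeout`, and the two sample grub.conf texts are assumptions constructed for the illustration. With this approach the crafted `default` line from the report is simply rejected as a non-integer value, and nothing in it is ever evaluated.

```python
# Added example (not pygrub's code): parse grub.conf directives as data,
# never as Python source. All names and sample inputs here are constructed.
import re

# Global directives and the type each value must have. Assumption for this
# example: 'default' and 'timeout' are non-negative integers, others are strings.
GLOBAL_DIRECTIVES = {
    "default": int,
    "timeout": int,
    "splashimage": str,
}

# Directives that are only valid inside a 'title' block.
ENTRY_DIRECTIVES = {"root", "kernel", "initrd", "module"}


class GrubConfigError(ValueError):
    """Raised when a grub.conf line is malformed or fails validation."""


def parse_directive(line):
    """Split one line into (command, value) without evaluating anything.

    Returns None for blank lines and comments.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    command = parts[0]
    value = parts[1].strip() if len(parts) > 1 else ""
    return command, value


def coerce(command, value):
    """Convert a global directive's value to its declared type, or raise."""
    conv = GLOBAL_DIRECTIVES[command]
    if conv is int:
        # Strict digit check: quotes, parentheses, '+' etc. are never accepted,
        # so an injected expression cannot even reach the integer conversion.
        if not re.fullmatch(r"[0-9]+", value):
            raise GrubConfigError(
                "%s expects a non-negative integer, got %r" % (command, value))
        return int(value)
    return value  # strings stay strings; they are stored, never executed


def parse_grub_conf(text):
    """Parse grub.conf text into a plain dict: globals plus a list of entries."""
    config = {"entries": []}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_directive(raw)
        if parsed is None:
            continue
        command, value = parsed
        if command == "title":
            current = {"title": value}
            config["entries"].append(current)
        elif command in ENTRY_DIRECTIVES:
            if current is None:
                raise GrubConfigError(
                    "line %d: %s outside a title block" % (lineno, command))
            current[command] = value
        elif command in GLOBAL_DIRECTIVES:
            config[command] = coerce(command, value)
        else:
            # Unknown directives are rejected rather than passed anywhere.
            raise GrubConfigError(
                "line %d: unknown directive %r" % (lineno, command))
    return config


def validate(text):
    """Return None if the config parses cleanly, else the error message."""
    try:
        parse_grub_conf(text)
    except GrubConfigError as exc:
        return str(exc)
    return None


# Constructed sample: a benign guest grub.conf.
SAMPLE_CONF = """\
default 0
timeout 5
title Example guest (constructed)
    root (hd0,0)
    kernel /vmlinuz-example root=/dev/xvda1 ro
    initrd /initrd-example.img
"""

# Constructed sample using the crafted 'default' line shape from the report;
# the command inside is a placeholder, and the parser never evaluates it.
CRAFTED_CONF = """\
default "+str(0*os.system(" insert evil command here "))+"
timeout 5
title Example guest (constructed)
    kernel /vmlinuz-example root=/dev/xvda1 ro
"""

if __name__ == "__main__":
    print(parse_grub_conf(SAMPLE_CONF))
    print("crafted config rejected:", validate(CRAFTED_CONF))
```

The key property is that every value from the guest file only ever travels through string variables and dictionary slots; there is no path by which its characters become Python syntax. Type validation (the digit check on `default`) is a second layer: even a parser that later passes `default` to something sensitive only ever sees an int.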