Red Hat Bugzilla – Bug 302801
CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
Last modified: 2015-08-22 12:46:04 EDT
Reported to firstname.lastname@example.org but was also entered into public bz at
Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.
When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf. By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.
The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like
default "+str(0*os.system(" insert evil command here "))+"
On the next boot of the guest domain, the evil command will execute
in domain 0.
Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.
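A hardened counterpart to the exec()-based command handling described above, written as an added example for this report and not pygrub's actual code or fix. The class name GrubConf, the COMMANDS table and the per-command validators are assumptions; the sample grub.conf is constructed and contains the injected 'default' line from the report, which the parser stores nowhere and never evaluates.

```python
import re

# Constructed sample: a guest grub.conf whose 'default' line carries the
# injection from the report, followed by ordinary entries.
SAMPLE_GRUB_CONF = """\
default "+str(0*os.system(" insert evil command here "))+"
timeout=5
title Fedora
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/xvda1
    initrd /initrd.img
"""

# Hypothetical replacement for the report's
#   exec("%s = r\"%s\"" % (self.commands[com], arg.strip()))
# Each top-level command maps to a fixed attribute name and a validator;
# the untrusted value is only ever treated as data, never as Python source.
COMMANDS = {
    "default": ("default", re.compile(r"^(\d+|saved)$")),
    "timeout": ("timeout", re.compile(r"^\d+$")),
}

class GrubConf:
    def __init__(self):
        self.default = 0          # safe defaults used when a value is rejected
        self.timeout = None
        self.rejected = []        # (command, raw value) pairs that failed validation

    def parse(self, text):
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            # Accept both "key value" and "key=value" spellings.
            m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
            if not m or m.group(1) not in COMMANDS:
                continue          # entry-level lines (title, kernel, ...) are out of scope here
            com, arg = m.group(1), m.group(2).strip()
            attr, pattern = COMMANDS[com]
            if pattern.match(arg):
                setattr(self, attr, int(arg) if arg.isdigit() else arg)
            else:
                self.rejected.append((com, arg))
        return self

def parse_grub_conf(text):
    """Parse a guest grub.conf with validation instead of exec()."""
    return GrubConf().parse(text)
```

Rejected values are kept so domain 0 can log them; a guest config that fails validation is a signal worth alerting on when guest administration is delegated.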