Bug 302801 - (CVE-2007-4993) CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 302821 302831
  Show dependency treegraph
Reported: 2007-09-24 05:06 EDT by Mark J. Cox
Modified: 2015-08-22 12:46 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-08-22 12:46:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox 2007-09-24 05:06:33 EDT
Reported to security@redhat.com but was also entered into public bz at

Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.

When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf.  By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.

The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute
in domain 0.

Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.

Note You need to log in before you can comment on or make changes to this bug.