Bug 302801 - (CVE-2007-4993) CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
reported=20070923,source=secalert,pub...
: Security
Depends On: 302821 302831
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-24 05:06 EDT by Mark J. Cox (Product Security)
Modified: 2015-08-22 12:46 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 12:46:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2007-09-24 05:06:33 EDT
Reported to security@redhat.com but was also entered into public bz at
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

...
Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.

When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf.  By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.

The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute
in domain 0.

Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.
...

Note You need to log in before you can comment on or make changes to this bug.