Bug 302801 (CVE-2007-4993) - CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
Summary: CVE-2007-4993 xen guest root can escape to domain 0 through pygrub
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-4993
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 302821 302831
Blocks:
Reported: 2007-09-24 09:06 UTC by Mark J. Cox
Modified: 2019-09-29 12:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:46:04 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0323 0 normal SHIPPED_LIVE Important: xen security update 2007-10-02 20:53:38 UTC

Description Mark J. Cox 2007-09-24 09:06:33 UTC
Reported to security but was also entered into public bz at
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

...
Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.

When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf.  By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.

The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute
in domain 0.

Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.
...
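The exec() pattern quoted above beside a hardened directive parser, as an added example that is neither Xen's pygrub code nor part of the bug report. The class and directive names are assumptions, and a harmless tripwire function stands in for the shell command so the contrast can be run safely:

```python
# Added example, not Xen's own pygrub code: a cut-down grub.conf directive parser
# in two variants. VulnerableGrubConf mirrors the exec() line quoted in the report;
# HardenedGrubConf validates the argument and stores it with setattr(), so it stays
# data and is never compiled as Python. A tripwire stands in for the "evil command".
TRIPWIRE = {"hit": False}
def tripwire():
    """Records that attacker-controlled text was executed as Python."""
    TRIPWIRE["hit"] = True
    return 0
# Directive -> attribute name; anything else is ignored, as pygrub does.
COMMANDS = {"default": "default", "timeout": "timeout", "title": "title"}
INT_FIELDS = {"default", "timeout"}
class VulnerableGrubConf:
    def parse_line(self, line):
        com, _, arg = line.strip().partition(" ")
        if com in COMMANDS:
            # Same shape as the GrubConf.py line in the report: the argument is
            # pasted into source text, so a quote in it closes the string early.
            exec("self.%s = r\"%s\"" % (COMMANDS[com], arg.strip()))

class HardenedGrubConf:
    def parse_line(self, line):
        """Applies one directive; returns False if it is unknown or malformed."""
        com, _, arg = line.strip().partition(" ")
        if com not in COMMANDS:
            return False
        attr, arg = COMMANDS[com], arg.strip()
        if attr in INT_FIELDS:
            if not arg.isdigit():
                return False  # e.g. the crafted 'default' value is rejected
            value = int(arg)
        else:
            value = arg  # plain string, never evaluated
        setattr(self, attr, value)
        return True

# Constructed line in the shape the report describes, tripwire instead of a command.
CRAFTED_LINE = 'default "+str(0*tripwire())+"'

def demo():
    """Returns (exec variant fired, hardened accepted crafted line, hardened fired, default, title)."""
    TRIPWIRE["hit"] = False
    VulnerableGrubConf().parse_line(CRAFTED_LINE)
    exec_fired = TRIPWIRE["hit"]
    TRIPWIRE["hit"] = False
    safe = HardenedGrubConf()
    accepted = safe.parse_line(CRAFTED_LINE)
    safe.parse_line("default 0")
    safe.parse_line("title Guest kernel")
    return exec_fired, accepted, TRIPWIRE["hit"], safe.default, safe.title
```

Running demo() shows the exec variant evaluating the crafted value while the hardened parser rejects it and still handles ordinary directives.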