|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-bugs] [Bug 1068] New: Guest root can escape to domain 0 through grub.conf and pygrub
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068 Summary: Guest root can escape to domain 0 through grub.conf and pygrub Product: Xen Version: 3.0.3 Platform: All OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: Tools AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx ReportedBy: jorispubl@xxxxxxxxx When booting a guest domain, pygrub uses Python exec() statements to process untrusted data from grub.conf. By crafting a grub.conf file, the root user in a guest domain can trigger execution of arbitrary Python code in domain 0. The offending code is in tools/pygrub/src/GrubConf.py, in lines such as exec("%s = r\"%s\"" %(self.commands[com], arg.strip())) This can be exploited from a guest domain, for example by modifying /boot/grub/grub.conf and changing the 'default' statement into something like default "+str(0*os.system(" insert evil command here "))+" On the next boot of the guest domain, the evil command will execute in domain 0. -- Configure bugmail: http://bugzilla.xensource.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. _______________________________________________ Xen-bugs mailing list Xen-bugs@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-bugs
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |