Security hole in Xen
A vulnerability has been detected in the Xen virtualisation software that can be exploited by users with root privileges in a guest domain to execute arbitrary commands in domain 0. The problem results from a bug in the tools/pygrub/src/GrubConf.py script, which reads data from the configuration of the Grub boot manager (boot/grub/grub.conf) and tries to set parameters by using the exec command without proper sanitation. During the next reboot, a manipulated configuration file may be used to pass commands to the shell via the script running in domain 0 and to trigger execution. Joris van Rantwijk has published a sample exploit in his Bugzilla entry on Xensource.com to demonstrate the vulnerability:
default "+str(0*os.system(" insert evil command here "))+"
The flaw was detected in Xen 3.0.3; other versions might also be affected. No update has been provided yet. Xen is a component of most Linux distributions and the basis of the commercial variants XenSource and Virtual Iron.
- Guest root can escape to domain 0 through grub.conf and pygrub, advisory by Joris van Rantwijk
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
