Security hole in Xen
A vulnerability has been found in the Xen virtualisation software that a user with root privileges inside a guest domain can exploit to execute arbitrary commands in domain 0, the privileged management domain. The cause is a bug in the script tools/pygrub/src/GrubConf.py, which pygrub uses to read the guest's GRUB boot-loader configuration (/boot/grub/grub.conf) and which sets the parameters it finds there by handing them to Python's exec without any sanitisation. Because pygrub runs in domain 0 when a guest is started, a manipulated configuration file that is processed at the guest's next boot can smuggle Python code, and through it shell commands, into domain 0 and have them executed there. Joris van Rantwijk has published a sample exploit in his Bugzilla entry on Xensource.com to demonstrate the vulnerability; a single line in grub.conf is enough:
default "+str(0*os.system(" insert evil command here "))+"
The flaw was found in Xen 3.0.3; other versions may also be affected. No fix is available yet, so until one ships the grub.conf of any guest booted through pygrub has to be regarded as untrusted input that reaches domain 0. Xen ships as a component of most Linux distributions and is the basis of the commercial products XenSource and Virtual Iron.
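To show how the payload above breaks out of the string the script builds, here is an added example that is neither pygrub's code nor taken from the advisory: a simplified Python 3 reconstruction of the exec()-based directive handling the article describes, beside a hardened parser that maps directive names to typed setters through a fixed table and never executes a value. The grub.conf contents, the marker-file command standing in for the "evil command", and all class and function names are constructed for this illustration; real pygrub accepts more directives and value forms than the two handled here.

```python
import os
import shlex
import tempfile

# Added example, not code from Xen/pygrub: a simplified reconstruction of the
# exec()-based directive handling described in the advisory, next to a hardened
# parser that treats grub.conf values strictly as data.  Everything below
# (config text, class names, marker file) is constructed for the demo.


def build_grub_conf(marker_path):
    """Constructed guest grub.conf.  The 'default' line has the shape of the
    advisory's payload; the "evil command" is a harmless marker-file write."""
    command = "echo pwned > " + shlex.quote(marker_path)
    lines = [
        "timeout 5",
        'default "+str(0*os.system("%s"))+"' % command,
        "title Linux",
        "    root (hd0,0)",
        "    kernel /vmlinuz root=/dev/xvda1 ro",
    ]
    return "\n".join(lines) + "\n"


def split_directive(line):
    """'name value' -> ('name', 'value'); value is '' if absent."""
    parts = line.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


class VulnerableGrubConfig:
    """Pattern from the advisory (simplified): the directive's value is spliced
    into a Python assignment and handed to exec(), so a crafted value runs as
    Python in the parser's process, i.e. in domain 0."""

    directives = {"default": "self.default", "timeout": "self.timeout"}

    def __init__(self):
        self.default = 0
        self.timeout = -1

    def parse(self, text):
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, value = split_directive(line)
            if name in self.directives:
                # Guest data becomes code: a value that closes the quote
                # escapes the string literal and the rest is evaluated.
                exec('%s = r"%s"' % (self.directives[name], value))


def non_negative_int(value):
    """Validator used by the hardened parser: digits only, nothing else."""
    if not value.isdigit():
        raise ValueError("expected a non-negative integer, got %r" % value)
    return int(value)


class HardenedGrubConfig:
    """Hardened form: a fixed table maps directive names to an attribute and a
    validator, the value is never executed, and anything that fails validation
    is recorded as rejected instead of being interpreted."""

    directives = {
        "default": ("default", non_negative_int),
        "timeout": ("timeout", non_negative_int),
    }

    def __init__(self):
        self.default = 0
        self.timeout = -1
        self.rejected = []

    def parse(self, text):
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, value = split_directive(line)
            if name not in self.directives:
                continue  # title/root/kernel handling is out of scope here
            attr, validate = self.directives[name]
            try:
                setattr(self, attr, validate(value))
            except ValueError:
                self.rejected.append(line)


def _fresh_marker_path():
    fd, path = tempfile.mkstemp(prefix="pygrub-demo-")
    os.close(fd)
    os.unlink(path)
    return path


def run_vulnerable():
    """True if parsing the constructed grub.conf ran the payload's shell command."""
    marker = _fresh_marker_path()
    try:
        VulnerableGrubConfig().parse(build_grub_conf(marker))
        return os.path.exists(marker)
    finally:
        if os.path.exists(marker):
            os.unlink(marker)


def run_hardened():
    """(command ran?, rejected lines, parsed timeout) for the hardened parser."""
    marker = _fresh_marker_path()
    cfg = HardenedGrubConfig()
    try:
        cfg.parse(build_grub_conf(marker))
        return os.path.exists(marker), cfg.rejected, cfg.timeout
    finally:
        if os.path.exists(marker):
            os.unlink(marker)


if __name__ == "__main__":
    print("vulnerable parser executed guest command:", run_vulnerable())
    ran, rejected, timeout = run_hardened()
    print("hardened parser executed guest command:", ran)
    print("hardened parser rejected:", rejected, "timeout =", timeout)
```

The statement the vulnerable parser ends up executing for the payload line is `self.default = r""+str(0*os.system("...")) +""`: the leading `"` in the value terminates the empty raw string, `0*os.system(...)` runs the command and contributes nothing to the value, and the trailing `+"` reopens a string so the statement still parses. The hardened parser never reaches that point because the value fails the integer check and is logged as rejected; the lesson is that the fix is not to escape quotes better, but to stop passing guest-supplied text to exec at all.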
- Guest root can escape to domain 0 through grub.conf and pygrub, advisory by Joris van Rantwijk
(mba)