Launchpad has imported 1 comment from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=302801.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2007-09-24T09:06:33+00:00 Mark wrote:

Reported to secur...@redhat.com but was also entered into public bz at
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

...
Pygrub is a Xen utility which emulates the Grub bootloader
such that boot parameters of a guest domain can be configured
from inside that guest domain. Pygrub is distributed with Xen.

When booting a guest domain, pygrub uses Python exec() statements
to process untrusted data from grub.conf.  By crafting a grub.conf
file, the root user in a guest domain can trigger execution of
arbitrary Python code in domain 0.

The offending code is in xen/tools/pygrub/src/GrubConf.py, in lines
such as

  exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from within a guest domain, for example by
modifying /boot/grub/grub.conf and changing the 'default' statement
into something like

  default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute
in domain 0.

Whether this is a security problem depends on how Xen is used.
It definitely is a problem in the case where pygrub is used to boot
a guest domain while system administration of that guest domain
is delegated to an untrusted party.
...

Reply at:
https://bugs.launchpad.net/ubuntu/+source/xen-3.0/+bug/149127/comments/0
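
The exec() pattern described in the report can be replaced by plain attribute assignment. The following is an added example, not part of the original report and not pygrub's own code: it stores grub.conf values with setattr() and validates numeric fields. The class, the keyword table and the sample input are assumptions constructed for illustration.

```python
# Added example, not pygrub's code; all names below are hypothetical.
import re

# Allow-list of grub.conf keywords mapped to attribute names (assumed subset).
COMMANDS = {"default": "default", "timeout": "timeout", "title": "title",
            "root": "root", "kernel": "kernel", "initrd": "initrd"}
INT_FIELDS = {"default", "timeout"}

# Constructed input: the crafted 'default' line quoted in the report, plus two
# ordinary settings. It is only ever handled as a string here.
SAMPLE = ('default "+str(0*os.system(" insert evil command here "))+"\n'
          "timeout=5\n"
          "title Guest\n")


class SafeGrubConf:
    """Parsed settings; guest-supplied text is stored as data, never executed."""

    def __init__(self):
        self.default = 0
        self.timeout = -1
        self.rejected = []  # keywords that were unknown or failed validation

    def set_from_line(self, line):
        # Keyword and argument are separated by whitespace or '='; blank
        # lines, comments and malformed lines do not match and are skipped.
        m = re.match(r"([^\s=#][^\s=]*)[\s=]*(.*)", line.strip())
        if m is None:
            return
        com, arg = m.groups()
        attr = COMMANDS.get(com)
        if attr is None:
            self.rejected.append(com)
            return
        value = arg
        if attr in INT_FIELDS:
            try:
                value = int(arg)
            except ValueError:
                self.rejected.append(com)  # keep the built-in default instead
                return
        # setattr() assigns the value directly; nothing is compiled or evaluated.
        setattr(self, attr, value)


def parse(text):
    conf = SafeGrubConf()
    for line in text.splitlines():
        conf.set_from_line(line)
    return conf
```

With the sample input, the crafted 'default' line fails integer validation and the built-in default of 0 is kept, while the other two settings are stored as plain values.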


** Changed in: fedora
       Status: Fix Committed => Fix Released

** Changed in: fedora
   Importance: Unknown => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/149127

Title:
  Guest root can escape to domain 0 through grub.conf and pygrub
