Also, there was a security issue reported and fixed in xen unstable (CVE-2007-4993). I
just looked inside Solaris xVM and it seems that it hasn't been patched in
build 75 (one month later!). I still have to test if this code is actually
used. This is the link to the patch:
http://xenbits.xensource.com/xen-3.1-testing.hg?rev/e441bb07066c;style=rev%3DCVE
.
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068
When booting a guest domain, pygrub uses Python exec() statements to process
untrusted data from grub.conf. By crafting a grub.conf file, the root user in a
guest domain can trigger execution of arbitrary Python code in domain 0.
The offending code is in tools/pygrub/src/GrubConf.py, in lines such as:

    exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))

This can be exploited from a guest domain, for example by modifying
/boot/grub/grub.conf and changing the 'default' statement into something like:

    default "+str(0*os.system(" insert evil command here "))+"

On the next boot of the guest domain, the evil command will execute in domain
0.
This message posted from opensolaris.org
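
For comparison with the exec() line quoted in the post, here is an added example (not pygrub's code and not the linked patch) of parsing the same global commands as plain data with setattr and a digits-only check for numeric fields. The names COMMANDS, INT_FIELDS, LINE_RE and GrubGlobals are hypothetical, and the sample grub.conf is constructed around the 'default' line from the post.

```python
import re

# Hypothetical command table for this example; not copied from pygrub.
COMMANDS = {"default": "default", "timeout": "timeout",
            "fallback": "fallback", "splashimage": "splash"}
INT_FIELDS = {"default", "timeout", "fallback"}
# grub accepts both "key value" and "key=value".
LINE_RE = re.compile(r"([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


class GrubGlobals:
    """Global grub.conf settings parsed from guest-controlled text."""

    def __init__(self):
        self.default = 0
        self.timeout = -1
        self.fallback = None
        self.splash = None
        self.rejected = []  # (line number, key, raw value) for dom0 logging

    def parse(self, text):
        for lineno, raw in enumerate(text.splitlines(), 1):
            m = LINE_RE.match(raw.strip())
            if m is None:
                continue  # blank line, comment, or bare keyword
            key, value = m.group(1), m.group(2).strip()
            attr = COMMANDS.get(key)
            if attr is None:
                continue  # unknown command: ignored, never interpreted
            if key in INT_FIELDS:
                # Numeric fields accept ASCII digits only; anything else
                # keeps the safe default and is recorded for review.
                if not re.fullmatch(r"[0-9]+", value):
                    self.rejected.append((lineno, key, value))
                    continue
                value = int(value)
            # setattr stores the value as data; no string is ever compiled.
            setattr(self, attr, value)
        return self


# Constructed sample: the 'default' line is the one quoted in the post.
SAMPLE = '''# grub.conf written by the guest
default "+str(0*os.system(" insert evil command here "))+"
timeout=5
splashimage (hd0,0)/grub/"+str(1)+".xpm.gz
'''


def demo():
    return GrubGlobals().parse(SAMPLE)
```

The entries in `rejected` are worth logging in domain 0, since a non-numeric `default` in a guest's grub.conf is unusual.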