[Pkg-xen-devel] [holtmann@redhat.com: Re: [vendor-sec] CVE-2007-0998 HVM guest VNC server allows to compromise host]

Moritz Muehlenhoff jmm at inutil.org
Fri Apr 6 17:35:54 UTC 2007


Hi,
does this affect Debian's xen package?

Cheers,
        Moritz


----- Forwarded message from Marcel Holtmann <holtmann at redhat.com> -----

Subject: Re: [vendor-sec] CVE-2007-0998 HVM guest VNC server allows to
	compromise host
From: Marcel Holtmann <holtmann at redhat.com>
Date: Wed, 14 Mar 2007 17:26:05 +0100

Hi Moritz,

> > a few months back, the VNC server code in QEMU was extended in upstream,
> > adding the 'feature' of monitor access by using Ctrl+Alt+2. The monitor
> > allows you to do such fun commands such as changing the CDROM backing
> > file. Of course there's no validation on what files you map to the CDROM
> > device and the QEMU instances for Xen run as root.
> > 
> > If you have a fully virtualized guest VM running the VNC server, then any
> > user with access to the VNC server can happily enter a monitor command
> > such as
> > 
> >   'change cdrom /etc/passwd'. 
> > 
> > Which will map the /etc/passwd file through to the guest VM as /dev/hdc,
> > read-write. So, aforementioned VNC console user can now login to the
> > guest OS, and by writing to /dev/hdc in the guest, change
> > the /etc/passwd file in the host. This is most certainly not what the
> > host administrator expects when giving access to a guest VM's VNC
> > console.
> > 
> > We assigned CVE-2007-0998 to this issue.
> 
> Thanks, can we consider this public?

yes, it is public. You can find our Bugzilla here:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230295

Regards

Marcel


_______________________________________________
Vendor Security mailing list
Vendor Security at lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec


----- End forwarded message -----
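The forwarded report's point is that the monitor's `change cdrom <file>` command accepts any host path and hands it to a root-owned QEMU process. The following is an added example, not code from this thread, from QEMU or from Xen: it shows the containment check such a handler needs, assuming a hypothetical `image_root` directory that the host administrator designates as the only place guest-attachable media may live. The check canonicalises the request (resolving symlinks) before testing containment and accepts only regular files, so absolute host paths, `..` traversal, symlinks pointing outside the directory and device nodes are all refused.

```python
"""Allow-listing the backing file of a hot-pluggable CDROM device.

Added example, not QEMU or Xen code. `image_root` is a hypothetical
directory that the host administrator designates as the only place
guest-attachable media may live.
"""
import os
import tempfile


def resolve_backing_file(requested: str, image_root: str):
    """Return the canonical path of `requested` if it is a regular file
    inside `image_root`, otherwise None.

    Symlinks are resolved before the containment check, so a link placed
    inside the image directory that points elsewhere is rejected too.
    """
    root = os.path.realpath(image_root)
    # os.path.join discards `root` when `requested` is absolute, so a
    # request such as /etc/passwd is canonicalised as-is and then fails
    # the containment test below.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):  # no devices, directories or dangling links
        return None
    return candidate


def handle_change(command: str, image_root: str):
    """Parse a monitor-style 'change cdrom <file>' line and return the
    resolved backing file, or None if the request is refused."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "change" or parts[1] != "cdrom":
        return None
    return resolve_backing_file(parts[2], image_root)


def demo():
    """Build a constructed image directory and report which requests pass."""
    # Constructed stand-in for a sensitive host file living outside the root.
    outside = tempfile.mkdtemp(prefix="outside-")
    secret = os.path.join(outside, "passwd")
    with open(secret, "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")

    # Constructed image directory holding one legitimate ISO and one
    # symlink that escapes the directory.
    root = tempfile.mkdtemp(prefix="images-")
    iso = os.path.join(root, "guest.iso")
    with open(iso, "wb") as f:
        f.write(b"\x00" * 2048)
    os.symlink(secret, os.path.join(root, "escape.iso"))

    traversal = "../" + os.path.basename(outside) + "/passwd"
    return {
        "legitimate": handle_change("change cdrom guest.iso", root) == os.path.realpath(iso),
        "absolute_host_path": handle_change("change cdrom /etc/passwd", root),
        "dotdot_traversal": handle_change("change cdrom " + traversal, root),
        "symlink_escape": handle_change("change cdrom escape.iso", root),
        "device_node": handle_change("change cdrom /dev/null", root),
        "malformed": handle_change("change cdrom", root),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'refused'}")
```

Only the legitimate request resolves to a path; every other entry in the result is `None`. The same containment-after-canonicalisation pattern applies to any administrative command that lets a less-trusted console user name a host file.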


