[Pkg-xen-devel] [holtmann@redhat.com: Re: [vendor-sec]
CVE-2007-0998 HVM guest VNC server allows to compromise host]
Moritz Muehlenhoff
jmm at inutil.org
Fri Apr 6 17:35:54 UTC 2007
Hi,
does this affect Debian's xen package?
Cheers,
Moritz
----- Forwarded message from Marcel Holtmann <holtmann at redhat.com> -----
Subject: Re: [vendor-sec] CVE-2007-0998 HVM guest VNC server allows to
compromise host
From: Marcel Holtmann <holtmann at redhat.com>
Date: Wed, 14 Mar 2007 17:26:05 +0100
Hi Moritz,
> > a few months back, the VNC server code in QEMU was extended in upstream,
> > adding the 'feature' of monitor access by using Ctrl+Alt+2. The monitor
> > allows you to do such fun commands such as changing the CDROM backing
> > file. Of course there's no validation on what files you map to the CDROM
> > device and the QEMU instances for Xen run as root.
> >
> > If you have a fully virtualized guest VM running the VNC server, then any
> > user with access to the VNC server can happily enter a monitor command
> > such as
> >
> > 'change cdrom /etc/passwd'.
> >
> > Which will map the /etc/passwd file through to the guest VM as /dev/hdc,
> > read-write. So, aforementioned VNC console user can now login to the
> > guest OS, and by writing to /dev/hdc in the guest, change
> > the /etc/passwd file in the host. This is most certainly not what the
> > host administrator expects when giving access to a guest VM's VNC
> > console.
> >
> > We assigned CVE-2007-0998 to this issue.
>
> Thanks, can we consider this public?
yes, it is public. You can find our Bugzilla here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230295
Regards
Marcel
_______________________________________________
Vendor Security mailing list
Vendor Security at lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
----- End forwarded message -----
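
The forwarded report notes that the monitor performs no validation on the file mapped to the CDROM device. The following is an added example, not part of the thread and not the upstream fix for CVE-2007-0998: a C sketch of the kind of path check that is missing, confining a requested backing file to one image directory. The function name `media_path_allowed` and the directory `/var/lib/xen/images` are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() under strict -std= modes */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper: return 1 only if `path` resolves to a regular file
 * located inside `allowed_dir`, otherwise 0. realpath() collapses ".."
 * components and symlinks before the comparison is made. */
int media_path_allowed(const char *path, const char *allowed_dir)
{
    char real[PATH_MAX], base[PATH_MAX];
    struct stat st;
    size_t n;

    if (!path || !allowed_dir)
        return 0;
    if (!realpath(allowed_dir, base) || !realpath(path, real))
        return 0;               /* missing file or directory: refuse */
    n = strlen(base);
    if (n == 1 && base[0] == '/')
        return 0;               /* "/" as image directory would allow everything */
    /* Require base + '/' as prefix so a sibling such as "<base>-other"
     * does not pass a plain prefix match. */
    if (strncmp(real, base, n) != 0 || real[n] != '/')
        return 0;
    if (stat(real, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;               /* no directories, devices, FIFOs */
    /* This is validation only: the caller must still open the resolved
     * path and fstat() the descriptor, since the file can change between
     * this check and the open. */
    return 1;
}

int main(void)
{
    /* Constructed input: the path from the report, checked against an
     * assumed image directory. */
    printf("%d\n", media_path_allowed("/etc/passwd", "/var/lib/xen/images"));
    return 0;
}
```

A check like this limits which host files a monitor command can attach; it does not address the device model running as root, which the report also points out.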