From: "Daniel P. Berrange" <berrange@redhat.com>
To: xen-devel@lists.xensource.com
Subject: PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
Date: Mon, 19 Mar 2007 20:25:28 +0000
Message-ID: <20070319202528.GI17442@redhat.com>

[-- Attachment #1: Type: text/plain, Size: 2612 bytes --]

This patch fixes a security issue present in any Xen 3.0.3 or later when
the VNC server is enabled for a HVM guest.

cf CVE-2007-0998 / the RHEL-5 security errata:

   http://rhn.redhat.com/errata/RHSA-2007-0114.html

The VNC server for HVM guests allows the VNC client to press Ctrl+Alt+2
to switch into the QEMU monitor console. From there a user can map an
arbitrary file from the Dom0 host through to the guest as a cdrom device.
This file is mapped with full read-write privileges so writes to /dev/hdc
in the guest will change the file in the underlying Dom0 host.

So since qemu-dm processes run as root on Dom0, any unprivileged user with
access to a VNC console for a HVM guest can compromise the Dom0 OS. The VNC
password protection offers minimal protection against this problem since it is
trivially brute forced, although at least XenD is set up to restrict VNC to 127.0.0.1
out of the box. So it is a local-root exploit in out of box config, but is
potentially a remote-root exploit if the admin changed VNC to listen on the
public IP address.

There is no compelling reason to provide access to the QEMU monitor console.
The XenD APIs already allow a user to determine config of a guest VM. The
often quoted use case is to allow changing of the CDROM backing file during
guest installs. This can already be done by root using xenstore-write to
change the file associated with the VDB in xenstore, so QEMU monitor access
is not actually needed. Long term I anticipate XenD itself will have to 
take ownership of the QEMU monitor console connection, since upstream QEMU 
is increasingly providing monitor commands as the primary way for management 
tools to control the VM on the fly. 

The attached patch disables the key code handling the magic Ctrl+Alt+2
sequence used to activate the monitor. The code is now only enabled if
the top level Xen Makefile variable 'debug' is set to 'y' - it defaults
to 'n' so regular production builds will remove access to the QEMU monitor,
while developers can still access it if required for debugging purposes.

This is effectively disabling the code added in changeset:

     10742:3e07ec30c44538e7ea55b0da2cb2624036481fc3

Along with a few other minor alterations to the added code.

 Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

[-- Attachment #2: xen-vnc-monitor-export.patch --]
[-- Type: text/plain, Size: 1513 bytes --]

diff -r f40bd358129a tools/ioemu/Makefile.target
--- a/tools/ioemu/Makefile.target	Sat Mar 17 16:56:39 2007 +0000
+++ b/tools/ioemu/Makefile.target	Mon Mar 19 14:13:35 2007 -0400
@@ -193,6 +193,10 @@ LIBS+=-lsocket -lnsl -lresolv
 LIBS+=-lsocket -lnsl -lresolv
 endif
 
+ifeq ($(debug),y)
+CFLAGS += -DQEMU_VNC_MONITOR_EXPORT
+endif
+
 # profiling code
 ifdef TARGET_GPROF
 LDFLAGS+=-p
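
Review bot: Gating on the generic `debug` variable in `ifeq ($(debug),y)` means every debug build of qemu-dm re-enables the monitor over VNC, so a debug build that ends up on a real host is exposed to CVE-2007-0998 again. Consider a dedicated opt-in variable for `-DQEMU_VNC_MONITOR_EXPORT` that stays off independently of `debug`, and add a comment above the block saying what the define exposes and why it must be off in production.
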
diff -r f40bd358129a tools/ioemu/vnc.c
--- a/tools/ioemu/vnc.c	Sat Mar 17 16:56:39 2007 +0000
+++ b/tools/ioemu/vnc.c	Mon Mar 19 14:54:19 2007 -0400
@@ -113,8 +113,10 @@ struct VncState
     int visible_w;
     int visible_h;
 
+#ifdef QEMU_VNC_MONITOR_EXPORT
     int ctl_keys;               /* Ctrl+Alt starts calibration */
     int shift_keys;             /* Shift / CapsLock keys */
+#endif
     int numlock;
 };
 
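
Review bot: Putting `ctl_keys` and `shift_keys` under `#ifdef QEMU_VNC_MONITOR_EXPORT` inside struct VncState makes the struct layout differ between builds and turns any reference to these fields outside a matching guard into a compile error when the define is absent, so please confirm that a build without the define compiles cleanly. The comment on `ctl_keys` still reads "Ctrl+Alt starts calibration"; now that the field exists only under the monitor export guard, the comment should say what the field is actually used for.
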
@@ -895,6 +897,7 @@ static void do_key_event(VncState *vs, i
 	    kbd_put_keycode(keycode & 0x7f);
 	else
 	    kbd_put_keycode(keycode | 0x80);
+#ifdef QEMU_VNC_MONITOR_EXPORT
     } else if (down) {
 	int qemu_keysym = 0;
 
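
Review bot: The `#ifdef QEMU_VNC_MONITOR_EXPORT` opens directly in front of `} else if (down) {`, so the guard starts in the middle of an if/else chain and the braces only balance if the matching `#endif` lands before the final `}` of that chain. That is easy to break in a later edit; consider closing the first branch unconditionally and guarding a self-contained `else if` block instead. A one-line comment at the guard pointing to CVE-2007-0998 would also keep the reason visible in the source.
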
@@ -922,8 +925,10 @@ static void do_key_event(VncState *vs, i
 	}
 	if (qemu_keysym != 0)
 	    kbd_put_keysym(qemu_keysym);
-    }
-
+#endif
+    }
+
+#ifdef QEMU_VNC_MONITOR_EXPORT
     if (down) {
 	switch (sym) {
 	case XK_Control_L:
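
Review bot: The `}` and the blank line after it are removed and re-added with no visible difference around the new `#endif`, which points to a whitespace-only change; drop that churn so the hunk adds only the `#endif` and the second `#ifdef QEMU_VNC_MONITOR_EXPORT`. Since one guarded region ends just before the `}` and the next begins right after it, a trailing comment on each `#endif` naming the macro would make the pairing easier to follow.
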
@@ -976,6 +981,10 @@ static void do_key_event(VncState *vs, i
 	    break;
 	}
     }
+#else
+    if (!down && sym == XK_Num_Lock)
+        vs->numlock = !vs->numlock;
+#endif
 }
 
 static void key_event(VncState *vs, int down, uint32_t sym)
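
Review bot: The new `#else` branch flips `vs->numlock` on release of `XK_Num_Lock`, which duplicates state handling that builds with QEMU_VNC_MONITOR_EXPORT have to get from the guarded `switch (sym)` block; that code is not visible in this hunk, so please confirm both builds toggle on the same event. It would be cleaner to move the NumLock tracking out of the guarded region so there is a single copy, leaving only the monitor key handling under the `#ifdef`.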
