From mboxrd@z Thu Jan 1 00:00:00 1970 
From: "Daniel P. Berrange"
Subject: PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
Date: Mon, 19 Mar 2007 20:25:28 +0000
Message-ID: <20070319202528.GI17442@redhat.com>
Reply-To: "Daniel P. Berrange"
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="LyciRD1jyfeSSjG0"
Content-Disposition: inline
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

--LyciRD1jyfeSSjG0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

This patch fixes a security issue present in any Xen 3.0.3 or later when
the VNC server is enabled for a HVM guest. cf CVE-2007-0998 / the RHEL-5
security errata:

  http://rhn.redhat.com/errata/RHSA-2007-0114.html

The VNC server for HVM guests allows the VNC client to press Ctrl+Alt+2
to switch into the QEMU monitor console. From there a user can map an
arbitrary file from the Dom0 host through to the guest as a cdrom device.
This file is mapped with full read-write privileges so writes to /dev/hdc
in the guest will change the file in the underlying Dom0 host. So since
qemu-dm processes run as root on Dom0, any unprivileged user with access
to a VNC console for a HVM guest can compromise the Dom0 OS.

The VNC password protection offers minimal protection against this
problem since it is trivially brute forced, although at least XenD is set
up to restrict VNC to 127.0.0.1 out of the box. So it is a local-root
exploit in out of box config, but is potentially a remote-root exploit if
the admin changed VNC to listen on the public IP address.

There is no compelling reason to provide access to the QEMU monitor
console. The XenD APIs already allow a user to determine config of a
guest VM. The often quoted use case is to allow changing of the CDROM
backing file during guest installs.
This can already be done by root using xenstore-write to change the file
associated with the VBD in xenstore, so QEMU monitor access is not
actually needed.

Long term I anticipate XenD itself will have to take ownership of the
QEMU monitor console connection, since upstream QEMU is increasingly
providing monitor commands as the primary way for management tools to
control the VM on the fly.

The attached patch disables the key code handling the magic Ctrl+Alt+2
sequence used to activate the monitor. The code is now only enabled if
the top level Xen Makefile variable 'debug' is set to 'y' - it defaults
to 'n' so regular production builds will remove access to the QEMU
monitor, while developers can still access if required for debugging
purposes.

This is effectively disabling the code added in changeset:

  10742:3e07ec30c44538e7ea55b0da2cb2624036481fc3

Along with a few other minor alterations to the added code.

Signed-off-by: Daniel P. Berrange

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

--LyciRD1jyfeSSjG0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="xen-vnc-monitor-export.patch"

diff -r f40bd358129a tools/ioemu/Makefile.target --- a/tools/ioemu/Makefile.target Sat Mar 17 16:56:39 2007 +0000 +++ b/tools/ioemu/Makefile.target Mon Mar 19 14:13:35 2007 -0400 @@ -193,6 +193,10 @@ LIBS+=-lsocket -lnsl -lresolv LIBS+=-lsocket -lnsl -lresolv endif +ifeq ($(debug),y) +CFLAGS += -DQEMU_VNC_MONITOR_EXPORT +endif + # profiling code ifdef TARGET_GPROF LDFLAGS+=-p diff -r f40bd358129a tools/ioemu/vnc.c --- a/tools/ioemu/vnc.c Sat Mar 17 16:56:39 2007 +0000 +++ b/tools/ioemu/vnc.c Mon Mar 19 14:54:19 2007 -0400
@@ -113,8 +113,10 @@ struct VncState int visible_w; int visible_h; +#ifdef QEMU_VNC_MONITOR_EXPORT int ctl_keys; /* Ctrl+Alt starts calibration */ int shift_keys; /* Shift / CapsLock keys */ +#endif int numlock; }; @@ -895,6 +897,7 @@ static void do_key_event(VncState *vs, i kbd_put_keycode(keycode & 0x7f); else kbd_put_keycode(keycode | 0x80); +#ifdef QEMU_VNC_MONITOR_EXPORT } else if (down) { int qemu_keysym = 0; @@ -922,8 +925,10 @@ static void do_key_event(VncState *vs, i } if (qemu_keysym != 0) kbd_put_keysym(qemu_keysym); - } - +#endif + } + +#ifdef QEMU_VNC_MONITOR_EXPORT if (down) { switch (sym) { case XK_Control_L: @@ -976,6 +981,10 @@ static void do_key_event(VncState *vs, i break; } } +#else + if (!down && sym == XK_Num_Lock) + vs->numlock = !vs->numlock; +#endif } static void key_event(VncState *vs, int down, uint32_t sym) --LyciRD1jyfeSSjG0 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --LyciRD1jyfeSSjG0--
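
Review bot: In the tools/ioemu/Makefile.target hunk (@@ -193,6 +193,10 @@), 'ifeq ($(debug),y)' ties the VNC monitor hotkey to the general-purpose top level 'debug' switch, so anyone who builds with debug=y for unrelated troubleshooting also produces a qemu-dm that exposes the monitor over VNC. A dedicated, explicitly named build variable for this, plus a comment beside the 'CFLAGS += -DQEMU_VNC_MONITOR_EXPORT' line stating that it re-opens CVE-2007-0998, would make re-enabling monitor access a deliberate choice rather than a side effect.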
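
Review bot: In the vnc.c hunk at @@ -922,8 +925,10 @@, the new '#endif' lands just before the closing '}', while its matching '#ifdef QEMU_VNC_MONITOR_EXPORT' from the previous hunk sits in front of '} else if (down) {', so that one brace closes a different block depending on whether the macro is defined. It compiles either way, but unbalanced braces inside a conditional region are hard to audit in a security fix; moving the keysym branch into a small helper that is compiled conditionally, or guarding whole brace-balanced blocks, would make both build variants readable on their own.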
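
Review bot: In the last vnc.c hunk (@@ -976,6 +981,10 @@), the '#else' branch adds a separate Num Lock toggle, 'if (!down && sym == XK_Num_Lock) vs->numlock = !vs->numlock;', which is compiled only when QEMU_VNC_MONITOR_EXPORT is undefined, so the path production builds run is never built in the debug configuration developers use. Keeping the numlock tracking outside the conditional and shared by both builds, and leaving only the Ctrl+Alt handling under the macro, would stop the two paths from drifting apart.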