Xen Security Advisory 198 (CVE-2016-9379, CVE-2016-9380) - delimiter injection vulnerabilities in pygrub

Xen Security Advisory 198 (CVE-2016-9379, CVE-2016-9380) - delimiter injection vulnerabilities in pygrub

[Xen.org security team]

[-- Attachment #1: Type: text/plain, Size: 4816 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Xen Security Advisory CVE-2016-9379,CVE-2016-9380 / XSA-198
                              version 3

             delimiter injection vulnerabilities in pygrub

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

pygrub, the boot loader emulator, fails to quote (or sanity check) its
results when reporting them to its caller.

pygrub supports a number of output formats.  When the S-expression
output format is requested, putting string quotes and S-expressions in
the bootloader configuration file can produce incorrect output.
(CVE-2016-9379)

When the nul-delimited output format is requested, nul bytes in the
bootloader configuration file can produce an ambiguous or confusing
output file, which is interpreted by libxl in a vulnerable way.
(CVE-2016-9380)

The existing bootloader config interpreters all read input in a
line-based way from their bootloaders, and none of them support any
kind of escaping.  So the newline-delimited output format is safe.

The attacker can use this to cause the toolstack to treat any file
accessible to the toolstack as if it were the guest's initial ramdisk
file.  The file contents are provided to the guest kernel; also,
normally, these files are deleted by the toolstack as the guest starts
to boot; alternatively they may be deleted later.

IMPACT
======

A malicious guest administrator can obtain the contents of sensitive
host files (an information leak).

Additionally, a malicious guest administrator can cause files on the
host to be removed, causing a denial of service.  In some unusual host
configurations, ability to remove certain files may be useable for
privilege escalation.


VULNERABLE SYSTEMS
==================

Xen versions 2.0 and later are vulnerable.

The vulnerability is only exposed to guests configured by the host
administrator to boot using pygrub.  In the xl and xm domain
configuration file, this is typically achieved with
   bootloader="pygrub"
On x86 this would typically apply only to PV domains.

All systems using xl, libxl, or libvirt are vulnerable to pygrub-using
guests.

Systems using other (third-party) toolstacks may or may not be
vulnerable, depending on whether pygrub is configured, and what pygrub
output format they use.  Please consult your toolstack provider.


MITIGATION
==========

Configuring guests not to use pygrub will avoid the vulnerability.

For x86 PV guests currently using pygrub, booting the guest as HVM
is often a practical option to avoid pygrub.


CREDITS
=======

This issue was discovered by Daniel Richman and Gábor Szarka of
the Cambridge University Student-Run Computing Facility.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa198.patch           All Xen versions (at least Xen 4.4 and later)

$ sha256sum xsa198*
0e4533ad2157c03ab309bd12a54f5ff325f03edbe97f23c60a16a3f378c75eae  xsa198.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


Deployment of the mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because switching away from the use of pygrub would reveal
where the vulnerability lies.

Deployment of mitigations is permitted only AFTER the embargo ends.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYNDN4AAoJEIP+FMlX6CvZX8AH/1FL3pw4RbbuFd/b23Qmo25U
F7qELx001C4C+uXtlxaIg6MT467pRphihSkLcLQ2vgIp57iVTXhufc4TVqhdADgp
bL3h1zd7Ot4f+iA5RYlGIJ4is3I2A6lNvLwydi2PIGgmalSad5B3Ed0vrvRwfLKY
qpsVm0LrM24aFX2IaygmmziQIQVeXSYpmKmVebOEAFL0uj9g8D3VhgWIMtZxW+9K
A6c2NTrt01ZbsVRx2wTcRdRhEJLeFbBZOPS9RrbjJzbuFcAzsGR8m/pS4hJBhik/
9MG4b7FBMYZTaBd4wcbbHM81py1KkcoreC2jL1qb1JMG7BQVP1USdz21rJ05DY8=
=P2XT
-----END PGP SIGNATURE-----

[-- Attachment #2: xsa198.patch --]
[-- Type: application/octet-stream, Size: 2189 bytes --]

From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Thu, 3 Nov 2016 16:37:40 +0000
Subject: [PATCH] pygrub: Properly quote results, when returning them to the
 caller:

* When the caller wants sexpr output, use `repr()'
  This is what Xend expects.

  The returned S-expressions are now escaped and quoted by Python,
  generally using '...'.  Previously kernel and ramdisk were unquoted
  and args was quoted with "..." but without proper escaping.  This
  change may break toolstacks which do not properly dequote the
  returned S-expressions.

* When the caller wants "simple" output, crash if the delimiter is
  contained in the returned value.

  With --output-format=simple it does not seem like this could ever
  happen, because the bootloader config parsers all take line-based
  input from the various bootloader config files.

  With --output-format=simple0, this can happen if the bootloader
  config file contains nul bytes.

This is XSA-198.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
 tools/pygrub/src/pygrub | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 40f9584..dd0c8f7 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -721,14 +721,17 @@ def sniff_netware(fs, cfg):
     return cfg
 
 def format_sxp(kernel, ramdisk, args):
-    s = "linux (kernel %s)" % kernel
+    s = "linux (kernel %s)" % repr(kernel)
     if ramdisk:
-        s += "(ramdisk %s)" % ramdisk
+        s += "(ramdisk %s)" % repr(ramdisk)
     if args:
-        s += "(args \"%s\")" % args
+        s += "(args %s)" % repr(args)
     return s
                 
 def format_simple(kernel, ramdisk, args, sep):
+    for check in (kernel, ramdisk, args):
+        if check is not None and sep in check:
+            raise RuntimeError, "simple format cannot represent delimiter-containing value"
     s = ("kernel %s" % kernel) + sep
     if ramdisk:
         s += ("ramdisk %s" % ramdisk) + sep
-- 
2.1.4


[-- Attachment #3: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel