Vigil@nce - Xen: file reading via qemu-nbd
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the host system uses the autodetection of qemu-nbd, an
administrator located in a guest system can read files of the host
system.
– Impacted products: Fedora, Unix (platform)
– Severity: 2/4
– Creation date: 15/04/2013
DESCRIPTION OF THE VULNERABILITY
The Xen qemu-nbd (qemu-nbd-xen) command starts a daemon on the
host system. It exports an image for its guests:
qemu-nbd -c /dev/nbd0 image.img
A guest system can then mount a partition of this image:
mount /dev/nbd0p1 /mnt
By default, the qemu-nbd command autodetects the image format. An
administrator located in a guest system can therefore change the
format of this image (with "qemu-img create"), and wait for a
system restart, so the new format is detected by qemu-nbd, and
then accessible via NBD (Network Block Device).
So, if the guest administrator chooses the qcow2 format based on a
file (backing_file) such as /etc/shadow, he can read the password
file of the host system.
When the host system uses the autodetection of qemu-nbd, an
administrator located in a guest system can therefore read files
of the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-file-reading-via-qemu-nbd-12676