Vigil@nce: Xen, bypassing password via PyGrub
September 2009 by Vigil@nce
The PyGrub utility of Xen does not check if a password is required
to edit the boot configuration of Grub.
– Severity: 1/4
– Consequences: administrator access/rights
– Provenance: user console
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 28/09/2009
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Grub program is installed on the first sector of the hard
disk, in order to start the system. The PyGrub program emulates
the behaviour of Grub for Xen.
The Grub configuration file can contain a password, which is
required to start the system.
However, when PyGrub is used, this password does not prevent a
local attacker from editing the startup menu. An attacker can for
example alter the kernel startup line, in order to start it in
single mode.
An attacker, with an access to the console, can thus obtain root
privileges on the system.
CHARACTERISTICS
– Identifiers: 525740, BID-36523, VIGILANCE-VUL-9051
– Url: http://vigilance.fr/vulnerability/Xen-bypassing-password-via-PyGrub-9051