Vigil@nce: Xen, file corruption via qemu-dm.debug
January 2009 by Vigil@nce
When the administrator uses qemu-dm.debug, a local attacker can
force a file corruption.
– Gravity: 1/4
– Consequences: data creation/edition
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: low (1/3)
– Creation date: 19/01/2009
IMPACTED PRODUCTS
– Mandriva Corporate
– Red Hat Enterprise Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The qemu-dm.debug script is provided with Xen, but is not
installed by default. It is used to start /usr/$LIBDIR/xen/bin/qemu-dm.
Parameters given to qemu-dm are saved in the /tmp/args file.
However, a local attacker can create a symbolic link pointing from
/tmp/args to a file to corrupt. This file will then be altered
during qemu-dm.debug execution.
A local attacker can therefore force the corruption of files with
rights of users of qemu-dm.debug.
CHARACTERISTICS
– Identifiers: CVE-2008-4993, MDVSA-2009:016, RHSA-2009:0003-01,
VIGILANCE-VUL-8403
– Url: http://vigilance.fr/vulnerability/Xen-file-corruption-via-qemu-dm-debug-8403