[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [oxenstored]Guest users could get the VM count and domids on the host



On Tue, Jul 12, 2016 at 4:35 AM, Sunguodong <sunguodong@xxxxxxxxxx> wrote:
> Hi all,
>
> I found a problem in oxenstored, which may be a security issue:
> Guest users could get the VM count and domids on the host by a sniffing 
> method.
>
> You can reproduce it like this:
> (1) Create a VM, e.g. CentOS 7.0 64bit
> (2) Install xen tools in VM, excute cmds:
>     yum install centos-release-xen; yum install
> (3) Use xenstore-ls to sniff, excute cmds:
>     for((i=1;i<=1000;i++));do `xenstore-ls /local/domain/$i 1>>1.txt 
> 2>>2.txt`; done
>     then check 2.txt, speculate according the error message. example:
>         xenstore-ls: xs_directory (/local/domain/17): No such file or 
> directory
>                 ---which means dom 17 does not exist
>         xenstore-ls: xs_directory (/local/domain/19): Permission denied
>                 ---which means dom 19 exists
>     Count the number of "Permission denied" and we get the VM count on the 
> host.
>
> I tried xen-4.2 and xen-4.6, same result with above.
>
> But when I use c-xenstored on xen-4.2, all error messages are "Permission 
> denied",
> so there is no way to get any info about other domains on the host.
>
> In func "get_node" of c-xenstored, it will clean up the errno before return:
>         /* Clean up errno if they weren't supposed to know. */
>         if (!node)
>                 errno = errno_from_parents(conn, name, errno, perm);
>         return node;
> but in oxenstored, there is no such code like this. So, I think this part was 
> missed
> when we upgraded c-xenstored to oxenstored.
>
> Please confirm.
>
> Looking forward to your reply, thank you!

Sundong,

Thanks for your report.  At the moment there are actually a fairly large
number of ways to discover active domain IDs through hypercalls as well.
So we will not be treating this as a critical vulnerability.

However, it's always better to make life harder for attackers, so I'm
sure a patch to change oxenstored's behavior would be welcome.
Otherwise, we'll be putting this on a list of improvements to make at
some point.

Also, for future reference, if you find what you think may be a security
vulnerability, please report it directly to the XenProject Securty Team
at security@xxxxxxxxxxxxxx -- even if you're not sure that it is a
vulnerability yet.  Part of our job is to help figure out if there
really is a vulnerability or not.

Thanks,
 - The XenProject Security Team

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.