[libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file
10:57 p.m.
I found there's a way for a unprivileged user to overwrite sensitive
system file with virsh, here's how:
1. (as an unprivileged user) start virsh and connect to the r/w socket
of libvirtd:
virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
2. start a guest, then issue 'save' or 'dump' command, giving a
sensitive system file path as the <file> parameter, for example,
'/etc/passwd';
3. the sensitive system file will be overwritten;
Attached is a test log. I'm using libvirt-0.8.7 on a OpenClient for RHEL
6.1. And latest libvirt code shows the same symptom.
BTW, virsh expands the <file> parameter in step to an absolute path if
user-provided is not, and libvirtd interprets it as a local file. IMHO
it does not look quite right, especially when the virsh-to-libvirtd
connection is remote.
--
Thanks.
Hong Xiang
1:29 a.m.
On 10/12/2011 11:57 AM, Hong Xiang wrote:
[hxiang@T420 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Workstation release 6.1 (Santiago)
[hxiang@T420 ~]$ cat /etc/openclient-release
Open Client RHEL 64 3.10 (Gold Master)
[hxiang@T420 ~]$ libvirtd --version
libvirtd (libvirt) 0.8.7
[hxiang@T420 ~]$ virsh -V
Virsh command line tool of libvirt 0.8.7
See web site athttp://libvirt.org/
Compiled with support for:
Hypervisors: QEmu/KVM LXC ESX Test
Networking: Remote Daemon Network Bridging Netcf Nwfilter VirtualPort
Storage: Dir Disk Filesystem SCSI Multipath iSCSI LVM
Miscellaneous: SELinux Secrets Debug DTrace Readline
[hxiang@T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.1
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.2
[hxiang@T420 ~]$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh # start fc15
^_ _ _ it seems you're using privileged user
to login
virsh, I remembered that it should be
"virsh >" not "virsh #" when use unprivileged user, I assume you
hadn't
any modification in libvirtd.conf, in addition, for unprivileged user,
as usual, libvirt will raise the following information if you're trying
to connect hypervisor:
Tested it on libvirt-0.8.2-22.el5:
$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
--readonly
error: unable to connect to '/var/run/libvirt/libvirt-sock', libvirtd
may need to be started: Permission denied
error: failed to connect to the hypervisor
Tested it on libvirt-0.9.4-16.el6.x86_64:
$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
--readonly
error: authentication failed: authentication failed
error: failed to connect to the hypervisor
Regards,
Alex
Domain fc15 started
virsh # dump fc15 /etc/precious.1
Domain fc15 dumped to /etc/precious.1
virsh # save fc15 /etc/precious.2
Domain fc15 saved to /etc/precious.2
virsh #
[hxiang@T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 253777159 Oct 12 11:42 /etc/precious.1
-rw-r--r--. 1 root root 257745683 Oct 12 11:42 /etc/precious.2
[hxiang@T420 ~]$
3:22 a.m.
On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
I found there's a way for a unprivileged user to overwrite
sensitive
system file with virsh, here's how:
1. (as an unprivileged user) start virsh and connect to the r/w
socket of libvirtd:
virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.
2. start a guest, then issue 'save' or 'dump'
command, giving a
sensitive system file path as the <file> parameter, for example,
'/etc/passwd';
3. the sensitive system file will be overwritten;
There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:56 p.m.
It turned out that in my environment the user 'hxiang' I was testing
with is in group 'desktop_admin_r' and PolicyKit takes all users in that
group as administrators. That's why I could connect without authentication.
Sorry for the false alarm.
On 10/12/2011 04:22 PM, Daniel P. Berrange wrote:
On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
> I found there's a way for a unprivileged user to overwrite sensitive
> system file with virsh, here's how:
> 1. (as an unprivileged user) start virsh and connect to the r/w
> socket of libvirtd:
> virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.
> 2. start a guest, then issue 'save' or 'dump' command, giving a
> sensitive system file path as the<file> parameter, for example,
> '/etc/passwd';
> 3. the sensitive system file will be overwritten;
There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.
Regards,
Daniel
--
Thanks.
Hong Xiang
4789
days inactive
4790
days old
3 comments
3 participants
participants (3)
-
Alex Jia -
Daniel P. Berrange -
Hong Xiang