A vulnerability has been detected in the Xen virtualisation software that can be exploited by users with root privileges in a guest domain to execute arbitrary commands in domain 0. The problem results from a bug in the tools/pygrub/src/GrubConf.py script, which reads data from the configuration of the Grub boot manager (boot/grub/grub.conf) and sets parameters by passing them to Python's exec statement without proper sanitisation. At the next reboot, a manipulated configuration file can therefore be used to pass commands to the shell via the script running in domain 0, where they are executed. Joris van Rantwijk has published a sample exploit in his Bugzilla entry on Xensource.com to demonstrate the vulnerability:
default "+str(0*os.system(" insert evil command here "))+"
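The flaw class described above, next to a hardened setter, as an added example that is not from the article or from Xen's code. `UnsafeConf` is an assumed simplification of the exec-based pattern; `SafeConf`, `ALLOWED`, `split_line` and `probe` are hypothetical names, and the hostile line is a constructed sample with a harmless call in place of the command.

```python
import re

CALLS = []  # records whether configuration text was executed as code

def probe():
    """Harmless stand-in for the command call in the published sample."""
    CALLS.append("executed")
    return 0

def split_line(line):
    """Split 'key value' or 'key=value' as found in grub.conf."""
    m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$", line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    return m.group(1), m.group(2)

class UnsafeConf:
    """Assumed simplification of the flaw: the value is pasted into exec."""
    default = "0"
    def set_from_line(self, line):
        key, value = split_line(line)
        exec('self.%s = "%s"' % (key, value))  # guest data becomes code

def _index(value):
    """Accept only a short decimal number such as a menu index."""
    if not re.fullmatch(r"[0-9]{1,3}", value):
        raise ValueError("not a number: %r" % value)
    return int(value)

# Hypothetical allow-list: directive name -> validator/converter
ALLOWED = {"default": _index, "timeout": _index, "title": str}

class SafeConf:
    """Hardened form: known directives only, values validated, no exec."""
    default = 0
    def set_from_line(self, line):
        key, value = split_line(line)
        if key not in ALLOWED:
            raise ValueError("unknown directive: %r" % key)
        setattr(self, key, ALLOWED[key](value))  # data stays data

# Constructed sample with the same shape as the published line.
HOSTILE = 'default "+str(0*probe())+"'
```

Feeding `HOSTILE` to `UnsafeConf().set_from_line` runs `probe()` while parsing; `SafeConf` raises `ValueError` on the same line and never evaluates it.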