Monday, May 18, 2009

MiTM on VMware Server

Since a little more than year I've been researching on virtualization security, focusing on "real" issues - not the low level stuff which is unlikely to ever turn into an exploit in the real world.
Finally the company I work for rolled out a virtualization security service and people are releasing actual attacks on such infrastructures and it's time to join the party.

I'll start by releasing a very simple tool which is able to perform MITM against VMware Server Console. Isn't that trivial, you might wonder?
Well, as a matter of fact the tool is very simple and error prone: this alpha version is little more than a loop with a couple of connect which was first sketched by Snagg and which I then finished with my non-existant Python coding skills.

But, actually, there are a couple of facts which make this tool interesting.

Fact 1: VMware console will not check for the SSL certificate and won't even warn the user about a wrong certificate. Bad, very bad.

Fact 2: Most SSL MiTM tools will just fail in working with VMware Console since before the SSL connection is enstablished, an unencrypted line is sent through the socket in plaintext, effectively crashing any tool I know about.

Fact 3: The password is not actually sent in cleartext through the pipe. More on this in future posts.

You can grab the alchemic python solution here, but keep in mind that it is mightly unstable in the current version.

2 comments: