So this is a *really* old blog post that I wrote a while back when I discovered, or at least so I believed, an XXE bug in the VMware vSphere client. I reported this to the VMware security team but they were not able to reproduce the part where you would use a UNC path to try and steal the credentials of an user. I then got busy and never continued to investigate why they were not able to reproduce it. Since the vSphere client is being replaced by a web client I decided it couldn’t hurt to release this old post, also the likely hood of this being exploited is pretty low.
Curiosity (from Latincuriosus “careful, diligent, curious,” akin to cura “care”) is a quality related to inquisitive thinking such as exploration, investigation, and learning, evident by observation in human and many animal species. (Wikipedia)
As always a driving force behind many discoveries, as well as the recent bug I found in the VMware vSphere client (vvc). Not a very interesting bug, yet a fun journey to approach things from a different perspective. After my last post about a portable virtual lab I wondered what the vvc used as a protocol to communicate with the esxi server and if it could contain any bugs. So this time instead of getting out ollydbg I decided to go for a more high-level approach. Let’s see how I poked around and found the XML External Entity (XXE) (pdf) vulnerability in the vvc.
I first looked in the directory of vvc, just to know the type of files that resided there, here is a screenshot:
Logically the file that drew my attention was the config file of which the following settings also seemed like they would come in handy:
Seems like if we want to tinker with the connection a higher time-out would give us more time and a higher verbosity level of logging could help us during the poking around. Enough looking around at this point let’s get more active.
Continue reading “[old] VMware vSphere client XML External Entity attack”
I’ve always wanted like online ‘memo-to-self’ stuff to stop forgetting how to set things up, so I’ve decided to create a category for it. These posts will contain rambling, snippets and links on how to do stuff. Mostly intended for my own use so they won’t contain extensive instructions on every configuration detail.
I’ve always wanted a virtual lab which is easy to bring along and somewhat secure. Just to be clear here are some definitions of the words portable & secure as I see them:
- easy to transfer
- minimum amount of files
- easy to encrypt
- easy to delete
- network segmentation
- central firewall
Secure is a relative term, since it all depends on how much you harden the setup. To achieve the above mentioned points I’ve chosen to use vmware workstation and vmware esxi as the virtualization software. If you ever decide to spend money on software, vmware workstation surely deserves it!
Since this post is partially a little idea on creating a portable lab and partially a reminder for myself, I’ll take a shortcut in explaining how to set it up. Like you all know the internet is full of really nice guides on how to set stuff up, so why duplicate?
Continue reading “Portable (secure) (pen)test virtual lab”
So I took on a new challenge, understanding how to develop your own Master Boot Record (MBR). So how do you start to develop your own bootloader? The first answer that came into mind was the setup of a development environment. No development environment , no bootloader. Actually that’s my thought on every new coding project I undertake. In this blog post I’m going to explain the steps I went through and why I finally choose for a somewhat rather basic development environment. Anyways let’s get started.
p.s. Happy New Year
p.s.2. HACK THE PLANET!!!
Continue reading “Bootloader Development Environment”
Well that’s been a while. I almost forgot my WordPress password. My last post wasn’t really informative so I thought let me just post one of the projects I’m currently working on. It’s far from finished and I doubt if I’ll release it once it’s finished. So for the moment being I’ll only share my alpha POC which should be enough to build upon.
Have you ever had the need to get stuff of vmdk files without using any of the visual VMWARE products? Well I have!! Now luckily VMWARE also has detected that there are a lot of people with that need and they have released an excellent API the Virtual Disk Development Kit 1.1. Now that stuff is sexy, quote from it’s website:
The Virtual Disk Development Kit (VDDK) is a collection of C libraries, code samples, utilities, and documentation to help you create or access VMware virtual disk storage. The kit includes:
- The Virtual Disk and Disk Mount libraries, a set of C function calls to manipulate virtual disk files.
- C++ code samples that you can build with either Visual Studio or the GNU C compiler.
- The Disk Mount utility to access files and file systems in offline virtual disks on Windows or Linux guest virtual machines.
- Documentation about the VDDK libraries and the command-line utilities.
- The Virtual Disk Manager utility to manipulate offline virtual disk on Windows or Linux (clone, create, relocate, rename, grow, shrink, or defragment).
I assume that after reading the above you’ll also agree that the possibilities are endless. Now let’s get cooking.
Continue reading “Stealing stuff from vmdk files”