Taking VMWare Out In Chunks Made Easy

By Dan Morrill
Article Date: 2008-11-24

About five years ago, I worked with VMWare, and noticed that the VMWare security model worked great when pages were called as one chunk, so if you called the vmCtxMenu.html without a login context the page would come up non-functional.

I also noticed that you could call all the scripts, tags, images, and initiation code in the VMWare software bypassing the security model of VMWare.

One would have thought that they would have fixed this, but a simple Google hack looking for the VMWare console still allows access to all the individual chunks of VMWare scripts, tags, code snippets, pages, and other items from outside the login process.

Honestly, I would have thought they would have fixed this. However, in testing it today, they have not.

This Google hack shows what to look for:

intitle:"VMware Management Interface:" inurl:"vmware/en/"

From there, pull up any of the vmCtxMenu.html pages and go to source view. Once there, you want:

<script src="../src/init.js"></script>
<script src="../src/xuaLib.js"></script>

From there, pulling up the script files offers a lot of information that can be ripped from VMWare to see how it was set up. This bypasses the web interface login model: you do not need to have a cookie set, and you do not need to do anything to get access to these files other than rewrite the URL to grab each script or component of the VMWare system.

When you call the script, rewrite the URL so that the script pulls from vmware/ (drop the /en/), and you can pretty much just grab stuff.

Why is this bad? If there is ever a flaw or a security bug in the script, the script can be called remotely, and if the domain trust is not set right, you can work out ways of injecting your code into the running script. (This is not easy, and would take a very good hacker to do.) It also exposes some of the methods of how VMWare works, and this is not something you want people to be able to do on your external interface. Honestly, no one should ever be able to just march in off the internet and get to the VMWare console; this is bad security.

This can also lead to other issues if there is a way to force the password, or lock up the password login system for the host OS. Exposing the login screen also allows for testing to see if anyone changed it from the defaults. Again, not something you want to see on your external interface where anyone on the internet can get into it.

Run the Google hack; make sure that your VMWare systems are not exposed on the internet. If they are, work out a point-to-point VPN system to protect your inner systems. It is just bad security to have your Virtual Machines exposed like this, especially when people can start doing things and start mucking about in the file system of the VMWare HTTP system.
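To go with the check recommended above, here is an added example (not code from the original article) that an administrator can point at their own management host: it reads the script references out of a saved copy of vmCtxMenu.html, requests each one with no cookie or login, and reports which are served anyway. The host name, the page location under vmware/en/ and the sample responses are constructed assumptions; a redirect to a login page is counted as protected rather than exposed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin
import urllib.error
import urllib.request

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def fetch_no_session(url, timeout=5):
    """GET with no cookie or auth header. Returns (status, final_url, size)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.geturl(), len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, url, 0

def audit(page_url, page_html, fetch=fetch_no_session):
    """Returns [(url, status, exposed)] for each script the page references."""
    parser = ScriptSrcParser()
    parser.feed(page_html)
    findings = []
    for src in parser.srcs:
        url = urljoin(page_url, src)  # resolves ../src/ against the page URL
        status, final_url, size = fetch(url)
        # Exposed = content returned at the requested URL without a session.
        exposed = status == 200 and final_url == url and size > 0
        findings.append((url, status, exposed))
    return findings

# Constructed sample data: hypothetical host, assumed page location.
PAGE_URL = "https://mgmt.example.internal/vmware/en/vmCtxMenu.html"
SAMPLE_HTML = ('<html><head><script src="../src/init.js"></script>'
               '<script src="../src/xuaLib.js"></script></head></html>')

def sample_fetch(url):
    """Offline stand-in: init.js is served, xuaLib.js redirects to a login page."""
    if url.endswith("init.js"):
        return 200, url, 1834
    return 200, "https://mgmt.example.internal/login", 512

if __name__ == "__main__":
    for url, status, exposed in audit(PAGE_URL, SAMPLE_HTML, sample_fetch):
        print("EXPOSED  " if exposed else "protected", status, url)
```

Any line reported as EXPOSED means the file is reachable from wherever the script was run without logging in; run it from outside the network perimeter to test the external interface.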


About the Author:
Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.


