9/15/2023 0 Comments Vmware fusion 11 process nameChecking the VMware Fusion binary it becomes clear that you have other menus with other options. Websocket - infoleakĪfter starting reversion and following the traces what web sockets will call, and what are the other options in the code, it started to be clear that you have full access to the application menu, and you can fully control everything. Also the command will be queued until the user logs in, so even if the screen is locked we will be able to run this command once the user logged in.Īfter some experimentation I noticed that if I remove the object and vmUUID elements, the code execution still happens with the last used VM, so there is some state information saved. You need to have VMware Tools installed on the guest for this to work, but who doesn’t have it? If the VM is suspended or shutted down, VMware will nicely start it for us. The ‘problem’ with this is that you can’t leak the vmUUID and brute forcing it would be practically impossible. The vmUUID is the bios.uuid that you can find in the vmx file. In this POC you need the UUID of the VM to to start an application. If we look at the code it reveals that indeed the VMware Fusion Application Menu will start this amsrv process on port 8698, or if that is busy it will try the next available open and so on. It’s pretty nice that you have the source code available in this file, so we don’t need to do hardcore reverse engineering. If we navigate to /Applications/VMware Fusion.app/Contents/Library/VMware Fusion Applications Menu.app/Contents/Resources we can find a file called app.asar, and at the end of the file there is a node.js implementation related to this websocket that listens on port 8698. As you can control the Application Menu through the amsrv process, I think this is something like “Application Menu Service”. They seem to be related, especially because you can reach some undocumented VMware REST API calls through this port. Pid: 10935 path: /Applications/VMware Fusion.app/Contents/Library/amsrv User: 501 args: ( "/Applications/VMware Fusion.app/Contents/Library/amsrv",Ĩ698 ) 17:17:22.390 procInfoExample process start: Pid: 10936 path: /Applications/VMware Fusion.app/Contents/Library/vmrest 17:17:22.434 procInfoExample process start: When you start VMware both vmrest (VMware REST API) and amsrv will be started: I used ProcInfoExample GitHub - objective-see/ProcInfoExample: example project, utilizing Proc Info library to monitor what kind of processes are starting up, when running VMware Fusion. I would like to give him full credits for this, what I did later is just building on top of this information. What you can see here is that you can execute arbitrary commands on a guest VM through a web socket interface, which is started by amsrv process. I found the same tweet on his Weibo account (~Chinese Twitter): CodeColorist Weibo. When I searched it again, that tweet was removed. I saw a tweet a couple of weeks ago from CodeColorist on Twitter, talking about this issue - he was the one discovering it, but I didn’t have time to look into this for a while. So with creating a javascript on a website, you can interact with the undocumented API, and yes it’s all unauthenticated. You need to have VMware Tools installed on the guest for launching apps, but honestly who doesn’t have it installed. You can fully control all the VMs (also create/delete snapshots, whatever you want) through this websocket interface, including launching apps. Basically VMware Fusion is starting up a websocket listening only on the localhost. You can run an arbitrary command on a VMware Fusion guest VM through a website without any priory knowledge.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |