VMware Security and NAT Problems
As helpful as VMware is I can honestly say that it has caused me quite a bit of grief lately. My feelings of frustration have mainly been my fault but tonight I also received a warning to update to the latest version of VMware Workstation. And when Ed Skoudis tells you to update immediately I listen, as should you.
The problems with VMware started on Tuesday when the culmination of the SANS Hacker Techniques, Exploits & Incident Handling course began. During the last week of this SANS @Home course the whole class is given access to a virtual lab which contains a vulnerable environment for the hacking. As it is a training situation Ed provides detailed instructions on how the students are supposed to set up their attacking systems. I spent the better part of that night and the next night hacking with a team and individually. I thought that I would do really well but in the end I just could not get anything to work correctly.
The problems I experienced were mainly focused around the Microsoft Windows systems. With Windows networking protocols enabled, exploiting these systems should have been straightforward and, actually, simple. But no matter what I tried I could not effectively run tools, utilize services, or even mount drives and transfer files. Basically, everything I did that touched the Windows box had an Input/Output error. Every file I tried to transfer prompted me with an error message but, strangely enough, sometimes the file would make it and sometimes it would just write the file name without any content. Additionally, because of the error messages most of the tools I used would not run correctly or could not complete a connection. PwDump3 and 6 were useless. Metasploit RPC-based attacks immediately failed. And, to put the icing on the cake, I received a Blue Screen of Death due to PFN_LIST_CORRUPT which, I believe, corrupted one of the VMware related drivers, which led to more BSoDs. I am just guessing that the BSoDs were related to VMware because the more network activity and memory usage there was, the quicker the system crashed.
As I mentioned, however, most of this was my fault. This situation came to fruition because I did not follow directions and ensure that all pentesting systems were configured so that their virtual interfaces operated in Bridge mode. Bridge mode is preferable to NAT due to the fact that once the NAT tables are full the interfaces start dropping packets. Running NMap, Nessus, Metasploit, and a number of other assessment tools will ensure that all resources are quickly gobbled up. After four or five hours of banging my head and cussing the environment it finally dawned on me that my interfaces were NATed. A quick change and I completed everything I was working on in about 10 minutes (not the whole lab, just a portion).
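The lesson above (check that every attacking VM's adapter is bridged, not NATed, before turning scanners loose) is easy to verify from the VM's `.vmx` file, where each adapter's mode is the `ethernetN.connectionType` key. The following script is an added example, not code from the post or from VMware: it parses a constructed sample `.vmx` fragment, lists the mode of every present adapter, flags the NAT ones, and produces a copy with those adapters switched to bridged. The sample `.vmx` contents and the function names are my own assumptions; the key names (`ethernetN.present`, `ethernetN.connectionType`, values `nat`/`bridged`/`hostonly`) are the ones VMware Workstation uses.

```python
import re
from typing import Dict, List

# Constructed sample .vmx fragment (assumption: not taken from the post or from
# any real machine). VMware .vmx files are key = "value" lines, and
# ethernetN.connectionType selects nat / bridged / hostonly for each adapter.
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
displayName = "attacker-linux"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.virtualDev = "e1000"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet2.present = "FALSE"
ethernet2.connectionType = "nat"
'''

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; blank or unparseable lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def adapter_modes(text: str) -> Dict[str, str]:
    """Map each present adapter (ethernetN.present = "TRUE") to its connection type.

    Adapters with no connectionType key are reported as "unspecified" rather
    than guessing VMware's default.
    """
    settings = parse_vmx(text)
    present = {
        key.split(".")[0]
        for key, value in settings.items()
        if key.startswith("ethernet") and key.endswith(".present")
        and value.upper() == "TRUE"
    }
    return {
        adapter: settings.get(f"{adapter}.connectionType", "unspecified").lower()
        for adapter in sorted(present)
    }


def nat_adapters(text: str) -> List[str]:
    """Present adapters whose traffic would go through the VMware NAT table."""
    return [a for a, mode in adapter_modes(text).items() if mode == "nat"]


def to_bridged(text: str) -> str:
    """Return a copy of the .vmx text with every present NAT adapter switched to bridged.

    Adapters that are not present are left untouched so the edit stays minimal.
    """
    targets = set(nat_adapters(text))
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(2).lower() == "nat":
            adapter, _, field = m.group(1).partition(".")
            if field == "connectionType" and adapter in targets:
                out.append(f'{m.group(1)} = "bridged"')
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for adapter, mode in adapter_modes(SAMPLE_VMX).items():
        flag = "  <-- NAT: switch to bridged before scanning" if mode == "nat" else ""
        print(f"{adapter}: {mode}{flag}")
    print(to_bridged(SAMPLE_VMX))
```

Run it against a real `.vmx` by reading the file into `to_bridged` while the VM is powered off; Workstation rewrites the file on shutdown, so edits made to a running VM's `.vmx` are lost. Host-only adapters are left alone on purpose: they never touch the lab network, so they cannot exhaust the NAT table.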
This is where VMware security comes in. Most people know that Ed and his crew at InGuardians are working on virtual machine escape. Virtual machine escape is when the guest operating system is compromised and the host operating system is owned without any type of user-based interaction between the guest and host. So I was very surprised when I came in on the end of a conversation that Ed summed up with, “So you need to update to the latest release of VMware Workstation 5.5.4 immediately.” Of course he could have been talking about the “VMware Multiple Denial Of Service Vulnerabilities” or the “VMware Workstation Shared Folders Directory Traversal Vulnerability” which were released this month. But, as I did not get clarification, I think I will not hesitate to get the most recent version of VMware Workstation and perform a little preventive maintenance.
Actually, I just completed the update and installed the latest version of VMware Tools and I can tell you I already like the new version of Workstation. Before, my interfaces were stuck at 10 Mbps. Now they operate at 1 Gbps. FULL SPEED AHEAD.
Go forth and do good things,
Cutaway
Technorati Tags: Security Ripcord, Ed Skoudis, VMware, bridge mode, NAT, InGuardians, SANS, GCIH
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
May 25th, 2007 at 4:49 pm
[...] VMware Security and NAT Problems – This is the first I’ve heard of such problems. As helpful as VMware is I can honestly say that it has caused me quite a bit of grief lately. My feelings of frustration have mainly been my fault but tonight I also received a warning to update to the latest version of VMware Workstation. And when Ed Skoudis tells you to update immediately I listen, as should you. [...]