Enterprises often require that their IT teams have no access to data kept inside the machines they administer, a separation that is crucial for compliance, privacy and defense in depth. To this end, industries use VMWare's rich security model to separate the infrastructure domain from the guest machine domain. For example, most companies allow their IT teams to create, modify, back up and delete guest machines, but deny them guest machine operation functions such as file manipulation and console interaction.
The VMWare VIX API allows users with the required vSphere permissions to automate guest operation functions across VMWare platform products. Using VIX to interact with a virtual machine requires the administrator to pass through two distinct security domains: 1) the vSphere host; 2) the guest operating system. With this two-step authentication, even high vSphere permissions would not necessarily allow interaction with guest machines.
VIX contains undocumented functionality that breaks this security model, enabling a malicious user to bypass the guest domain authentication. To leverage this functionality, an attacker would have to be able to modify the guest machine configuration in a way that allows sending arbitrary commands to the guest machines and running them with root permissions. This method can be executed remotely, using an easy-to-use, well-documented API, unlike other host-to-guest techniques, which require highly privileged access to the host.
In this session, we will provide real-world examples of VMWare networks that are exposed to this security design flaw. We will demonstrate the ease with which an attacker can move from configuring a virtual machine to running commands with root permissions inside the guest machine. We will also showcase a tool that will allow you to test which users are capable of taking over guest machines.