Thursday, August 7, 2025

What is Ova Charged Horse? Everything You Need to Know About This!

I got this idea a while back to mess around with those .ova files, you know, the virtual machine templates. Specifically, I wanted to see if I could inject some code into a virtual machine without actually firing it up. I remembered reading about the “charged horse” vulnerability, and figured, why not give it a shot? It seemed like a fun little project to tinker with.

So, first things first, I needed an .ova file to play with. I grabbed a random one from an old project I had lying around. Didn’t really matter which one, I just needed something to experiment on. Next, I did a bit of digging around on the internet to refresh my memory on how these .ova files are put together. Turns out, they’re basically just tar archives. Nothing too fancy.

Unpacking the .ova

  • I used the good old tar command to unpack the .ova file. Just a simple tar -xvf my_ova_* and boom, all the contents were laid out in front of me: a .vmdk file (the virtual disk), an .ovf file (the configuration), and an .mf file (the manifest).

Messing with the .ovf file

  • The .ovf file is where the magic happens. It’s an XML file that describes the virtual machine’s settings. I opened it up in a text editor and started poking around. I figured if I could add some custom properties in there, maybe I could sneak in my code.
  • I added a new property under the <VirtualSystem> section, something like <Property ovf:key="my_custom_script" ovf:value="base64_encoded_script"/>. The idea was to store my script, encoded in base64, as a property value.

Repacking and hoping for the best

  • After saving my changes to the .ovf file, I had to repack everything back into an .ova file. I figured I could just tar everything up again, but then I remembered the .mf file. It contains SHA checksums of the other files, so I had to update those too.
  • I recalculated the checksums using sha256sum for each file and updated the .mf file accordingly. Then, I tarred everything up again with tar -cvf new_ova_* .

The moment of truth

  • With my newly crafted .ova file in hand, I imported it into virtualization software, such as vSphere Client. I didn’t start the VM just yet. I just wanted to see if it would import without any errors. And guess what? It did! It had already achieved “charged horse”.

It was a fun little experiment, and it’s pretty wild to think that you can inject code into a virtual machine just by manipulating its template file. I guess the lesson here is to always be careful where you get your .ova files from, and maybe, just maybe, don’t trust random properties in those .ovf files.
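
One way to act on that lesson before importing anything, as an added example that is not from the original post: a Python check that reads an .ova as a tar archive, verifies the .mf digests, and reports any OVF Property whose key is not on an allowlist. The allowlist, the file names and the build_sample helper are assumptions made for the illustration, and the sample archive is constructed in memory.

```python
import hashlib, io, re, tarfile
import xml.etree.ElementTree as ET

MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$", re.M)

def _local(name):  # drop the "{namespace}" prefix ElementTree puts on names
    return name.rsplit("}", 1)[-1]

def _digest(tar, name, algo):  # stream in 1 MiB chunks: disk images can be many GB
    h = hashlib.new(algo)
    with tar.extractfile(name) as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_ova(fileobj, allowed_keys=()):
    """Return (bad_digests, unlisted_files, unexpected_properties); nothing is imported."""
    bad, listed, props = [], set(), []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
        for name in names:
            if name.endswith(".mf"):
                text = tar.extractfile(name).read().decode()
                for algo, target, want in MF_LINE.findall(text):
                    listed.add(target)
                    if target not in names or _digest(tar, target, algo.lower()) != want.lower():
                        bad.append(target)
            elif name.endswith(".ovf"):
                # ElementTree does not expand external entities; defusedxml is stricter still.
                for el in ET.fromstring(tar.extractfile(name).read()).iter():
                    a = {_local(k): v for k, v in el.attrib.items()}
                    if _local(el.tag) == "Property" and a.get("key") not in allowed_keys:
                        props.append((a.get("key"), len(a.get("value", ""))))
    unlisted = sorted(n for n in names if not n.endswith((".mf", ".cert")) and n not in listed)
    return bad, unlisted, props

def build_sample(ovf, manifest_ovf=None):
    """Constructed in-memory OVA; manifest_ovf is the OVF the manifest was hashed from."""
    files = {"vm.ovf": ovf, "vm-disk1.vmdk": b"\0" * 512}
    hashed = {**files, "vm.ovf": manifest_ovf or ovf}
    files["vm.mf"] = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n"
                             for n, d in hashed.items()).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n, d in files.items():
            info = tarfile.TarInfo(n)
            info.size = len(d)
            tar.addfile(info, io.BytesIO(d))
    return io.BytesIO(buf.getvalue())
```

An edited .ovf with a stale manifest shows up in the first list, but once the manifest has been recomputed the digests match again, so the manifest only detects corruption. The property allowlist is what still reports the added key in that case.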
