{"@attributes":{"version":"2.0"},"channel":{"title":"Rest Api on theevilbit blog","link":"https:\/\/theevilbit.github.io\/tags\/rest-api\/","description":"Recent content in Rest Api on theevilbit blog","generator":"Hugo","language":"en","lastBuildDate":"Sun, 31 Mar 2019 00:00:00 +0000","item":{"title":"CVE-2019-5514 - VMware Fusion 11 - Guest VM RCE","link":"https:\/\/theevilbit.github.io\/posts\/vmware_fusion_11_guest_vm_rce_cve-2019-5514\/","pubDate":"Sun, 31 Mar 2019 00:00:00 +0000","guid":"https:\/\/theevilbit.github.io\/posts\/vmware_fusion_11_guest_vm_rce_cve-2019-5514\/","description":"<h2 id=\"tldr\">\n  TL;DR\n  <a class=\"heading-link\" href=\"#tldr\">\n    <i class=\"fa-solid fa-link\" aria-hidden=\"true\" title=\"Link to heading\"><\/i>\n    <span class=\"sr-only\">Link to heading<\/span>\n  <\/a>\n<\/h2>\n<p>You can run an arbitrary command on a VMware Fusion guest VM through a website without any priory knowledge. Basically VMware Fusion is starting up a websocket listening only on the localhost. You can fully control all the VMs (also create\/delete snapshots, whatever you want) through this websocket interface, including launching apps. You need to have VMware Tools installed on the guest for launching apps, but honestly who doesn\u2019t have it installed. So with creating a javascript on a website, you can interact with the undocumented API, and yes it\u2019s all unauthenticated.<\/p>"}}}