- It turned out that VMWare hypervisor is running Tomcat to give you the admin interface - oldie (shall I read it 'unpatched') but goldie, right?
- You can do MiTM against VMWare VI Client... and as presented at the demo, that works like a charm, plus...
- ... if you can MiTM you can pwn the box - clients.xml that is served by the server contains a URL of the client .exe to be executed - boom, you can change that!
There was much more than that - also Xen and Ubuntu got their share here but the practical demo was based on VMWare.
Treat VM hosts and their apps just as another computer, another system and make sure you secure them the same way as any other system. Think of patch management and what happens when you revert to a snapshot (it may be old and unpatched so you bring back unpatched or already compromised system), think of separation of duties and access (physical and logical).