Returnil Virtual System 2008 - Password Disclosure Issue
-===[ Vulnerable ]============================================-
Product: Returnil Virtual System 2008
[+] Personal Edition 184.108.40.20611 Final
[+] Premium Edition 220.127.116.1107 Final
Found on: Tuesday May 6, 2008
Discovered by: fRoGGz [SecuBox Labs]
-===[ Background ]============================================-
The Returnil Virtual System is a powerful virtualization
technology that completely mirrors your actual computer
setup. The RVS provides an altogether different and highly
complimentary level of defense. It's designed to protect
your computer from all types of software, downloads,
websites that might harbor viruses, spyware and other
malicious programs. Returnil virtualization technology
clones a computer's System Partition and boots the PC into
this system rather than native Windows, allowing users to
run your applications in a completely isolated environment.
-===[ Description ]===========================================-
Like many software, configuration access is password protected.
RVSYSTEM.DAT is an encrypted file that contains this config.
But the problem is that the password is decrypted in a static
memory area BEFORE the user has even identified himself.
Hackers could copy the .dat file or directly grab the plaintext
password in memory at offset 0x00B0F3A9 then modify the config
(ex: add a backdoor or keylogger, ...). Of course on every
future reboot, computer will start with this evil config.
Quote: A private recovery tool have been coded for RVS.
Vendor have NOT been notified, it's a minor problem.