Returnil Virtual System 2008 - Password Disclosure Issue -===[ Vulnerable ]============================================- Product: Returnil Virtual System 2008 [+] Personal Edition 2.0.0.5011 Final [+] Premium Edition 2.0.0.5007 Final -=============================================================- Found on: Tuesday May 6, 2008 Discovered by: fRoGGz [SecuBox Labs] -===[ Background ]============================================- The Returnil Virtual System is a powerful virtualization technology that completely mirrors your actual computer setup. The RVS provides an altogether different and highly complimentary level of defense. It's designed to protect your computer from all types of software, downloads, websites that might harbor viruses, spyware and other malicious programs. Returnil virtualization technology clones a computer's System Partition and boots the PC into this system rather than native Windows, allowing users to run your applications in a completely isolated environment. -===[ Description ]===========================================- Like many software, configuration access is password protected. RVSYSTEM.DAT is an encrypted file that contains this config. But the problem is that the password is decrypted in a static memory area BEFORE the user has even identified himself. Hackers could copy the .dat file or directly grab the plaintext password in memory at offset 0x00B0F3A9 then modify the config (ex: add a backdoor or keylogger, ...). Of course on every future reboot, computer will start with this evil config. Quote: A private recovery tool have been coded for RVS. -=============================================================- Vendor have NOT been notified, it's a minor problem.