3rd party plug-ins pose a security risk for VMware VirtualCenter

Ironically enough, the author of the first 3rd party plug-ins for the new VirtualCenter 2.5, Andrew Kutz, is also the one who has to warn about the security risks of using any non-VMware plug-in:

During the development of the Console plugin I had to register a message filter on the primary message loop to capture input for the SSH “terminal.” I was not sure if the VI client would allow me to do this, as the ability to do so has nasty implications. Well, it does, and it does.

VMware has been informed of this flaw, and provided with a solution.

Try using the CheckForMsgFiler.exe application that comes with the KeySniffer client plugin. This application checks a given assembly and notifies the user if said assembly contains any types that implement the IMessageFilter interface…

To prove the concept, Andrew developed a malicious plug-in, KeySniffer, that records every keystroke typed into the VirtualCenter GUI. Try it here.
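The two quoted passages describe the mechanism (a plug-in registering a filter on the VI client's Windows Forms message loop) and the countermeasure (scanning a plug-in assembly for types that implement IMessageFilter). The following C# is an added example written for this page; it is not code from Andrew Kutz's plug-ins or from the CheckForMsgFiler tool, and the class names KeyObserverFilter and MessageFilterScanner are my own. It assumes the .NET Framework (the VI client's platform), since Assembly.ReflectionOnlyLoadFrom does not exist on .NET Core and later.

```csharp
// Added example, not part of the original post or of the KeySniffer/Console plug-ins.
using System;
using System.Linq;
using System.Reflection;
using System.Windows.Forms;

// Part 1: what a message filter can observe. Anything registered with
// Application.AddMessageFilter sees every message the process's message loop
// dispatches, for every window the process owns, before the target control
// does. The Console plug-in needs that to drive its SSH terminal; a hostile
// plug-in gets the same view of every keystroke typed into the VI client.
public sealed class KeyObserverFilter : IMessageFilter
{
    private const int WM_KEYDOWN = 0x0100;
    private const int WM_CHAR = 0x0102;

    public int KeyMessageCount { get; private set; }

    public bool PreFilterMessage(ref Message m)
    {
        if (m.Msg == WM_KEYDOWN || m.Msg == WM_CHAR)
        {
            // m.WParam holds the virtual-key code (WM_KEYDOWN) or the
            // character (WM_CHAR); a key logger would record it here.
            KeyMessageCount++;
        }
        return false; // false = let the message through, so the UI behaves normally
    }
}

// Part 2: the check. Load a plug-in assembly without executing any of its
// code and report every concrete type that implements IMessageFilter.
public static class MessageFilterScanner
{
    private const string FilterInterface = "System.Windows.Forms.IMessageFilter";

    public static string[] FindMessageFilterTypes(string assemblyPath)
    {
        // Reflection-only loading reads metadata only: no module initializers
        // or static constructors in the plug-in run during the scan.
        AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve +=
            (sender, e) => Assembly.ReflectionOnlyLoad(e.Name);
        Assembly asm = Assembly.ReflectionOnlyLoadFrom(assemblyPath);

        Type[] types;
        try
        {
            types = asm.GetTypes();
        }
        catch (ReflectionTypeLoadException ex)
        {
            // Some types may fail to load (missing dependency); scan the rest.
            types = ex.Types.Where(t => t != null).ToArray();
        }

        // Compare interfaces by name: types from the reflection-only context
        // are not the same Type objects as typeof(IMessageFilter).
        return types
            .Where(t => !t.IsInterface && !t.IsAbstract)
            .Where(t => t.GetInterfaces().Any(i => i.FullName == FilterInterface))
            .Select(t => t.FullName)
            .ToArray();
    }

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: MessageFilterScanner <plugin.dll>");
            return 2;
        }
        string[] hits = FindMessageFilterTypes(args[0]);
        foreach (string name in hits)
            Console.WriteLine("implements IMessageFilter: " + name);
        return hits.Length == 0 ? 0 : 1; // non-zero exit = review this plug-in
    }
}
```

The scan is a heuristic, not a proof of safety: a plug-in can get the same visibility of keystrokes through a native hook (SetWindowsHookEx via P/Invoke), by building the filter type at run time with Reflection.Emit, or by obfuscating the interface reference, so a clean scan means only that the obvious pattern is absent. Conversely, a hit is not proof of malice, since the Console plug-in legitimately implements the interface; the check tells you where to look, not what to conclude.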