Attacking Internet Kiosks

Transcript of Attacking Internet Kiosks

  • 8/14/2019 Attacking Internet Kiosks

    1/41

    Attacking Internet Kiosks

    Michael "theprez98" Schearer

    2/41

    References

    • This presentation is based upon the work of Paul Craig and his presentations about hacking Internet kiosks at DEFCON 16, ShakaCon 2009, and BruCon 2009 (www.security-assessment.com)

    8/41

    Internet Kiosk Hardware

    • Public internet terminals found in hotels, airports, train stations, libraries, etc.
    • Custom hard-shell case typically lacking physical access to the computer
    • Restricted ability for input (Floppy/DVD/USB/FireWire)
    • Secured to ground
    • Pay mechanism built into the kiosk

    9/41

    Internet Kiosk Software

    • 40+ different commercial kiosk products; most are Windows-based
    • Windows is made to look like a kiosk terminal
    • Implements standard Windows/Internet Explorer libraries
    • Windows Functionality Wrapped In A Kiosk Candy Shell

    10/41

    Kiosk security

    • Kiosk vendors try to implement security features
    • Security is also a functional requirement, and taken seriously
    • It's also a selling point: secure kiosks are not cheap kiosks

    11/41

    Kiosk security model

    • Kiosk software is based on a Principle of Least Privilege
      - A kiosk user must ONLY have access to browse the internet
      - Kiosk software must prohibit all other activity
    • Security implemented through two approaches:
      - Functionality reduction by activity blacklist
        • Prohibiting access to native OS functionality
        • Anything not required to browse the internet
      - User interface security/sandboxing
        • Graphically jailing a user into a kiosk interface/GUI
        • Kiosk software is run in full screen
        • Start bar/tray menu removed
        • No ability to click out of, or escape, the kiosk browser

    12/41

    Kiosk security model examples

    • Browser runs in high security mode
    • Keyboard driver disables special shortcuts
    • Custom mouse disables right-click
    • Timer monitors usage of blacklisted apps

    15/41

    Core security issues

    • Blacklists don't work
    • Websites visited from the Kiosk are not factored into the security model
    • Underlying browser technology implements security by User Interaction

    16/41

    Blacklists don't work

    • 100 different ways to do anything on any OS!
    • A Kiosk blacklist must stop EVERY method; they don't

    17/41

    Windows is flexible

    File:/C:/windows
    File:/C:\windows\
    File:/C:\windows/
    File:/C:/windows
    File://C:/windows
    File://C:\windows/
    file://C:\windows
    C:/windows
    C:\windows\
    C:\windows
    C:/windows/
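Why a literal blacklist loses against the spellings on this slide, shown from the defender's side: an added Python example (mine, not code from the talk or from any kiosk product) that canonicalizes each variant to one form and then applies an allowlist that permits only http/https navigation. The parsing rules are a deliberate simplification written for this example and are not a model of how Internet Explorer resolves file: URLs; the sample list is constructed from the slide.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the spellings of C:\windows listed on the slide.
PATH_VARIANTS = [
    "File:/C:/windows", "File:/C:\\windows\\", "File:/C:\\windows/",
    "File://C:/windows", "File://C:\\windows/", "file://C:\\windows",
    "C:/windows", "C:\\windows\\", "C:\\windows", "C:/windows/",
]

def naive_blacklisted(s: str) -> bool:
    """Literal-string blacklist of the kind the talk says does not work."""
    return s.startswith("C:\\windows")

def canonical_local_path(s: str):
    """Reduce any local-path spelling to one normalized form, or return None
    when the input is not a local drive path. These rules are a simplification
    written for this example, not how IE or any kiosk product parses URLs
    (UNC paths such as \\\\server\\share are deliberately not handled here)."""
    s = unquote(s.strip())                      # undo %xx escapes first
    m = re.match(r"(?i)^file:/*(.*)$", s)       # file:/ file:// file:///
    if m:
        s = m.group(1)
    m = re.match(r"^([A-Za-z]):[\\/](.*)$", s)  # drive letter + either separator
    if not m:
        return None
    drive, rest = m.group(1).upper(), m.group(2)
    stack = []
    for part in re.split(r"[\\/]+", rest):      # any separator, any count
        if part in ("", "."):
            continue
        if part == "..":                         # resolve C:/x/../windows
            if stack:
                stack.pop()
        else:
            stack.append(part.lower())           # NTFS names are case-insensitive
    return drive + ":\\" + "\\".join(stack)

def allowed_navigation(s: str) -> bool:
    """Allowlist policy: only http/https navigations, never a local path."""
    if canonical_local_path(s) is not None:
        return False
    return re.match(r"(?i)^https?://", s.strip()) is not None

if __name__ == "__main__":
    caught = sum(naive_blacklisted(v) for v in PATH_VARIANTS)
    print(f"naive blacklist stops {caught} of {len(PATH_VARIANTS)} spellings")
    for v in PATH_VARIANTS:
        print(f"{v:22} -> {canonical_local_path(v)}  allowed={allowed_navigation(v)}")
```

The point is the order of operations: normalize first, then decide, and decide with an allowlist so an unanticipated spelling fails closed rather than open.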

    18/41

    Websites visited from the Kiosk are not factored into the security model

    • Kiosks rely on default browser security policy when dealing with remote sites
    • This policy was not designed for a Kiosk/public environment

    19/41

    Browser technology implements security by User Interaction

    • Browser will trust the Kiosk user
    • "Are you sure you want to run this?"
    • Don't trust what I say!

    20/41

    Attack vectors

    • Physical input
      - Interacting with the kiosk GUI
      - Using the keyboard and mouse
      - Clicking buttons, graphics, menus
      - Typing values into the URL bar if available
    • Remote input
      - Remote browser content
      - Input from a website

    21/41

    Method of attack

    1. Escape the kiosk graphical jail
       - Minimize or close the Kiosk browser application
       - Pop a command shell: taskkill /IM KioskBrowser.exe
       - Enable the hidden (real) Windows Start bar
       - Get Back To Windows
    2. Download additional binaries to the kiosk
       - Port scanner, Metasploit, rootkit, trojan, keylogger

    22/41

    Physical escapes of kiosk jail

    • Use the URL bar to browse the file system
    • Invoke the File View control to enable Windows Explorer capabilities
    • IE Image Toolbar
    • Keyboard shortcuts (including kiosk-specific shortcuts)
    • Etc.

    24/41

    Remote escape solution?

    Interactive Kiosk Attack Tool (iKAT)

    • Kiosk reconnaissance
    • Display local browser variables
    • Display remote server variables
    • Invoke dialogs with JavaScript/HTML
    • Use Flash to create Common Dialogs
    • Spawning applications
    • Downloading files using native Windows functionality

    26/41

    So you can imagine what happened next

    28/41

    Predictably, SiteKiosk has blocked iKAT

    30/41

    Solution 1: iKAT Portable

    • Complete copy of the iKAT website
    • Free of charge, no strings attached, 100% malware free
    • Run your own version, host iKAT Portable and become a Kiosk wizard
    • Extract it to a web server capable of serving static content

    31/41

    Solution 2: Change the address

    • Instead of ikat.ha.cked.net, try ikat2.ha.cked.net

    32/41

    Success! (so far)

    33/41

    Let's play around with SiteKiosk

    34/41

    But

    • SiteKiosk has really gone overboard to develop security countermeasures specific to iKAT
    • It turns out that SiteKiosk can be exploited
      - You can crash SiteKiosk with VBScript, but
      - You still cannot run cmd.exe or access any system functions

    35/41

    (I found this out about 11:30 PM last night)

    36/41

    Temporarily sidetracked, but do you really think I'm going to give up? SiteKiosk isn't the only kiosk software out there

    37/41

    How about NetStopPro? (To be fair, I started playing with NetStopPro about 12:15 AM this morning, just so you don't expect too much.)

    41/41

    Attacking Internet Kiosks

    Michael "theprez98" Schearer