Kiosk Hacking When there is nothing else left

Mon, 07 Apr 2008 10:31:15 GMT
by pdp

I often end up breaking through the least interesting systems. If you ask AP, a password-cracking ninja and master of hacking through simplicity, the less interesting a system is, the higher the chances that it is insecure. Successful exploitation of these systems often leads to successful exploitation of the network and other adjacent systems. This post concentrates on some theory and practicalities around what to do when penetration testing Kiosks and nothing else is left.

Why Kiosks? Kiosks are perfect for all kinds of scenarios. Everybody who has played enough with them knows that they are insecure no matter how much hardening you apply to them. They are also very much susceptible to attacks because the attacker has physical access to them. This means that tampering with the keyboard or any other input/output port is very much possible.

Kiosks are uninteresting because they seem to provide very basic features and therefore they are largely ignored from a security point of view. At the same time, they are very interesting because people use them for all kinds of mission-critical stuff without thinking twice about the confidentiality and security aspects of the operations they perform. To an extent, Kiosks are backdoors to the network where they reside and to the domains they are controlled from.

The traditional ways of hacking Kiosks are well documented. The basic idea is to obtain some kind of access on the system which gives you enough flexibility to do whatever needs to be done. The traditional ways are all based around the idea of escaping the standard GUI lockout. Usually Kiosks are locked so that the user can only use features which are provided by the vendor and nothing else. Sometimes Kiosks are not correctly locked, which of course allows attackers to quickly gain access to the Windows shell by using something like the File -> Open dialog or any other mechanism which opens an Explorer shell/frame. This includes the Help system, the Open/Save/Save As features and pretty much everything else that deals with files, Explorer and Internet Explorer. On some Kiosks, browsing through the file system is not possible, but you can still spawn executables by using Outlook, if the Kiosk is Windows-based, because Outlook is usually not blocked and you can add executable attachments to emails which are executed when double-clicked. But this is not all. There are other ways someone can gain access to a Kiosk, or at least gain access to the data it holds or may hold in the future.

Files, Read, Write, Etc

Although it is much more convenient to have a command shell spawned for your own needs, sometimes this is very hard and you might not have enough time to mess around with the details involved in the process. Simple backdoor techniques can work very well in this case. I am not referring to installing software on the Kiosk, but rather to modifying files which can provide further access to the attacker. I've seen Kiosks which are relatively locked and significantly hardened but still run under privileged accounts. Notepad or other software which allows writing to files is not blocked at all, which gives us the opportunity to overwrite files. The hosts file is a very good target in this case. Modifying this file could potentially give the attacker access later, when the system is not hardened. For example, if we substitute the IP address for the google.com domain on a hardened box which we cannot exploit, then at some point in time when the box is significantly weaker we can take advantage of the fact that the google.com domain will resolve to a host controlled by us and therefore take over the Kiosk. Not to mention the fact that this way we will be able to sniff all sorts of goodies from the hijacked domains.
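The hosts-file tampering described above leaves a durable, easy-to-audit trace, so a kiosk image check should parse the file and flag any real hostname that has been pinned to an address. The following is an added example (not code from the original post); the hosts content is constructed and the vendor hostname is hypothetical.

```python
"""Audit a hosts file for entries that pin real domain names to addresses,
the kind of modification an attacker with write access to a kiosk leaves behind."""
import ipaddress

# Constructed sample of a tampered Windows hosts file (hypothetical values).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# added by "someone"
10.13.37.5      google.com www.google.com
192.168.1.20    update.kiosk-vendor.example
0.0.0.0         ads.example
"""

# Names a stock hosts file legitimately binds to loopback.
LOCAL_ONLY = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, skipping comments and blank lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; a full audit would report it
        for host in parts[1:]:
            entries.append((ip, host.lower(), n))
    return entries


def suspicious_entries(text, allowed=frozenset()):
    """Return (line_no, hostname, ip, kind) for every non-local hostname that the
    hosts file overrides. 'redirect' means traffic goes to a routable address
    (the takeover scenario); 'sinkhole' means loopback/unspecified (blocking).
    'allowed' lists vendor hostnames the kiosk image is expected to pin."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host in LOCAL_ONLY or host in allowed:
            continue
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append((n, host, str(ip), kind))
    return findings
```

Run `suspicious_entries(open(r"C:\Windows\System32\drivers\etc\hosts").read())` against a deployed kiosk image; any `redirect` finding not on the allow list is worth investigating.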

In some cases you don't have write access but you can read. In one of the tiger team operations we were involved in, we broke through the Kiosk into a protected FTP server because the Kiosk software had VBScripts which used FTP to pull software updates. Unfortunately, the poor developers had left the FTP credentials in clear text, which gave us write access to the FTP server and some other critical sections of their network. Reading files is a huge danger and unfortunately it is not very easy to block, especially when the Kiosk is based on a rich operating system such as Windows, some Linux variant or even MacOS.
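Because read access alone exposed the FTP credentials in that engagement, kiosk-side scripts should be scanned for clear-text secrets before the image ships. The scanner below is an added example (not the post's own code); the VBScript excerpt, hostname and credentials are constructed.

```python
"""Scan kiosk update scripts for clear-text FTP credentials, both embedded in
URLs (ftp://user:pass@host) and assigned to password-like variables."""
import re

# Constructed excerpt of a kiosk update script (hypothetical names and values).
SAMPLE_VBS = """\
' kiosk_update.vbs - pulls the nightly package from the vendor FTP server
Dim shell, ftpUrl
Set shell = CreateObject("WScript.Shell")
ftpUrl = "ftp://updater:Summer2008!@ftp.kiosk-vendor.example/updates/"
shell.Run "wget " & ftpUrl & "latest.zip", 0, True
' fallback: scripted ftp.exe session
Const FTP_USER = "updater"
Const FTP_PASS = "Summer2008!"
"""

# Credentials embedded in a URL authority: scheme://user:password@host
URL_CREDS = re.compile(r"\b(ftps?|sftp)://([^:/\s\"']+):([^@\s\"']+)@", re.IGNORECASE)
# A password-like identifier assigned a string literal
ASSIGN_CREDS = re.compile(r"\b(\w*(?:pass|pwd|password)\w*)\s*=\s*\"([^\"]+)\"",
                          re.IGNORECASE)


def mask(secret):
    """Keep the first character so findings stay distinguishable without
    re-emitting the secret in the report."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def find_clear_text_credentials(source):
    """Return (line_no, kind, user_or_variable, masked_secret) for each hit.
    VBScript comment lines (leading apostrophe) are skipped."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):
            continue
        for m in URL_CREDS.finditer(line):
            hits.append((n, "url", m.group(2), mask(m.group(3))))
        for m in ASSIGN_CREDS.finditer(line):
            hits.append((n, "assignment", m.group(1), mask(m.group(2))))
    return hits
```

Any hit means the credential is readable by whoever can read the script; the fix is to move secrets out of the kiosk image and restrict the FTP account to read-only access on the update directory.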

Java, Applets, Flash and Browser Access

Not that long ago I published a quite useful little browser-based tool called Jython Shell. The Jython shell, although a completely legitimate programming tool, can give you some helpful features when Java is enabled on the Kiosk. The applet spawns a simple console screen which is hooked to the Jython/Python interpreter. All necessary libraries and bindings are downloaded at runtime into a temporary folder from where they are loaded. Therefore, on a Kiosk which allows Java applets to run, we can gain access by using Python primitives and the privileges of the current user. We can spawn files/executables but also spawn sockets and do all kinds of things. It comes in quite useful indeed. Other technologies such as Flash, ActiveX and Silverlight are very useful for the same purposes as well.

Active Exploitation of Vulns

Although you see fairly locked and patched Kiosks once in a while, most of them are not patched at all. In a number of cases we've found Kiosks running VNC with the auth credentials set to "password". Some of them were even vulnerable to the VNC auth-bypass bug. They were accessible from the Internet, which was a big problem. In another case we were able to exploit the browser by visiting a server hosting specific browser exploits which we thought might work. Kudos to the Metasploit team for putting the framework together.

This post is mostly a summary of some of the possibilities and scenarios that exist around hacking Kiosks. There are far too many things to consider. I will put more material on the subject soon. Keep in mind that the main purpose of this post is to give you an idea of some of the potential ways attackers can break into a Kiosk in order to gain additional rights and access on other systems.

Archived Comments

Jonas
Thank you for some interesting reading. I'd love to hear more about your adventures in kiosk hacking. I've recently started looking at the possibilities of kiosk hacking, and it's kind of interesting.
hackathology
Interesting post. I used to play around with kiosks and it's pretty crappy when it comes to security.
pdp
There will be more kiosk hacking related blog posts released soon; some great stuff is coming soon from fellow researchers.
Awesome AnDrEw
Kiosks are far more popular, and widely available across European countries, right? I don't believe I have ever come across one in the U.S. as most hotels, airports, and other places I have visited either had an available Ethernet port, Wi-Fi, or service such as WebTV. I only remember using one once several years ago in a hotel in England where it cost several pounds to go online for an hour unless our definitions of kiosks are different.
Mike
*TRY* opening a folder in winblows and try navigating to this: %comspec%. There are other places where %comspec% works. Fun, huh?
Dd
A few things I've found while bored in airports: Often the company who owns the site lets you browse the company's site free of charge: try to find PDFs/WMVs or other files which may not open in the browser but will run a native app from which you can get an explorer frame. The about: address can be extremely useful, as anything you enter after the about will normally be echoed back onto the page, e.g. about:<script lang=... etc. I once found a Knoppix kiosk which was slightly locked down but gave a prompt "Would you like to run /bin/bash from its current location?" when the appropriate path was entered in the address bar. Yes please. U3 drives, autorun explorer / portable cmd shell. One great, but unpredictable thing is when a native app pops up from behind the scenes, e.g. would you like to update program x? Updating... done. Wanna browse around C:\ to save a log file? The other great thing about Java (with .jar files) is they're not executables, so the OS might have no problem running them. Java usually gets to see all attached drives, and can be used to copy files to the temp directory or others which may be rwx.
Thomas
I used to be the VP of Operations for a kiosk hardware and software company. They did music downloading kiosks. Doing this required available USB ports for MP3 players and thumb drives. They were open and available on the outside of the machine. The company thought they were safe because there was no keyboard, so you were unable to close the kiosk app and get to XP in the background. The problem was all you needed to do was plug a USB keyboard into the available USB port and you had access to over 1.5 TB of music.
C@puNx
Nice article; unfortunately I tried this when I was in high school, but it's quite nice as a memory.
vipera
In response to Awesome AnDrEw: yes, the EU has a lot of kiosks. The best thing is that 80% of them have a USB port "made for uploading pictures", but most often with a few browser commands or exploits you can get your own apps running without a hassle. And about WebTV: some kiosks provide both "surf" and "tv" (WebTV in most cases), and even if they have locked down the surf part of the kiosk, the WebTV part can most often be exploited, as they forget all the fast-key commands many of those have. Ex: in Germany I was stuck in a small town, needed encrypted VNC access to my box. Wi-Fi? None! Kiosks, many! But I never managed to break it. Then I noticed the TV function, and noticed it was streaming over the internet from several "live" channels. A few key clicks and I found out what the player was and got a save prompt. The issue with that player was, the save prompt didn't only take the save file name; pipe it (|) and it would let you type in any *nix prompt commands I usually use. A few seconds later, it was running my ccvnc directly from USB without asking anything.
pdp
Nice one, I have a few tricks for Kiosk hacking maybe we should organize a Kiosk Hacking Challenge just like the Router Hacking one.