Hacking Internet Kiosk`s

Transcription

Hacking Internet Kiosk`s
Hacking Internet Kiosk’s
Paul Craig
Principal Security Consultant
S
Security-Assessment.com
it A
t
Bio
ƒ Who am I?
ƒ Paul
P l Craig
C i
ƒ Principal Security Consultant.
Security-Assessment.com, Auckland, New Zealand
ƒ Published Security Author.
Author
ƒ Active Security Researcher.
ƒ Devoted Hacker.
Hacker
ƒ Comments, Feedback?
ƒ Email: [email protected]
ƒ Website: http://ha.cked.net
p //
Overview
ƒ Hacking Kiosks:
ƒ What is an Internet Kiosk.
Kiosk
ƒ Kiosk Software Security Model.
ƒ Vulnerabilities in Kiosk Software.
ƒ Vulnerabilities in the Kiosk Security Model.
“Hack any Windows Kiosk in less than 120 seconds!”
ƒ Tool Release.
ƒ Live Demo’s: Hacking (Two) Commercial Internet Kiosks.
ƒ More 0day than you can shake a stick at.
What Is An Internet Kiosk
ƒ Last Year I Was Sitting in an Airport….
ƒ 8 hour stop-over in Hong Kong.
Kong
ƒ Queue of people waiting to use a hub of Internet Kiosks.
ƒ “Damn, those kiosks sure are popular…”
ƒ “I
“ wonder
d if I could
ld h
hack
k iit?.””
ƒ Kiosks are ppopular,
p
, and rarelyy appear
pp
in securityy publications.
p
ƒ Popularity + Poor Security Visibility = Good Attack Target
ƒ Personal Objective:
ƒ Find every possible method of hacking Internet Kiosk terminals.
ƒ Become the King of Internet Kiosk Hacking!
What Is An Internet Kiosk
ƒ Kiosks are everywhere
ƒ Airports,
Airports Train stations,
stations Libraries
Libraries, DVD Rental Stores
Stores, Corporate
Building Lobbies, Convenience Stores, Post Office, Café’s,
Hospitals, Motels, Hotels, Universities.
ƒ Cheap technology has made Internet Kiosks very common.
What Is An Internet Kiosk
ƒ Initial Observations of Kiosks
ƒ Hardware.
ƒ Kiosks
Ki k b
built
ilt in
i tough
t
h hard-shell
h d h ll cases.
ƒ Fibreglass, Steel, Thick MDF.
ƒ Lack of physical access to the underlying computer.
ƒ Input devices inaccessible (Floppy/DVD/USB/FireWire)
ƒ Kiosk bolted to the ground (padlocked).
ƒ General public are not trusted
trusted.
ƒ Kiosks are designed to prevent physical theft or malicious use.
What Is An Internet Kiosk
ƒ Software.
ƒ Majority of Kiosks run commercial Windows Kiosk software
software.
ƒ Linux/BSD Kiosks exist, Windows more popular.
ƒ 44 commercial Windows Kiosk products in the market.
ƒ Marketed as : “Turn that old PC into instant revenue!”
ƒ Buy $59.99 Shareware -> Install -> Instant Kiosk!
ƒ Kioskk Software
f
Essentially
ll Skins
k
Windows:
d
ƒ Kiosk browsers based on standard Internet Explorer libraries.
ƒ WINHTTP.DLL/MSINET.OCX
ƒ Its Windows and Internet Explorer, highly customized.
What Is An Internet Kiosk
ƒ “Kiosk Software Is The Best Attack Target.”
ƒ Hardware hacking is too obtrusive for public locations.
locations
ƒ “I Need to Walk up to Any Internet Kiosk and Pop Shell, Quickly.”
ƒ Explorer.exe, cmd.exe, command.com.
ƒ Time limited, 2 minutes or faster.
ƒ 16 Months of Kiosk Software Penetration Testing Later….
ƒ Virtualized
Vi t li d ten
t off th
the mostt popular
l Windows
Wi d
Kiosk
Ki k platforms.
l tf
ƒ Researched methods of compromising each Kiosk.
ƒ Developed Kiosk Attack Methodology.
ƒ Startling Results: 100% success rate!
Kiosk Security Model
Kiosk Securityy Model
ƒ Kiosk Software Implement Security in Two Approaches.
ƒ #1 - Reduce Available Host Functionality.
ƒ Disallow native OS functionality that can be used maliciously.
ƒ “Command Prompt has been Disabled”
ƒ “File Downloads Have Been Disabled”
ƒ Implemented through native ACL’s.
ƒ #2 – Graphically
G hi ll Jailed
J il d Into
I t a ‘Secure
‘S
Kiosk
Ki k Browser’.
B
’
ƒ Kiosk users are stuck inside a Kiosk browser.
ƒ Kiosk browser ran in full screen, no ability to close, minimize.
ƒ Start Bar/Tray Menu removed or hidden.
ƒ Only thing you can do is browse the web.
Kiosk Securityy Model
ƒ Example #1: Site Kiosk.
ƒ Looks similar to Windows
Windows.
ƒ Custom Tray Menu/Task Bar.
ƒ Only
O l one option,
ti
‘New
‘N
Window’
Wi d ’
ƒ Real Windows ‘Start’ bar is hidden from view.
ƒ Trapped inside the Kiosk browser.
Kiosk Securityy Model
ƒ Example #2: NetStop Kiosk
ƒ Custom task bar.
bar
ƒ Kiosk application ran as a full screen desktop.
ƒ No
N ability
bilit tto close
l
th
the browser.
b
ƒ Only permits internet browsing.
Kiosk Securityy Model
ƒ Kiosk Browsers Proactively Monitor Your Activity.
ƒ Kiosks contain multiple blacklists of prohibited activity.
ƒ Try to do something sneaky, the Kiosk will stop you.
ƒ Try to Browse C:\ with the Kiosk browser:
ƒ Blacklist in
in-focus
focus Modal Dialogs.
Dialogs
ƒ Block dialogs by Window Title or Window Class.
ƒ “Save
“S
Fil
File A
As”,
” “O
“Open With”
With”, “Confirm
“C fi
Fil
File D
Delete”,
l t ” “P
“Print”.
i t”
ƒ WM_CLOSE Window message sent to the blacklisted dialog.
ƒ Dialog closes.
Kiosk Securityy Model
ƒ API Hooking.
ƒ Hook native OS API calls which can be used maliciously
maliciously.
ƒ KillProcess(), GetCommandLineW(), AllocConsole()
ƒ “Unauthorized
Unauthorized Functionality Detected
Detected, Process Killed”
Killed .
ƒ Kiosk Browser ran in ‘High Security Zone’
ƒ File downloads disabled.
ƒ Browser scripting, pop-ups, ActiveX, all disabled.
ƒ Watchdog Timer.
ƒ Every
E
5 minutes
i
the
h Kiosk
Ki k will
ill enumerate allll active
i processes.
ƒ Terminate any unauthorized activity.
Kiosk Securityy Model
ƒ Custom Keyboard Driver.
ƒ Disable Windows shortcut key combinations.
combinations
CTRL-SHIFT-ESC (Task Mgr)
ALT-TAB (Switch Task)
CTRL-ALT-DELETE (Task Mgr)
CTRL-ESC (Start Menu)
ƒ Modifier Keys Unmapped
Unmapped.
Alt F4 (Close Application)
Alt-F4
ƒ CTRL, Tab, ALT, ‘Start’, Function, F1-F12.
ƒ Custom Keyboard with missing modifier keys!
ƒ Custom Mouse.
ƒ No
N right
i h click
li k button.
b
ƒ All Methods of reducing
g functionality!
y
Hacking
Ki k Software
Kiosk
S ft
Hacking
g Kiosk Software
ƒ Kiosk Security Model is Based on Reducing Functionality.
ƒ Limit functionality which can be used to escape the Kiosk browser.
ƒ Exploiting A Kiosk Requires Invoking Functionality
Functionality.
ƒ Cause applications/functionality to spawn, popup on screen.
ƒ Use
U the
th invoked
i
k d functionality
f
ti
lit to
t escape the
th Kiosk
Ki k jail.
j il
ƒ Spawn a command prompt, get back to Windows.
ƒ Kiosk Security Is Implemented Through Blacklists.
ƒ Blacklists (by nature) are never 100%.
ƒ We only need one method of escaping the software jail.
Hacking
g Kiosk Software
ƒ Lets Say You Find a Kiosk in Your Local Mall.
ƒ ‘10RM
10RM for 1 hour of internet usage
usage’
ƒ Insert money.
ƒ You Find You are Trapped Inside a Kiosk Browser.
ƒ Only one visible button to ‘Start Browsing’
ƒ Start Browsing…
Hacking
g Kiosk Software
ƒ Browse The Local File System Using The Kiosk Browser.
ƒ Local Windows users are capable of browsing the file-system
file system.
ƒ Kiosk software must explicitly block local browsing attempts.
ƒ Windows Is Designed For Idiots.
ƒ Caters for mistypes/fat-fingers.
yp /
g
ƒ C:\windows\ maybe blocked.
File:/C:/windows
File:/C:\windows\
File:/C:\windows/ File:/C:/windows
File://C:/windows
File://C:\windows/
file://C:\windows
C:/windows
C:\windows\
C:\windows
C:/windows/
C:/windows\
%WINDIR%
%TMP%
%TEMP%
%SYSTEMDRIVE%
%SYSTEMROOT%
%APPDATA%
%HOMEDRIVE%
%HOMESHARE%
ƒ Blacklists
Bl kli t start
t t ffailing
ili about
b t now.
Hacking
g Kiosk Software
ƒ Using Common Dialogs To Hack Kiosks.
ƒ Windows contains ‘Common
Common Dialogs’
Dialogs libraries.
libraries
ƒ Saving a file, opening a file, selecting font, choosing a colour.
ƒ COMDLG32.DLL
COMDLG32 DLL (Common Windows Dialogs Library).
Library)
ƒ COMDLG32.DLL Implements Common Windows Controls.
ƒ From COMCTL32.DLL (Common
(
Windows
d
Controls
l Library)
b
)
ƒ File/Open, File/Save Dialog’s Contain ‘File View’ Controls.
ƒ File view control provides full Explorer functionality.
ƒ Same control that Windows Explorer uses.
ƒ File-Open Dialog = Explorer
ƒ Can be used to launch processes.
Hacking
g Kiosk Software
ƒ Systematically Click Every Button, Graphic, Icon In The Kiosk
ƒ Can we invoke a File - Open Dialog? “Attach
Attach File
File”
ƒ Browse the file system
ƒ Right Click cmd.exe:
cmd exe: Open / Run As
ƒ Spawn cmd.exe
Hacking
g Kiosk Software
ƒ Internet Explorer ‘Image Toolbar’.
ƒ Toolbar hovers top-left of a large image when clicked.
clicked
ƒ Each icon of this toolbar can invoke a Common Dialog.
ƒ File/Save.
Fil /S
ƒ File/Print.
ƒ File/Mailto.
ƒ Open “My Pictures” in Explorer.
ƒ Toolbar is present if the Kiosk uses Internet Explorer libraries.
ƒ Click a large image on screen
ƒ Spawn a Common Dialog, spawn Explorer.
Hacking
g Kiosk Software
ƒ Using the Keyboard.
ƒ Keyboard shortcuts can be used to access the host OS
OS.
ƒ Check if a custom keyboard driver present?
ƒ Are
A modifier
difi keys
k
enabled?
bl d?
ƒ Keyboard Combinations Which Produce Common Dialogs.
CTRL-B, CTRL-I (Favourites)
CTRL-H (History)
CTRL L CTL-0
CTRL-L,
CTL 0 – (File/Open Dialog)
CTRL-P – (Print Dialog)
CTRL-S – ((Save As))
ƒ Kiosk Specific ‘Administrative’ shortcuts.
ƒ All Kiosk pproducts contain a hidden Administrative menu.
ƒ Mash the keyboard, CTRL-ALT-F8? CTRL-ESC-F9?
Hacking
g Kiosk Software
ƒ Browser Security Zones
ƒ Browser security model incorporates multiple security zones:
Restricted Sites
Internet Zone
Intranet Zone
Trusted Sites
ƒ Each security zone adheres to a different security policy.
ƒ Internet zone has less ability to interact with a host.
host
ƒ Trusted Sites, Intranet Zone typically have more access.
Hacking
g Kiosk Software
ƒ Local Users Can Access All Available Security Zones.
ƒ URL
URL’ss must be directly typed into the URL entry bar
bar.
ƒ Security Zone Escalation. about: pluggable-protocol handler.
ƒ About handler belongs to the ‘Trusted Sites’ security zone.
ƒ Suffers from a Cross Site Scripting vulnerability.
ƒ Local users can render arbitrary content within a trusted zone.
ƒ Spawn a File Open Common Dialog from a trusted security zone
zone.
about:<input%20type=file>
about:<a%20href=C:\windows\>Click-Here</a>
b
%20h f C \ i d
\ Cli k H
/
ƒ Internet zone cannot follow links to the file system.
y
ƒ Trusted sites can.
Hacking
g Kiosk Software
ƒ Shell Protocol Handler.
ƒ Shell handler provides access to Windows web folders
folders.
ƒ Type Into the URI Bar:
ƒ Shell:Profile
ƒ Shell:ProgramFiles
ƒ Shell:System
ƒ Shell:ControlPanelFolder
ƒ Shell:Windows
ƒ Each
E h URL will
ill spawn explorer.exe
l
and
d browse
b
the
h web
b folder.
f ld
ƒ Is the shell: handler blocked by the Kiosk?
Hacking
g Kiosk Software
ƒ How About This:
ƒ shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}
shell:::{21EC2020 3AEA 1069 A2DD 08002B30309D}
ƒ Invoke the Windows Control Panel by ClassID.
ƒ Works
W k from
f
common Internet
I t
tE
Explorer
l
lib
libraries.
i
ƒ Bypass native ACL’s that may exist on control.exe
Hacking
g Kiosk Software
ƒ The Downside to Physical Input Vectors.
ƒ Kiosk software is designed to not trust the guy on the keyboard
keyboard.
ƒ Kiosk User = Most Obvious Security Threat.
ƒ My research concluded that physical inputs are not so successful.
successful
ƒ 40-50% chance of popping shell.
ƒ Many
M
techniques
t h i
are already
l d published,
bli h d unoriginal.
i i l
ƒ A Subtle Discovery…
ƒ Remote websites not factored into the Kiosk security model.
ƒ Websites are trusted MORE than a local Kiosk user!
ƒ Kiosks rely on the default web browser security model.
model
Hacking
g Kiosk Software
ƒ “I Need a Kiosk Hacking Website.”
ƒ An online tool you can visit from an Internet Kiosk terminal.
terminal
ƒ Provide all the content you will ever need to escape a Kiosk jail.
ƒ iKAT – Interactive Kiosk Attack Tool.
ƒ First of its kind! New method of hackingg Internet Kiosks!
ƒ Fast! iKAT can pop shell in less than 30 seconds.
ƒ 95
95-100%
100% success rate!
ƒ http://ikat.ha.cked.net
Hacking
g Kiosk Software
ƒ What Can iKAT Do?
ƒ Kiosk Reconnaissance : Detect Installed Applications
ƒ JavaScript & res:// (resource) protocol handler.
ƒ Extract bitmap resources from PE executables
executables.
ƒ Verify bitmap presence and detect installed applications.
ƒ Detects all common commercial Kiosk platforms.
ƒ Enumerates locallyy installed applications.
pp
Hacking
g Kiosk Software
ƒ Display Local Browser Variables.
ƒ Determine underlying Kiosk browser technology.
technology
ƒ MSINET.OCX, WINHTTP.DLL display Internet Explorer appVersion
ƒ Detect the presence of .NET
NET CLR
CLR.
ƒ Display Remote Server Variables
ƒ Discover remote IP address of the Kiosk terminal.
Hacking
g Kiosk Software
ƒ All Common Browser Dialogs In One Place
ƒ File Open, Save As, Print, Print Preview:
ƒ Click down the list and determine what dialogs are blocked.
ƒ Use the File View control within the dialogs.
Hacking
g Kiosk Software
ƒ Use Flash To Invoke Common Dialogs.
ƒ Adobe Flash is the most widely used browser plug
plug-in
in.
ƒ ActionScript 3 can invoke three unique File View dialogs.
ƒ ‘Select
Select File For Upload’
Upload
ƒ ‘Select File(s) For Upload’
ƒ ‘Select
‘S l t location
l
ti for
f Download
D
l d by
b ikat.ha.cked.net’
ik t h k d t’
ƒ Flash Common Dialogs have Unique Dialog Titles
ƒ Not standard “Choose File”
ƒ Bypass
ypa dialog
d a og Window
do title blacklists.
ba
ƒ Still contains the File View control.
ƒ Blacklists fail (again).
Hacking
g Kiosk Software
ƒ Spawning Applications On The Kiosk.
ƒ Can we cause an application/process to spawn on the Kiosk.
Kiosk
ƒ Does the spawned application contains a common dialog?
ƒ Use the application to gain additional access to the Kiosk.
Kiosk
ƒ iKAT Invokes Default Windows URI Handlers.
ƒ URI handler applications are spawned for each URI.
ƒ Callto://,
//, Gopher://,
p
//, HCP://,
//, Telnet://,
//, TN3270://,
//, Rlogin://,
g //,
LDAP://, News://, Mailto://
ƒ One Click Automation: One click spawns all default handlers.
ƒ 3rd party URI Handlers
ƒ MMS://,
MMS:// SKYPE://
SKYPE://, SIP://
SIP://, Play://
Play://, Steam://
Steam://, Quicktime://
Hacking
g Kiosk Software
ƒ Example: HCP://: Help And Support Center
ƒ <a href
href=HCP://dummy>
HCP://dummy> Click
Click-me
me </a>
ƒ Search HCP for what you want to launch “Command Prompt”
ƒ “Using
Using Command Prompt
Prompt” provides link to spawn cmd.exe
cmd exe
ƒ Left Click Only!
Hacking
g Kiosk Software
ƒ iKAT Provides Links to Over 100 URI Handlers.
ƒ Click,
Click click,
click click down the list.
list
ƒ Determine which handlers are covered by the Kiosk blacklist.
ƒ Use invoked handler application to escape the Kiosk.
Kiosk
ƒ iKAT Contains Local Security Zone Handlers
ƒ about:, res:, shell:
ƒ Lists of URL’s to type in.
ƒ Remembering ClassID’s is hard.
Hacking
g Kiosk Software
ƒ Invoke Applications Using File Type Handlers.
ƒ Click on test.myfile,
test myfile Windows will spawn the ‘myfile’
myfile handler.
handler
ƒ iKAT uses DHTML/JavaScript to invoke 108 unique file handlers.
ƒ Internet Explorer supports prompt-less handler execution.
ƒ Example: Click test.wmv, Windows Media Player Spawns.
ƒ No Prompt “Are you sure you want to…”.
ƒ Kiosk blacklists monitor in focus dialogs for warning prompts.
Hacking
g Kiosk Software
ƒ iKAT & Windows Media Files.
ƒ WMPlayer will silently launch for multiple file types.
types
ƒ Windows Media Playlist Files (.ASX)
ƒ Supports
S
t ‘W
‘Web
bE
Enhanced
h
d Content’.
C t t’
ƒ Turn Windows Media Player
y into a web browser!
ƒ Provides a browser without any Kiosk security controls.
Hacking
g Kiosk Software
ƒ iKAT & Office Documents.
ƒ If an Office file viewer is installed on the Kiosk,
Kiosk we win.
win
ƒ Embed a copy of cmd.exe within an office document.
ƒ Supported by .DOC,.DOCX,.XLS,.XLSB,.XLSM,XLSX
DOC DOCX XLS XLSB XLSM XLSX
ƒ ‘Open Package Contents’ dialog not detected by any Kiosk.
ƒ iKAT will spawn the most useful file possible.
Hacking
g Kiosk Software
ƒ iKAT & Java Applets:
ƒ Signed Java applets can execute local processes.
processes
ƒ Detect if JRE is installed (iKAT Kiosk Reconnaissance).
ƒ Does the Kiosk detect the Java security warning prompt?
ƒ “Warning – Security”
ƒ 0% off tested
t t d Ki
Kiosks
k did.
did
ƒ iKAT Contains
o a
Signed
g d Kiosk
o Specific
p
Java
a a Applets.
pp
ƒ Signed applets to spawn command shells.
ƒ Includes Jython by GNUCITIZEN.
GNUCITIZEN
Hacking
g Kiosk Software
ƒ Install a Malicious ActiveX
ƒ Safe for scripting ActiveX’s
ActiveX s can be used to compromise a Kiosk
Kiosk.
ƒ Unsafe method: object.execute(‘cmd.exe’);
ƒ Can we install a malicious ActiveX on the Kiosk?
ƒ iKAT ActiveX
ƒ Safe-for-scripting ActiveX which executes arbitrary executables.
ƒ Installingg an ActiveX requires
q
administrative authority.
y
ƒ iKAT ActiveX gives you the ability to spawn a shell.
ƒ ActiveX is changing:
ƒ IE8 will not require admin rights for installing a new ActiveX.
ActiveX
Hacking
g Kiosk Software
ƒ iKAT & ClickOnce Applications
ƒ ClickOnce is .NET
NET 2.0+
2 0+ technology (.NET
( NET CLR 2+ required)
ƒ ‘Online Application Deployment’ .application file handler.
ƒ Unsigned ClickOnce applications execute with full trust!
ƒ Admin privileges are not required!
ƒ Users are warned:
ƒ All tested Kiosks fail to detect this warning message!
ƒ Modern Kiosks now developed in .NET (CLR is present!)
Hacking
g Kiosk Software
ƒ The most useful ClickOnce applications for Kiosk Hacking?
ƒ Embedded Web Browser.
ƒ HTTP browser with reduced security settings.
ƒ Application Executor.
ƒ Spawn arbitrary executables
executables.
ƒ Access Token Pincher.
ƒ Access token hijacking is a hip subject, why not!
ƒ Does the Kiosk user have the SeImpersonate privilege?
ƒ Impersonate available (privileged) tokens.
ƒ Spa
Spawn ccmd.exe
de eu
under
de the
t e co
context
te t o
of tthe
ep
privileged
eged to
token.
e
ƒ System shell, I win.
Hacking
g Kiosk Software
ƒ Who Here Has Ever Crashed a Web Browser?
ƒ What about crashing a Kiosk: ‘Emo-Kiosking’
Emo-Kiosking
ƒ Create an unhandled exception in a Kiosk browser.
ƒ Kiosk browser crashes
crashes, We get the desktop
desktop, We Win!
ƒ Rare situation: Application crash = highly critical vulnerability.
ƒ iKAT Contains Common Browser Crash Techniques.
ƒ Published
P bli h d exploits
l it which
hi h results
lt in
i a crash.
h
ƒ Fastest, easiest method of escaping a Kiosk.
ƒ Fairly reliable, 40%-50% of tested Kiosks crash.
ƒ Kiosks crash, or reboot.
Hacking
g Kiosk Software
ƒ Crashing Browser Plug-ins.
ƒ “Can
Can I create a .SWF
SWF file that can reliably crash a browser?”
browser?
ƒ Sequential byte file format fuzzing of the .SWF format.
ƒ Found multiple unhandled exception situations
situations.
ƒ Integer Divide By Zero.
ƒ Immediately
d
l un-exploitable,
l
bl reliably
l bl crash
h any browser.
b
ƒ Created ‘iKAT Auto Magic Flash Crasher’.
ƒ Is the Flash Plug
Plug-in
in Installed on The Kiosk?
ƒ iKAT can crash it, guaranteed, oh-day magic.
ƒ Adobe have resolved this issue in Flash Player 10 RC.
RC
Downloading
g Tools
ƒ Lets Assume Something Worked.
ƒ You have access to the Kiosk File system
system.
ƒ Command shell spawned, Common Dialog, Java installed, etc
ƒ What Now?
ƒ Download additional tools/binaries.
tools/binaries
ƒ How Do You Download Files In a Tool-less Environment.
ƒ Kiosk terminal will not have a copy of wget.exe present.
ƒ Internet Explorer is likely uninstalled or disabled.
ƒ File downloads disabled.
Downloading
g Tools
ƒ Old School: Downloading Files In Windows:
ƒ Using Common Dialogs
ƒ ‘Attach’ a remote file from a File-Open dialog.
ƒ FPSE/WebDAV to save the file locally
locally, and attach it
it.
ƒ Works
k From Any File->Open
l
Dialog.
l
ƒ File saved in a writeable location.
ƒ Temporary internet files.
ƒ Downloads any file type/size.
Downloading
g Tools
ƒ Use Flash To Download Files.
ƒ Most Kiosk’s
Kiosk s disable File Downloads with browser security policy
policy.
ƒ IE: Tools -> Internet Options -> Custom Level
ƒ Flash can be used to circumvent the browser policy.
ƒ Download method of the FileReference() object.
ƒ Flash does not validate browser security policy.
ƒ Very high success rate against Kiosks.
ƒ Another unpublished oh
oh-day
day trick.
trick
Downloading
g Tools
ƒ Notepad Can Download and Upload Files.
ƒ
File-> Open
ƒ http://test.com/trojan.txt
htt //t t
/t j t t
ƒ Content must be 7bit safe.
ƒ File-> Save
ƒ Upload content to a remote site.
ƒ FPSE/WebDav
ƒ http://www.ok.com/blah.txt
http://www ok com/blah txt
ƒ Quickly upload files from a Kiosk.
Kiosk
Downloading
g Tools
ƒ #1 Problem: Kiosk Hacking is a Tool less Environment
ƒ “iKAT
iKAT needs to provide tools for Kiosk hacking
hacking”.
ƒ Assorted Kiosk Hacking Tools:
ƒ Tools available as
ƒ .exe, .zip, Flash Download, 7bit Safe VBScript (.VBS/.VBE)!
Downloading
g Tools
ƒ Command Shell Detours:
ƒ How many ways to spawn a command shell on Windows?
cmd.exe
command.com
win.com cmd.exe
win.com command.com
Loadfix.com start.exe
sc create testsvc binpath=
"cmd
cmd /K start
start" type
type= own
type= interact
loadfix.com cmd.exe
loadfix.com command.com
start loadfix.com cmd.exe
start loadfix.com
command.com
start loadfix.com
cmd.exe
%COMSPEC%
ƒ Win.com? Loadfix.com? Start? Combinations of both?
ƒ Kiosk ACL’s typically
yp
y block cmd.exe from spawning.
p
g
ƒ What about command.com, win.com?
ƒ CMD Detours attempts 17 methods of invoking a shell.
ƒ Flawless at bypassing Kiosk ACL’s.
iKAT Reloaded
ƒ Officially Released at Defcon 16 Las Vegas.
ƒ Amazing success!
ƒ iKAT can pop shell on ANY Vegas Kiosk < 10 seconds
ƒ Who’s Been Using iKAT?
ƒ 14,000+
14 000+ unique hits,
hits 10-15%
10 15% of requests from Kiosks!
ƒ reception.sitekiosk.com, comm775-kiosknet-dhcp8.bu.edu & comm685-kiosknet-dhcp74.bu.edu
ƒ 12-46-54-181.seatac.seattwa.wayport.net, Aoc.ppx-bc2.hqda-aoc.army.pentagon.mil
ƒ Digger2.defence.gov.au,
Digger2 defence gov au Radisson-hotel-19.lax.customer.centurytel.net
Radisson-hotel-19 lax customer centurytel net
ƒ Security-lab1.juniper.net, Lan-116.181.coresecurity.com
ƒ Ustdc1.deloitte.com, Deloitteservices.deloitte.nl, Dh212.public.mod.uk
ƒ iKAT Portable Now Available!
ƒ Entire iKAT website in a zipp file
ƒ Useful for offsite penetration testers.
Pwnage!
g
Hacking
g Kiosks : The Demo’s
ƒ Two virtualized (commercial) Kiosk products.
ƒ Recommended Kiosk application configuration.
ƒ Default Windows XP install.
ƒ Using iKAT To Pop a Command shell
ƒ As Fast As Possible!
Conclusion
Questions?
Email me:
[email protected]
[email protected]