Paul Craig
Principal Security Consultant
Security-Assessment.com
Bio
Who am I?
Paul Craig
Principal Security Consultant.
Security-Assessment.com, Auckland, New Zealand
Comments, Feedback?
Email: paul@ha.cked.net
Website: http://ha.cked.net
Overview
Hacking Kiosks:
What is an Internet Kiosk.
Kiosk Software Security Model.
Tool Release.
Personal Objective:
Find every possible method of hacking Internet Kiosk terminals.
Become the King of Internet Kiosk Hacking!
What Is An Internet Kiosk
Hardware.
Kiosks built in tough hard-shell cases.
Fibreglass, Steel, Thick MDF.
Lack of physical access to the underlying computer.
Input devices inaccessible (Floppy/DVD/USB/FireWire)
Kiosk bolted to the ground (padlocked).
Software.
Majority of Kiosks run commercial Windows Kiosk software.
Linux/BSD Kiosks exist, Windows more popular.
Kiosk Software Essentially Skins Windows:
Kiosk browsers based on standard Internet Explorer libraries.
WINHTTP.DLL/MSINET.OCX
#2 – Graphically Jailed Into a ‘Secure Kiosk Browser’.
Kiosk users are stuck inside a Kiosk browser.
Kiosk browser runs in full screen, no ability to close or minimize.
Start Bar/Tray Menu removed or hidden.
Only thing you can do is browse the web.
Kiosk Security Model
Blacklist in-focus Modal Dialogs.
Block dialogs by Window Title or Window Class.
“Save File As”, “Open With”, “Confirm File Delete”, “Print”.
WM_CLOSE Window message sent to the blacklisted dialog.
Dialog closes.
Kiosk Security Model
API Hooking.
Hook native OS API calls which can be used maliciously.
KillProcess(), GetCommandLineW(), AllocConsole()
“Unauthorized Functionality Detected, Process Killed”.
Watchdog Timer.
Every 5 minutes the Kiosk will enumerate all active processes.
Terminate any unauthorized activity.
Kiosk Security Model
Custom Keyboard Driver.
Disable Windows shortcut key combinations.
CTRL-SHIFT-ESC (Task Mgr)
ALT-TAB (Switch Task)
CTRL-ALT-DELETE (Task Mgr)
CTRL-ESC (Start Menu)
Modifier Keys Unmapped.
Alt-F4 (Close Application)
Blacklists start failing about now.
Hacking Kiosk Software
Using Common Dialogs To Hack Kiosks.
Windows contains ‘Common Dialogs’ libraries.
Saving a file, opening a file, selecting font, choosing a colour.
COMDLG32.DLL (Common Windows Dialogs Library).
COMDLG32.DLL Implements Common Windows Controls.
From COMCTL32.DLL (Common Windows Controls Library)
Restricted Sites
Internet Zone
Intranet Zone
Trusted Sites
Each URL will spawn explorer.exe and browse the web folder.
A Subtle Discovery…
Remote websites not factored into the Kiosk security model.
Websites are trusted MORE than a local Kiosk user!
http://ikat.ha.cked.net
Hacking Kiosk Software
What Can iKAT Do?
Kiosk Reconnaissance : Detect Installed Applications
JavaScript & res:// (resource) protocol handler.
Extract bitmap resources from PE executables.
Verify bitmap presence and detect installed applications.
iKAT Contains Signed Kiosk-Specific Java Applets.
Signed applets to spawn command shells.
Includes Jython by GNUCITIZEN.
Hacking Kiosk Software
Install a Malicious ActiveX
Safe-for-scripting ActiveX controls can be used to compromise a Kiosk.
Unsafe method: object.execute(‘cmd.exe’);
Can we install a malicious ActiveX on the Kiosk?
iKAT ActiveX
Safe-for-scripting ActiveX which executes arbitrary executables.
Installing an ActiveX requires administrative authority.
iKAT ActiveX gives you the ability to spawn a shell.
ActiveX is changing:
IE8 will not require admin rights for installing a new ActiveX.
Hacking Kiosk Software
iKAT & ClickOnce Applications
ClickOnce is .NET 2.0+ technology (.NET CLR 2+ required)
‘Online Application Deployment’ .application file handler.
Unsigned ClickOnce applications execute with full trust!
Admin privileges are not required!
Application Executor.
Spawn arbitrary executables.
What Now?
Download additional tools/binaries.
Works From Any File->Open Dialog.
File saved in a writeable location.
Temporary internet files.
Downloads any file type/size.
Downloading Tools
Use Flash To Download Files.
Most Kiosks disable File Downloads with browser security policy.
IE: Tools -> Internet Options -> Custom Level
File-> Open
http://test.com/trojan.txt
Content must be 7bit safe.
File-> Save
Upload content to a remote site.
FPSE/WebDav
http://www.ok.com/blah.txt
Tools available as .exe, .zip, Flash Download, 7bit Safe VBScript (.VBS/.VBE)!
Downloading Tools
Command Shell Detours:
How many ways to spawn a command shell on Windows?
cmd.exe, command.com
win.com cmd.exe, win.com command.com
loadfix.com cmd.exe, loadfix.com command.com
start.exe
sc create testsvc binpath= "cmd /K start" type= own type= interact
start loadfix.com cmd.exe, start loadfix.com command.com, start loadfix.com %COMSPEC%
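The Watchdog Timer slide (enumerate all processes every 5 minutes, terminate anything unauthorized) and the Command Shell Detours list above together show why a name blacklist is the weaker half of the kiosk security model. The following is an added example, not code from the talk or from iKAT: a Python walk over a constructed process-table snapshot, comparing a blacklist launch filter (refuse cmd.exe / command.com as a direct child of the kiosk browser) with an allowlist watchdog (flag every image that is not on the list of processes expected on a locked-down box). The browser process name "kioskbrowser.exe" and the pids are hypothetical; the detour command lines are the ones from the slide.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One row of a process-table snapshot: pid, parent pid, image name, command line."""
    pid: int
    ppid: int
    image: str     # lower-cased image file name
    cmdline: str


# Constructed snapshot for illustration only. "kioskbrowser.exe" is a hypothetical
# name for the kiosk's browser process; the detour command lines come from the slide.
SAMPLE_PROCESSES: List[ProcEvent] = [
    ProcEvent(4, 0, "system", ""),
    ProcEvent(600, 4, "services.exe", "services.exe"),
    ProcEvent(700, 600, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1200, 600, "explorer.exe", "explorer.exe"),
    ProcEvent(1500, 1200, "kioskbrowser.exe", "kioskbrowser.exe /fullscreen"),
    ProcEvent(1600, 1500, "loadfix.com", "loadfix.com cmd.exe"),
    ProcEvent(1601, 1600, "cmd.exe", "cmd.exe"),
    ProcEvent(1700, 1500, "win.com", "win.com command.com"),
    ProcEvent(1701, 1700, "command.com", "command.com"),
    ProcEvent(1800, 600, "cmd.exe", "cmd /K start"),   # started by the service control manager
]

KIOSK_BROWSER = "kioskbrowser.exe"

# Blacklist model from the slides: image names the kiosk refuses to launch.
BLACKLIST = {"cmd.exe", "command.com"}

# Allowlist model: every image legitimately present on the locked-down box (assumed set).
ALLOWLIST = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", KIOSK_BROWSER,
}


def blacklist_direct_children(procs: List[ProcEvent], browser: str = KIOSK_BROWSER) -> List[ProcEvent]:
    """Blacklist as a launch filter: only what the browser spawns directly is inspected."""
    browser_pids = {p.pid for p in procs if p.image == browser}
    return [p for p in procs if p.ppid in browser_pids and p.image in BLACKLIST]


def allowlist_violations(procs: List[ProcEvent]) -> List[ProcEvent]:
    """Watchdog check: anything in the whole table that is not on the allowlist."""
    return [p for p in procs if p.image not in ALLOWLIST]


def ancestry(pid: int, procs: List[ProcEvent]) -> List[str]:
    """Image names from the root of the tree down to pid, to explain where a process came from."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:   # seen-set guards against pid reuse cycles
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def watchdog_report(procs: List[ProcEvent]) -> dict:
    """Summary a kiosk watchdog could log before terminating the flagged pids."""
    flagged = allowlist_violations(procs)
    return {
        "blacklist_flagged": [p.pid for p in blacklist_direct_children(procs)],
        "allowlist_flagged": [p.pid for p in flagged],
        "origins": {p.pid: " > ".join(ancestry(p.pid, procs)) for p in flagged},
    }


if __name__ == "__main__":
    for key, value in watchdog_report(SAMPLE_PROCESSES).items():
        print(key, value)
```

Run against the sample snapshot, the blacklist filter flags nothing: the browser's direct children are loadfix.com and win.com, and the service-launched cmd.exe has services.exe as its parent, so none of the three shells is a blacklisted direct child. The allowlist pass flags all five unexpected processes and the ancestry chain shows which ones trace back to the kiosk browser and which one arrived via the service control manager.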
Hacking Kiosks : The Demos
Two virtualized (commercial) Kiosk products.
Recommended Kiosk application configuration.
Default Windows XP install.
Questions?
Email me:
paul@ha.cked.net
paul.craig@security-assessment.com