8/14/2019 Attacking Internet Kiosks
Attacking Internet Kiosks
Michael "theprez98" Schearer
References
- This presentation is based upon the work of Paul Craig and his presentations about hacking Internet kiosks at DEFCON 16, ShakaCon 2009, and BruCon 2009 (www.security-assessment.com)
Internet Kiosk Hardware
- Public internet terminals found in hotels, airports, train stations, libraries, etc.
- Custom hard-shell case typically lacking physical access to the computer
- Restricted ability for input (Floppy/DVD/USB/FireWire)
- Secured to ground
- Pay mechanism built into the kiosk
Internet Kiosk Software
- 40+ different commercial kiosk products; most are Windows-based
- Windows is made to look like a kiosk terminal
- Implements standard Windows/Internet Explorer libraries
- Windows functionality wrapped in a kiosk candy shell
Kiosk security
- Kiosk vendors try to implement security features
- Security is also a functional requirement, and taken seriously
- It's also a selling point: secure kiosks are not cheap kiosks
Kiosk security model
- Kiosk software is based on a Principle of Least Privilege
  - A kiosk user must ONLY have access to browse the internet
  - Kiosk software must prohibit all other activity
- Security implemented through two approaches:
  - Functionality reduction by activity blacklist
    - Prohibiting access to native OS functionality
    - Anything not required to browse the internet
  - User interface security/sandboxing
    - Graphically jailing a user into a kiosk interface/GUI
    - Kiosk software is run in full screen
    - Start bar/tray menu removed
    - No ability to click out of, or escape, the kiosk browser
Kiosk security model examples
- Browser runs in high security mode
- Keyboard driver disables special shortcuts
- Custom mouse disables right-click
- Timer monitors usage of blacklisted apps
Core security issues
- Blacklists don't work
- Websites visited from the kiosk are not factored into the security model
- Underlying browser technology implements security by user interaction
Blacklists don't work
- 100 different ways to do anything on any OS!
- A kiosk blacklist must stop EVERY method; they don't
Windows is flexible
File:/C:/windows
File:/C:\windows\
File:/C:\windows/
File:/C:/windows
File://C:/windows
File://C:\windows/
file://C:\windows
C:/windows
C:\windows\
C:\windows
C:/windows/
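Every spelling on this slide names the same directory, which is exactly why a string-matching blacklist cannot keep up. The Python script below is an added example (not from this talk or from Paul Craig's material): it runs a hypothetical substring blacklist over the slide's list and counts the misses, then canonicalizes each entry so all ten compare equal, and finally applies the allowlist a least-privilege kiosk would use instead, permitting only http/https. The blacklist entries, function names and the http test URL are assumptions; the ten inputs are the slide's own.

```python
"""Blacklist vs. canonicalize-then-allowlist for the path spellings on the slide."""
import re
from urllib.parse import unquote

# Constructed test input: the ten spellings from the slide, nothing else.
VARIANTS = [
    "File:/C:/windows",
    "File:/C:\\windows\\",
    "File:/C:\\windows/",
    "File://C:/windows",
    "File://C:\\windows/",
    "file://C:\\windows",
    "C:/windows",
    "C:\\windows\\",
    "C:\\windows",
    "C:/windows/",
]

# Hypothetical kiosk blacklist: the two spellings a vendor might think of.
BLACKLIST = ["c:\\windows", "file://c:\\windows"]

# Allowlist a least-privilege kiosk would use instead: only web schemes.
ALLOWED_SCHEMES = {"http", "https"}


def naive_blocked(value):
    """The check a typical blacklist performs: case-insensitive substring match."""
    v = value.lower()
    return any(entry in v for entry in BLACKLIST)


def canonicalize(value):
    """Reduce a URL or path to (scheme, canonical path) so equivalent spellings compare equal.

    Handles a file: scheme written with one, two or three slashes, mixed separators,
    trailing separators, percent-encoding (not on the slide, decoded anyway) and,
    for Windows drive paths, letter case.
    """
    v = unquote(value.strip())
    scheme = None
    # Require two or more characters before the colon so "C:" is not read as a scheme.
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]+):(.*)$", v)
    if m:
        scheme, v = m.group(1).lower(), m.group(2)
    v = v.replace("\\", "/")                     # unify separators
    v = re.sub(r"/+", "/", v).strip("/")         # collapse runs, drop leading/trailing slash
    if re.match(r"^[A-Za-z]:(/|$)", v):          # bare drive path is a local file reference
        scheme = scheme or "file"
        v = v.lower()                            # Windows paths are case-insensitive
    return scheme, v


def allowlist_permits(value):
    """Least-privilege rule: a kiosk user may open web URLs and nothing else."""
    scheme, _ = canonicalize(value)
    return scheme in ALLOWED_SCHEMES


def evaluate(values):
    """Return (inputs the blacklist missed, set of canonical forms, inputs the allowlist permits)."""
    missed = [v for v in values if not naive_blocked(v)]
    forms = {canonicalize(v) for v in values}
    permitted = [v for v in values if allowlist_permits(v)]
    return missed, forms, permitted


if __name__ == "__main__":
    missed, forms, permitted = evaluate(VARIANTS)
    print(f"blacklist missed {len(missed)} of {len(VARIANTS)} spellings: {missed}")
    print(f"canonical forms: {forms}")
    print(f"allowlist permitted: {permitted}")
```

The blacklist misses the four forward-slash spellings, the canonicalizer maps all ten to `("file", "c:/windows")`, and the allowlist permits none of them while still allowing an ordinary `https://` URL through.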
Websites visited from the kiosk are not factored into the security model
- Kiosks rely on the default browser security policy when dealing with remote sites
- This policy was not designed for a kiosk/public environment
Browser technology implements security by user interaction
- Browser will trust the kiosk user
- "Are you sure you want to run this?"
- Don't trust what I say!
Attack vectors
- Physical input
  - Interacting with the kiosk GUI
  - Using the keyboard and mouse
  - Clicking buttons, graphics, menus
  - Typing values into the URL bar if available
- Remote input
  - Remote browser content
  - Input from a website
Method of attack
1. Escape the kiosk graphical jail
   - Minimize or close the kiosk browser application
   - Pop a command shell, e.g. taskkill /IM KioskBrowser.exe
   - Enable the hidden (real) Windows Start bar
   - Get back to Windows
2. Download additional binaries to the kiosk
   - Port scanner, Metasploit, rootkit, trojan, keylogger
Physical escapes of kiosk jail
- Use the URL bar to browse the file system
- Invoke the File View control to enable Windows Explorer capabilities
- IE Image Toolbar
- Keyboard shortcuts (including kiosk-specific shortcuts)
- Etc.
Remote escape solution?
Interactive Kiosk Attack Tool (iKAT)
- Kiosk reconnaissance
- Display local browser variables
- Display remote server variables
- Invoke dialogs with JavaScript/HTML
- Use Flash to create Common Dialogs
- Spawning applications
- Downloading files using native Windows functionality
So you can imagine what happened next...
Predictably, SiteKiosk has blocked iKAT
Solution 1: iKAT Portable
- Complete copy of the iKAT website
- Free of charge, no strings attached, 100% malware free
- Run your own version, host iKAT Portable and become a kiosk wizard
- Extract it to a web server capable of serving static content
Solution 2: Change the address
- Instead of ikat.ha.cked.net, try ikat2.ha.cked.net
Success! ...so far
Let's play around with SiteKiosk
...but
- SiteKiosk has really gone overboard to develop security countermeasures specific to iKAT
- It turns out that SiteKiosk can be exploited
  - You can crash SiteKiosk with VBScript, but
  - You still cannot run cmd.exe or access any system functions
(I found this out about 11:30 PM last night)
Temporarily sidetracked, but do you really think I'm going to give up? SiteKiosk isn't the only kiosk software out there
How about NetStop Pro? (To be fair, I started playing with NetStop Pro about 12:15 AM this morning, just so you don't expect too much.)