
I am interested in potential/actual attacks against kiosk software.

I am not talking about physical access, or specifically designed kiosk operating systems or shells, but rather software that runs over Windows and attempts to prevent access. All too often this software runs on top of Explorer, and I wonder just how secure it could be, given that is the case?

One product, for example, ShellPro, I have had experience with. Just out of curiosity and playing around I managed to get Task Manager and a command prompt up. I could not access drive contents at all, but it was a custom dialog preventing access.

Running something on top of the OS like this would not seem to be a secure way of denying access, as if you can tap into any OS functionality then you will have access AFAIK.

What about running a script through an allowed application? JavaScript in the address bar? Windows Script Host? Macros?

Are there not many simple attacks against these kinds of software, or can they actually serve the purpose for which they are designed? Such software always seemed to me only useful against people who didn't have basic Windows knowledge, but I don't know if that perception is accurate at all.

Just how effective is such software and what ways can it be bypassed?

AviD
Sonny Ordell

3 Answers


It will always vary depending on the application and implementation, however some of the ways in which these applications function can be quite effective at slowing down malicious users, and preventing breaking out of the Kiosk interface.

At the end of the day, physical access will always prevail with sufficient time and resources.

Kiosk countermeasures:

  • Whitelisting - processes, dialogs, windows
  • Process watching - checking running processes, terminating unknown and relaunching the kiosk app if it ends
  • Restrict execution of .exe's
  • Disabling common hotkeys and shortcuts
  • Disabling host functionality - e.g. Task Manager in Windows
  • Reducing underlying attack surface by removing unrequired software and applications, such as Java libraries
  • Restrict locations users can access, e.g. sites/domains in a web browser to only local or specified hosts. This could be implemented at a network/NAC layer rather than on the Kiosk host.

Possible Kiosk attacks will vary depending on the product and deployment in question, but some general ideas:

  • As you mentioned, bypass executable restrictions by launching through batch files (commonly restricted as well), flash, java, macros.
  • Where the user is restricted to a specific graphical application (e.g. browser), it may be possible to crash the browser through known vulnerabilities, such as in flash player.
  • Exploring gaps in restrictions for underlying host functionality, such as in IE Kiosk mode: (1) Save File/Target As, (2) Default Feeds in History, (3) Print to file, (4) New tab, link to help pages, (5) help functionality may allow launching of apps and services.

During a recent pentest on Internet Explorer in Kiosk mode I found this resource useful which references the iKAT Kiosk Attack Tool (note: NSFW image on iKAT page).

lew
  • If the kiosk software is running in userspace, just how effective can it be at preventing any of the stuff you list above, such as restricting execution of EXEs? – Sonny Ordell Jun 11 '11 at 12:29
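As an added illustration of the "process watching" and whitelisting countermeasures in the answer above (this is example code, not from the original post or any kiosk product), a minimal PowerShell watchdog that terminates non-allowlisted processes in the kiosk user's session and relaunches the kiosk application if it exits. The kiosk executable path, process name, allowlist and log path are assumptions.

```powershell
# Added example: userspace process watchdog for a Windows kiosk session.
# Assumed values (not from the original post):
$KioskExe  = 'C:\Kiosk\KioskBrowser.exe'   # path to the kiosk application
$KioskName = 'KioskBrowser'                 # its process name, without .exe
$LogFile   = 'C:\Kiosk\watchdog.log'

# Allowlist of process names permitted to run in the kiosk user's session.
# Anything else that appears (cmd, taskmgr, wscript, ...) is killed and logged.
$Allowed = @($KioskName, 'explorer', 'dwm', 'csrss', 'winlogon',
             'powershell', 'conhost')

# Only inspect processes in the same interactive session as this script,
# so service/system processes in session 0 are never touched.
$sessionId = (Get-Process -Id $PID).SessionId

while ($true) {
    $procs = Get-Process | Where-Object { $_.SessionId -eq $sessionId }

    foreach ($p in $procs) {
        if ($Allowed -notcontains $p.ProcessName) {
            "$(Get-Date -Format o) KILL $($p.ProcessName) pid=$($p.Id)" |
                Add-Content -Path $LogFile
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }

    # Relaunch the kiosk app if the user managed to close or crash it.
    if (-not ($procs | Where-Object { $_.ProcessName -eq $KioskName })) {
        "$(Get-Date -Format o) RESTART $KioskName" | Add-Content -Path $LogFile
        Start-Process -FilePath $KioskExe
    }

    Start-Sleep -Milliseconds 500
}
```

Note the limitation raised in the comment above: because the watchdog itself runs in userspace, it only helps if the user cannot terminate it or spawn a process in the 500 ms window between scans, so it complements rather than replaces the other countermeasures listed.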

There was a really good talk at Security BSides London on how a single setting in Microsoft Terminal Services would let you break in using Metasploit to any locked-down RDP session. Applicable to kiosks too, I would imagine, if you can get on the same subnet.

http://www.slideshare.net/bsideslondon/breaking-out-of-restricted-rdp

Rakkhi

You might be interested in looking at sources of iKat which is a framework made just for attacking kiosks.

iKAT was designed to aid security consultants with the task of auditing the security of internet Kiosk terminals.

iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionality.

It's set up as a webpage with links to various scripts helpful for exploiting browsers and/or plugins used for Internet browsing. So all you have to do is navigate to this in kiosk web browser and start exploring this resource. There is also a portable version to download. There is also a '1-click PWN' button.

There are many ways to attack, including downloading & running binaries, exploiting unpatched browser vulnerabilities, running Java/Silverlight plugins (you can deliberately give them access to the filesystem), running Media Player, PDF browser etc. Browsing through iKat will give you an idea of what ways can already be used to attack a kiosk system.

My gut tells me that there is no software that can successfully defend against all these attacks when the user wants to elevate privileges (i.e. wants "to be hacked") and the underlying OS/applications are not up-to-date with all security patches applied (and they aren't in real-world kiosk appliances).

Krzysztof Kotowicz