Kiosk Hacking: When there is nothing else left
April 7, 2008 – 7:29 AM

In the tiger team operations we have been involved with, I often end up hacking through the least interesting systems. If you ask AP, a password-cracking ninja and master of hacking through simplicity, the less interesting the system is, the higher the chance that it is insecure. Successful exploitation of these systems often leads to successful exploitation of the network and other adjacent systems. This post concentrates on some theory and the practicalities of penetration testing kiosks when nothing else is left.
Why Kiosks?

Kiosks are perfect for all kinds of scenarios. Everybody who has played enough with them knows that they are insecure no matter how much hardening you apply. They are also very much subject to attack because the attacker has physical access: tampering with the keyboard or any other input/output port is entirely possible. Kiosks are uninteresting because they seem to provide only very basic features, and therefore they are largely ignored. At the same time, they are highly interesting because people use them for all kinds of mission-critical tasks without thinking twice about the confidentiality and security of the operations they perform. Let’s not forget that kiosks are, to an extent, backdoors into the network where they reside and into the domains from which they are controlled.
The traditional ways of hacking kiosks are well documented, yet unknown to the masses. The basic idea is to obtain some kind of access to the system that gives you enough flexibility to do whatever needs to be done. The traditional ways are all based around the idea of escaping the standard GUI lockdown. Usually kiosks are locked so that the user can use only the features provided by the vendor and nothing else. Sometimes kiosks are not correctly locked, which of course allows attackers to quickly gain access to the Windows shell by using something like the File -> Open dialog or any other mechanism that opens an Explorer shell or frame. This includes the Help system, the Open/Save/Save As features and pretty much everything else that deals with files, Explorer and Internet Explorer. On some kiosks, browsing the file system is not possible, yet you can still spawn executables through Outlook, if the kiosk is Windows based, because Outlook is usually not blocked and you can attach executables to emails which are executed when double-clicked. But that’s not all. There are other ways someone can gain access to a kiosk, or at least to the data it holds or may hold in the future.
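The escape paths above all depend on a UI restriction that the kiosk builder forgot to set. The following PowerShell audit is an added example (not part of the original post, nor any vendor's tool) that you run inside the kiosk's locked-down user session to list which of the standard Windows policy values that close those paths are absent. The registry paths and value names are the documented Group Policy locations for Internet Explorer menu restrictions, Explorer, cmd.exe and Software Restriction Policies; the check list itself and its "gap" descriptions are the editor's.

```powershell
# Added kiosk lockdown audit (example code, not from the original post).
# Each entry names a policy value, the setting that closes an escape path,
# and what stays open when it is missing. A missing key is expected on an
# unhardened kiosk, so lookups are done with -ErrorAction SilentlyContinue.

$ie  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmd = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$checks = @(
    @{ Path = $ie;  Name = 'NoFileOpen';           Want = 1; Gap = 'File -> Open dialog reachable (browse to / launch files)' },
    @{ Path = $ie;  Name = 'NoFileNew';            Want = 1; Gap = 'File -> New opens fresh windows outside the kiosk frame' },
    @{ Path = $ie;  Name = 'NoBrowserSaveAs';      Want = 1; Gap = 'Save As dialog reachable (file system browsing)' },
    @{ Path = $ie;  Name = 'NoBrowserOptions';     Want = 1; Gap = 'Tools -> Internet Options reachable' },
    @{ Path = $ie;  Name = 'NoViewSource';         Want = 1; Gap = 'View Source spawns an external editor' },
    @{ Path = $ie;  Name = 'NoBrowserContextMenu'; Want = 1; Gap = 'Right-click menu exposes Save/Open/Properties' },
    @{ Path = $exp; Name = 'NoRun';                Want = 1; Gap = 'Start -> Run available' },
    @{ Path = $exp; Name = 'NoViewOnDrive';        Want = 0x3FFFFFF; Gap = 'Drives browsable from any Explorer frame or common dialog' },
    @{ Path = $sys; Name = 'DisableTaskMgr';       Want = 1; Gap = 'Task Manager -> File -> New Task gives a launcher' },
    @{ Path = $sys; Name = 'DisableRegistryTools'; Want = 1; Gap = 'regedit runs if a launcher is found' },
    @{ Path = $cmd; Name = 'DisableCMD';           Want = 1; Gap = 'cmd.exe and batch files run if a launcher is found' },
    # DefaultLevel 0 = Disallowed: only whitelisted paths execute. Without it,
    # anything dropped via an attachment or Save As runs, whatever the UI hides.
    @{ Path = $srp; Name = 'DefaultLevel';         Want = 0; Gap = 'No Software Restriction Policy: dropped executables (e.g. Outlook attachments) run' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$missing = @()
foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    if ($null -ne $value -and $value -eq $c.Want) {
        Write-Host ('[set]     {0}\{1} = {2}' -f $c.Path, $c.Name, $value)
    } else {
        $shown = if ($null -eq $value) { '<absent>' } else { $value }
        Write-Host ('[MISSING] {0}\{1} = {2}  -> {3}' -f $c.Path, $c.Name, $shown, $c.Gap)
        $missing += $c
    }
}
Write-Host ('{0} of {1} lockdown values missing.' -f $missing.Count, $checks.Count)
```

Two caveats a tester should keep in mind when reading the output. First, all but the last entry are UI restrictions: they hide menus and dialogs, they do not stop code from running, which is exactly why the Outlook attachment trick in the text works on kiosks whose Explorer lockdown looks complete. Only an execution control such as a Software Restriction Policy (the `DefaultLevel` check) or its successors addresses that. Second, these are per-user keys for the logged-on kiosk account; a clean report for that account says nothing about other local accounts or about what a keyboard with physical access can reach during boot.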