Rage Against the Kiosks

Information about Rage Against the Kiosks

Published on May 27, 2016

Author: blazeinfosec

Source: slideshare.net

1. THE BIGGEST HACKING, SECURITY AND TECHNOLOGY EVENT IN BRAZIL AND ON THE CONTINENT

2. Rage Against the Kiosks Tiago Ferreira

3. INTRODUCTION 27/05/2016 3

4. $ whoami
• Co-founder and security engineer at Blaze Information Security
• Been around in the security community and industry for 10 years now
• I've worked in security companies in Brazil and abroad
• I do security research (exploitation techniques, tools and hacking stuff)
• I am a drummer \m/
• I used to have a cool moustache!

5. PRESENTATION ROADMAP

6. $ cat agenda.txt
• A brief overview of kiosk systems and restricted environments
• Understanding the security model of kiosks
• Breaking out of environment restrictions
• Real life kiosk hacking

7. A BRIEF OVERVIEW OF KIOSK SYSTEMS

8. KIOSKS
In many cases they sit in public areas and are left largely unattended for long periods of time.

9. KIOSKS
Kiosks are popular in airports, waiting areas, hotel lobbies and museums, to name a few.

10. KIOSKS
Use cases include browsing the web, sending e-mails, printing photos or querying for information.

11. KIOSKS
Depending on the use case, the kiosk may be connected to the internal or corporate network.

12. UNDERSTANDING THE SECURITY MODEL OF KIOSKS

13. Hardware
• In general it is inside a physically fortified box
• Restricts external devices by blocking USB ports (depending on the use case)
• Sometimes it has its own keyboard without special keys like AltGr, Fn, etc.

14. Software
• Tries to limit a feature-rich environment like an OS to a restricted subset of functionality
• Most restrictions are imposed on the user interface. For example: non-existent Start menu, apps execute in full screen with no possibility to minimize, a watchdog monitors certain APIs to close modal boxes, right click is disallowed, etc.

15. Browser-based
• Much kiosk software monitors the URLs entered into the browser: a blacklist approach
• Also, many restrict the users to a certain set of sites (sometimes search engines are allowed)
• Installation of plugins and extensions is forbidden
• File downloads are usually restricted, too

16. BREAKING OUT OF ENVIRONMENT RESTRICTIONS

17. Break-out overview
• Kiosks and restricted environments are usually not configured well enough; there are numerous ways to circumvent their security
• Successful exploitation results in effective violations of security boundaries

18. Break-out overview
• Even if it is only horizontal privilege escalation (not obtaining admin-level), going from a restricted environment to the ability to interact with the OS and filesystem is a huge step towards full compromise
• Automated tools like iKAT work very well, but newer kiosks patched many of the vulnerabilities

19. Rule of thumb
EVEN THE SIMPLEST APPLICATION CAN HAVE FEATURES THAT CAN BE ABUSED TO ESCAPE THE RESTRICTIONS IMPOSED BY THE KIOSK SOFTWARE

20. High level methodology
• Invoke functionality that can be useful to escape restrictions
• Obtain a dialog box (e.g., Save As, Printer, Open, Tools/Configuration)
• From dialog boxes we can find other intended functionality to abuse and achieve our goal
• Play around with keyboard shortcuts such as CTRL+P, Windows+R (execute), Windows+S (save), etc.

21. High level methodology
• Map all 3rd party apps that can be called from the browser (Office, PDF readers, etc.)
• Office (MS Word, Excel) contains not only interesting menus but also the ability to execute documents with active content like macros
• Try downloading files from the browser and see how it goes

22. High level methodology
• Try to install a browser extension/plugin: a malicious extension can give you access to the underlying OS
• Unusual file paths are useful to bypass blacklists used in monitoring watchdogs
• Protocol handlers like file://, telnet://, ldap:// are your friend

23. High level methodology

24. High level methodology
• Browser-specific chrome:// URLs are your friend too
• Downloads: chrome://mozapps/content/downloads/downloads.xul
• Clear history: chrome://browser/content/sanitize.xul
• Cookies: chrome://browser/content/preferences/cookies.xul
• Connection Settings: chrome://browser/content/preferences/connection.xul
• Saved Passwords: chrome://passwordmgr/content/passwordManager.xul
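The blacklist weakness raised on slides 15, 22 and 24, as an added example that is not part of the original deck: a URL policy check a kiosk operator could run over navigation logs, contrasting the prefix-blacklist style the deck describes with a parsed allowlist of scheme and host. The allowed hosts and the log lines are constructed for the example.

```python
from urllib.parse import urlsplit

# Schemes and hosts the kiosk is meant to reach (constructed for this example).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.example.com", "intranet.example"}

# Prefix blacklist in the style the deck describes for kiosk watchdogs.
BLACKLISTED_PREFIXES = ("file://", "chrome://", "telnet://", "ldap://")


def blacklist_allows(url: str) -> bool:
    """Blacklist approach: permit anything not starting with a known-bad prefix."""
    return not url.startswith(BLACKLISTED_PREFIXES)


def allowlist_allows(url: str) -> bool:
    """Allowlist approach: parse the URL and permit only an expected scheme and host."""
    parts = urlsplit(url)  # urlsplit lowercases the scheme, so case tricks do not matter
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def audit(log_lines):
    """Return (timestamp, url, missed_by_blacklist) for every navigation the allowlist rejects."""
    findings = []
    for line in log_lines:
        ts, _event, url = line.split(" ", 2)
        if allowlist_allows(url):
            continue
        findings.append((ts, url, blacklist_allows(url)))
    return findings


# Constructed navigation log: timestamp, event, URL.
SAMPLE_LOG = [
    "10:00:01 nav https://www.example.com/",
    "10:00:07 nav chrome://passwordmgr/content/passwordManager.xul",
    "10:00:12 nav FILE:///etc/hosts",
    "10:00:20 nav https://intranet.example/",
    "10:00:25 nav ldap://directory.example/",
]

if __name__ == "__main__":
    for ts, url, missed in audit(SAMPLE_LOG):
        status = "MISSED by blacklist" if missed else "caught by blacklist"
        print(f"{ts} blocked {url} ({status})")
```

The third sample line shows why the deck's advice holds: the prefix blacklist lets an upper-cased scheme through, while the parsed allowlist rejects everything that is not an expected scheme on an expected host.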

25. High level methodology

26. High level methodology
• Crash the kiosk software and say goodbye to the monitoring watchdog
• Crash the browser with a client-side exploit and chances are you'll have access to the desktop

27. REAL LIFE KIOSK HACKING

28. Threat Modeling
• Identify potential attack surface
• Keyboard (physical, virtual)
• USB device
• Network Interface Card
• Browser resources (extension, internals)
• User input (fuzzing, payloads)

29. Porteus Kiosk
• It is possible to choose Firefox or Google Chrome
• Pretty well locked down against most attacks
• However, restrictions on chrome:// URLs are not properly enforced
• It can be abused by client-side attacks

30. InstantWeb Kiosk

31. InstantWeb Kiosk
• Based on Chromium
• Claims to be hacker-safe and malware-proof. So let's debunk the claim.
• Unrestricted access to file://, making filesystem browsing easy
• Allows removal and installation of arbitrary Chrome extensions
• Download and execute a .deb file and it's easy to

32. Netkiosk
• Based on Internet Explorer
• Unrestricted file access by manipulating the URI scheme
• It is easy to crash the main process (URI fuzzing)

33. References
• http://developer.mozilla.org (The chrome URL)
• Paul Craig - Hacking Internet Kiosks (Defcon)
• iKAT tool

34. Thank you! tiago@blazeinfosec.com http://br.linkedin.com/in/tiagoferreirasecurity #dontstophacking
