Network World

Jimmy Ray Purser

A New Twist on Kiosk Hacking

Using iKat to pentest your kiosk before deployment

By JimmyRay on Thu, 09/03/09 - 1:38pm.

What do eating at a vegan restaurant and attending a four-day conference in Waukegan on the external factors influencing paint drying times have in common? Let me be rude here and answer that question with another question: what is the difference between c:\windows, c:/windows/, file:/c:\windows\ and %WINDIR%? If your answer is "no difference in taste or suck factor," then move to the highlighted square and continue your hack...

The above Windows paths are a tiny sample of the shortcuts I use in a browser to try to shuttle a shell on a kiosk. This is really just blacklist testing more than anything: four spellings of the same directory, and the lockdown has to catch every one of them. I see kiosks all over the place and, like anyone, I wonder what OS they are running and what their security posture is. My grandmother used to tell me that anything that backs itself up against a wall and challenges the world is either crazy or knows something you don't. But I am drawn to that stuff like old folks to a casino. Many folks put kiosks in the same category as ATMs, and that is a massively huge mistake.

When I see a kiosk, I've gotta hack it. I just want to see if I can shuttle a shell. If I can do that, then I feel like a man again, worthy of my Cap'n Crunch whistle. Then I put on my Star Trek "I Grok Spock" backpack and move out to the next who-shot-first debate...

Since most kiosks are Windows based, I can use their common file linking to shuttle a shell back to me. When I get to a kiosk, I start looking for a way to break out of browser jail. I start by plugging away at the keyboard, trying to reach the admin menu through keyboard shortcuts. Some of my favs are Ctrl-Esc-F9, Ctrl-Alt-F8, Alt-Esc-F10 and Ctrl-Alt-F5. If those fail, then I look at using any Windows application to launch the common dialog functions. Things like Run As, hcp://system/sysinfo/sysConfigLaunch.htm and even native shell calls like shell:System will pop open a dialog window that lets me escape out. Heck, even the IE floating image toolbar gives you great options; just hover over a picture and think differently...

Now this works mainly because function calls like Open a file, Save a file, or change a font or color all go through one common library, COMDLG32.dll, which in turn builds its dialogs out of the common controls in COMCTL32.dll. That is easier for developers to write code against, and it gives me a ton of application flexibility... or attack vectors... Although my little kiosk cheat sheet is fun to mess around with, a coder who writes a good blacklist can stop a lot of this stuff, because the kiosk code jockeys know about folks like us and do everything they can to monitor our input. Heck, just switching to Firefox will stop many of these attacks. So kiosk hacking has been kind of boring and more work than we actually want to be seen doing. Hacking involves a lot of invisibility. Anyone can see me standing at a public kiosk for 10-30 minutes plugging away. Not good, not useful and not cool-e-o.
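Here is the blacklist problem from the top of the post in code. This is an added example written for this page, not Paul's iKat code or anything shipped by a kiosk vendor: a toy URL filter for a kiosk browser, with a constructed environment table standing in for %WINDIR% and a made-up approved host (kiosk.example.com). The first filter does what many lockdowns do and looks for the literal c:\windows; the second canonicalises the input (percent-decoding, %VAR% expansion, slash direction, file: prefixes, case) and then refuses anything that is not http(s) to an approved host, which also kills the shell: and hcp: handlers mentioned above.

```python
"""Added example: why a kiosk path blacklist leaks and what replaces it.

The same Windows directory can be spelled many ways.  A filter that hunts
for one literal only catches the spelling it was written for; a filter that
canonicalises first and then applies an allowlist of schemes and hosts
catches all of them, including the shell: and hcp: dialog launchers.
"""
import re
from urllib.parse import unquote

# Constructed stand-in for the kiosk's environment (assumption: a real
# filter would consult the environment of the locked-down account).
KIOSK_ENV = {"WINDIR": r"C:\Windows", "SYSTEMROOT": r"C:\Windows"}

ENV_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
DRIVE_RE = re.compile(r"^[A-Za-z]:(/|$)")


def expand_env(s):
    """Expand %NAME% the way the Windows shell does (case-insensitive)."""
    return ENV_RE.sub(lambda m: KIOSK_ENV.get(m.group(1).upper(), m.group(0)), s)


def split_scheme(s):
    """Return (scheme, rest); a lone letter before ':' is a drive, not a scheme."""
    m = SCHEME_RE.match(s)
    if m and len(m.group(1)) > 1:
        return m.group(1).lower(), s[m.end():]
    return "", s


def canonical(url):
    """Reduce equivalent spellings of a target to one (scheme, path) pair."""
    s = expand_env(unquote(url.strip())).replace("\\", "/")
    scheme, rest = split_scheme(s)
    if scheme == "":
        # No scheme: a drive or UNC path is a local file; anything else a
        # browser would treat as http.
        local = bool(DRIVE_RE.match(rest)) or rest.startswith("//")
        scheme = "file" if local else "http"
    if scheme == "file":
        # file:///c:/..., file:/c:/... and file:c:/... all mean c:/...
        stripped = rest.lstrip("/")
        if DRIVE_RE.match(stripped):
            rest = stripped
    return scheme, rest.rstrip("/").lower()


BLOCKED_LITERAL = "c:\\windows"


def naive_blocked(url):
    """The blacklist many lockdowns ship: look for one forbidden literal."""
    return BLOCKED_LITERAL in url.lower()


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"kiosk.example.com"}  # assumption: the kiosk's own site


def allowlist_blocked(url):
    """Canonicalise, then refuse anything that is not http(s) to an approved host."""
    scheme, rest = canonical(url)
    if scheme not in ALLOWED_SCHEMES:
        return True
    authority = rest.lstrip("/").split("/", 1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    return host not in ALLOWED_HOSTS


# Probes from the post plus a few equivalent spellings (constructed).
PROBES = [
    "c:\\windows", "c:/windows/", "file:/c:\\windows\\", "%WINDIR%",
    "file:///C:/Windows", "c%3A%5Cwindows", "shell:System",
    "hcp://system/sysinfo/sysConfigLaunch.htm", "\\\\fileserver\\share",
]


def run_probes(probes=PROBES):
    """(probe, caught by the naive blacklist, caught by the canonical allowlist)."""
    return [(p, naive_blocked(p), allowlist_blocked(p)) for p in probes]


if __name__ == "__main__":
    for probe, naive, allow in run_probes():
        print(f"{probe:45} blacklist={'block' if naive else 'PASS '} "
              f"allowlist={'block' if allow else 'PASS '}")
```

Run it and the blacklist column shows PASS for most of the list while the allowlist column blocks every probe. The design point is that you cannot enumerate every spelling of a bad thing, so enumerate the good things instead: decode and normalise first, then compare the normalised form against what the kiosk is actually supposed to reach.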

This problem presented itself to Paul Craig of New Zealand's Security Assessment. He thought, "You know, I see an opportunity here for a Royal Appointment... I want to be the King of Kiosk!" and not in a sleazy/douche-baggy Donald Trump or Tim Robbins kind of way but a more honorable hacker one. He figured he needed to shell out of the kiosk software in less than one minute. So instead of focusing on the blacklists, which change all the time, he focused on not only COMDLG32.dll behavior but also on pushing IE's process calls through WININET.dll or MSINET.ocx to the extreme. Knowing that his input is monitored but his web activity is not, he wrote an entire tool set and methodology on his website http://ikat.ha.cked.net/ (the header graphic is a bit racy and kind of NSFW, but as Paul states, "This is NOT designed to be used for public kiosk"). The tool is called iKat, the Interactive Kiosk Attack Tool, and it is fantastic! It is designed to run in a web browser and try hundreds of escape options in a few clicks.

iKat starts with the basics we all know from security assessment:
- Recon: inventory installed apps, variables and settings
Then it walks down to:
- Filesystem links, common dialogs, application handlers, etc.

iKat is so fast and efficient that you can click on one option at a time and know whether it was successful or not. There are even tools designed to crash the kiosk application if all else fails, so you are returned to a normal Windows desktop. Paul has found around 18 different methods to shuttle a shell that completely bypass most blacklist and ACL controls.

The two things that really surprised me in using this awesome tool kit were:
- The ActiveX exploits. Now I know y'all may be thinking, so what? ActiveX requires administrative rights to install, and that is true... for IE 7.0 and lower. That's right, IE 8.0 does not require administrative rights any longer...
- ClickOnce applications developed under the .NET umbrella. ClickOnce allows me to run applications without admin rights, and blacklists do not block the Application Run dialog boxes. iKat really exploits this with a vengeance. So much so that I would say if a kiosk has the .NET CLR on it (95% do), it is game over.

Paul has had this tool set out there for a little over a year now, and he has recently upgraded the entire tool set to v2.0. Sadly, the kiosk code jockeys' response was predictable: they added http://ikat.ha.cked.net/ to a blacklist, so now it can also be found at http://ikat2.ha.cked.net. Turn the page...

There are very few tools that I have had better than a 98% success rate with. iKat is just such a tool. If you are pen testing your network, please do not forget about the kiosks. (TJ Maxx flashback...) Paul really did an awesome job researching and coding this program. He wanted to be King of Kiosk (this is the interactive part of the blog: press play on Motorhead's "King of Kings" NOW). I say, All Hail the King!

Before you deploy a kiosk on your network, or if you already have one deployed, test it out with iKat and see what your results are. I am a huge believer in hacking your network before the hackers do, and they will. iKat is most powerful when used online; however, there is a portable version, so you can test your systems before deployment. Just make sure you remove these tools before deployment, or you will be added to a hacker's Christmas card list.

Jimmy Ray Purser

Trivia File Transfer Protocol
In the United States, each state is commissioned to design the back of a quarter to celebrate that state's heritage. New Hampshire said, hey, let's put the rock formation "Old Man of the Mountain" on the back of ours. That was cool, but less than three years after it was released, it crumbled. Bogus!

Perfect


Jimmy Ray, you are the best! I love your blog for the technical detail. Keep up the great work.

Legality


Not to be a prude, but how legal is it to "test" out a kiosk in a public place?


Great question. The answer is it is very illegal, and don't do it, or start buying soap on a rope. I only recommend testing a kiosk before you deploy it to face the world, or as a paid and authorized pen tester.

Jimmy Ray

Soap on a rope


Most prisons now use liquid soap, which is a tad more tricky to pick up than the typical bar of soap.

I hack Kiosks too


I hack kiosks too... and I've uploaded a few videos onto YouTube of me hacking kiosks big and small... hell, I've even hacked a touch screen price scanner kiosk running Windows CE. To see this go to http://www.youtube.com/KioskHacking

*Not Trying to spam*

About Networking Geek to Geek

Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.

Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.