beakmyn Posted April 4, 2008

I did not discover the initial exploit (print to image writer) and don't take credit for it. I'm just providing documentation for it and how I took it to the next step. I don't condone doing this and if you pay the $9.95 you won't have to do any of this.

Target: iBahn Site Kiosks, Wardman Park Marriott, Washington, DC

Goal #1: Free access to the internet
Goal #2: Free access to the operating system
Goal #3: Root the box

The iBahn kiosk software is much like other kiosk systems. It runs on a standard PC and replaces the Explorer Windows shell (start button, taskbar, etc.) with its own. This, along with XP policies, essentially prevents the user from exiting the kiosk system and gaining unauthorized access to the PC. In most cases the interface will look like a web browser. Its look and feel is purposely similar to Internet Explorer. This keeps the concierge, desk attendant, et al. from having to provide tech support.

The kiosk software itself is very configurable by the administrator and uses a text file configuration. This allows the whitelist/blacklist of websites for free access, setup of the credit card payment system (not done in-house but sent over the internet to a central server)*, and all other conceivable administration tasks.

EXPLOIT #1A: *Because of this, you can just pull the Ethernet cable and plug it into your device and have unrestricted access. However, you'll look pretty conspicuous running your laptop next to the kiosk.

In kiosk mode it's locked down:
- You don't have access to printing* (or at least you're not supposed to).
- You can't run any programs.
- Autorun is turned off - switchblade will not run :(
- No booting to CD or USB
- BIOS is password protected
- No safe mode
- XP Guest account access

So what do you get if you pay the $9.95 access fee? Well, you'll get internet and access to Microsoft Office (Word, Excel, and PowerPoint) and possibly other programs like Solitaire.

Yep, pay $9.95 and you can play Solitaire!

Walking up to the terminal you'll most likely spot a few things. Most everything on the menu bar is disabled, and when you try to access a website other than those on the free whitelist you'll be automatically redirected back to the home page.

Now remember the browser is based on Internet Explorer, which means some web tricks will work, i.e. those tricks associated with obscuring the URL in the address bar.

Tricks to obscure the URL: http://www.pc-help.org/obscure.htm

You CAN'T type in http://www.hak5.org
You CAN type in http://firstname.lastname@example.org

Yes, this will take you to hak5.org, but any links you click on will be un-obscured and will redirect you to the kiosk home page. If you've got a lot of time on your hands you could continuously re-obscure the URL. If you're really smart you could try and perform a cross-scripting exploit so that you stay in the kiosk home page. Or if you're even more cunning you could set up a website that will provide you with URL obfuscation automatically.

Now, if you read back a little bit you'll notice I said "most everything on the menu bar is disabled..." This is key to our exploit. There are actually a few things that have to fall into place in order for this exploit to be successful. It seems that the programmers got a little careless, and when you maximize the kiosk window the print button is no longer disabled. So, you can print. What good is that, you ask? Well, if the default Microsoft Office install was performed then the "Microsoft Office Document Image Writer" printer driver is installed. So, print the current web page and choose it as the printer. Once it finishes it will run the document imaging program. So, we've escaped the kiosk software. Now this program, being part of Microsoft Office, has an option under the Tools menu to "Send Text to Word". After a bit of processing you're now running Microsoft Word without having to pay for it.

You've now got several avenues of exploitation available to you, which I'll explain below.

Step 1: Maximize Window
Step 2: Click on Print button. Select "Microsoft Office Document Image Writer" as the printer.
Step 3: Tools > Send Text to Word
Step 4: Exploit!

Since the system is still pretty well locked down you won't be getting a command shell or Explorer shell anytime soon, unless you keep reading.

EXPLOIT #1B: You can do what I did and go into VBA and make your own web browser using the Internet ActiveX Control and some text boxes and command buttons. But most people probably don't know how to do that.

EXPLOIT #1C: Insert > Hyperlink (Ctrl+K), Address: http://www.hak5.org. But who uses Internet Explorer? Got that USB drive with portable Firefox on it? Make a hyperlink to your USB drive and run it, or make a hyperlink to download it. Now you've got unrestricted Internet Access.

EXPLOIT #2: If you know where the root drive is on Windows (Hint: C:) you can insert a hyperlink to C:. It's as easy as clicking on: Insert (Ctrl+K) > Hyperlink: address c:

You've now got access to the root drive. Because of restrictions in place the drives don't automatically show up in file browse windows. You have to manually type them in. Good 'ole "security through obscurity".

You're limited to the locks in place, such as not being able to run Task Manager, cmd and other useful tools. But that never stopped us before, so head on over to sysinternals.com and grab Process Explorer. Yep, it'll install and run. Now you start killing processes. There's only 1 small problem: killing the site kiosk software doesn't allow you to run the Explorer shell. That's not a problem since, being the resourceful person you are, you've already surmised that if you can install programs then you can install shells, like Blackbox for Windows http://www.bb4win.org. Now you've got a program menu, system tray, clock, all the stuff you really want.

EXPLOIT #3: Getting Root

I did not try to gain root access but here are my thoughts on this. If you were paying attention when you ran Process Explorer or happened to look at the systray in Blackbox you would've noticed that a VNC server is running. Being the curious little monkey you are you would've clicked on it and noticed that there is a password set. Ponder this for a moment. There's an administrator password for the site kiosk (accessed through Ctrl+H, if I recall correctly), a BIOS password and a VNC password. We can assume with some certainty that they are all the same, or at least hope. Which is the easiest to exploit? Hint: it's the little stars you're looking at.

There are currently a couple different methods for exploiting a VNC server.
- Use one of the several asterisk password "unhide" programs.
- Obtain the password from the registry and crack it. Remember, the system won't allow you to write to the registry but you can read, you just have to figure out how ;)
- Perform a pentest exploit from the comfort of your room since you know the IP address of this PC. If you don't then you have no hope of doing any of the previous.

Good luck, and once they fix this bug you'll have to pay your $9.95 (the first time ;) )
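A defender-side audit for the weaknesses the post chains together (an added example, not part of beakmyn's post or of iBahn's software): it reports whether the Document Image Writer printer is still installed, whether Explorer's DisallowRun policy blocks the imaging viewer, whether Software Restriction Policies default to Disallowed so downloaded tools like Process Explorer cannot run, and whether typed drive paths such as C: are blocked rather than merely hidden. It assumes a current Windows with the PrintManagement module, the standard Explorer and SRP policy registry keys, and mspview.exe as the Office Document Imaging viewer's executable name (an assumption about the Office build in question).

```powershell
# Kiosk hardening audit (added example, not from the original post).
# Run in the kiosk user's session; HKCU policies are per-user.
$findings = @()

# 1. The print-to-image escape needs the Image Writer printer to exist.
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $imgWriter = Get-Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*Document Image Writer*' }
    if ($imgWriter) {
        $findings += "Printer '$($imgWriter.Name)' is installed; printing a page launches the imaging viewer."
    }
} else {
    $findings += 'Get-Printer unavailable; check installed printers manually.'
}

# 2. DisallowRun: Explorer policy that blocks named executables for this user.
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $explorerPol -ErrorAction SilentlyContinue
if (-not $pol -or $pol.DisallowRun -ne 1) {
    $findings += 'DisallowRun policy is not enabled.'
} else {
    # Blocked names live as numbered string values under the DisallowRun subkey.
    $list = Get-ItemProperty -Path "$explorerPol\DisallowRun" -ErrorAction SilentlyContinue
    $blocked = @($list.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value.ToString().ToLower() })
    if ($blocked -notcontains 'mspview.exe') {   # assumed viewer executable name
        $findings += 'DisallowRun does not list mspview.exe (Document Imaging viewer).'
    }
}

# 3. SRP default level: 0 = Disallowed (allow-list mode), 0x40000 = Unrestricted.
#    A blocklist alone does not stop a renamed procexp.exe; an allow-list does.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$srp = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
if (-not $srp -or $srp.DefaultLevel -ne 0) {
    $findings += 'SRP DefaultLevel is not Disallowed; downloaded executables will run.'
}

# 4. NoDrives only hides drives in dialogs (the "security through obscurity"
#    the post describes); NoViewOnDrive also refuses typed paths like C:.
if (-not $pol -or -not $pol.NoViewOnDrive) {
    $findings += 'NoViewOnDrive is not set; a typed C: path still opens the drive.'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The DisallowRun check is a blocklist and only closes the specific viewer the post uses; the SRP and NoViewOnDrive findings are the ones that close the whole class of escapes.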