Exploiting the iBahn Site Kiosk system


I did not discover the initial exploit (print to image writer) and don't take credit for it. I'm just providing documentation for it and how I took it to the next step. I don't condone doing this and if you pay the $9.95 you won't have to do any of this.

Target: iBahn Site Kiosks Wardman Park Marriott, Washington, DC

Goal #1: Free access to the internet

Goal #2: Free access to the operating system

Goal #3: Root the box

The iBahn kiosk software is much like other kiosk systems. It runs on a standard PC and replaces the Windows Explorer shell (start button, taskbar, etc.) with its own. This, along with XP policies, essentially prevents the user from exiting the kiosk system and gaining unauthorized access to the PC.

In most cases the interface will look like a web browser. Its look and feel is purposely similar to Internet Explorer. This keeps the concierge, desk attendant, et al. from having to provide tech support. The kiosk software itself is very configurable by the administrator and uses a text file configuration. This allows the whitelisting/blacklisting of websites for free access, setup of the credit card payment systems (not done in-house but sent over the internet to a central server)*, and all other conceivable administration tasks.


*Because of this, you can just pull the Ethernet cable and plug it into your device and have unrestricted access. However, you'll look pretty conspicuous running your laptop next to the kiosk.

In kiosk mode it’s locked down.

- You don’t have access to printing* (or at least you’re not supposed to).

- You can’t run any programs.

- Autorun is turned off - switchblade will not run :(

- No booting to CD or USB

- BIOS is password protected

- No safe mode

- XP Guest account access

So what do you get if you pay the $9.95 access fee? Well you’ll get internet and access to Microsoft Office (Word, Excel, and PowerPoint) and possibly other programs like Solitaire. Yep, pay $9.95 and you can play Solitaire!

Walking up to the terminal you'll most likely spot a few things. Most everything on the menu bar is disabled and when you try to access a website other than those on the free whitelist you’ll be automatically redirected back to the home page. Now remember the browser is based on Internet Explorer, which means some web tricks will work, i.e. those tricks associated with obscuring the URL in the address bar.

Tricks to obscure the URL


You CAN’T type in http://www.hak5.org

You CAN type in http://www.ibahn.com@www.hak5.org

Yes, this will take you to hak5.org but any links you click on will be un-obscured and will redirect you to the kiosk home page. If you’ve got a lot of time on your hands you could continuously re-obscure the URL. If you’re really smart you could try and perform a cross-scripting exploit so that you stay in the kiosk home page. Or if you’re even more cunning you could set up a website that will provide you with URL obfuscation automatically.

Now, if you read back a little bit you’ll notice I said “most everything on the menu bar is disabled…” This is key to our exploit. There are actually a few things that have to fall into place in order for this exploit to be successful. It seems that the programmers got a little careless and when you maximize the kiosk window the print button is no longer disabled.

So, you can print. What good is that, you ask? Well, if the default Microsoft Office install was performed then the “Microsoft Office Document Image Writer” printer driver is installed.  So, print the current web page and choose it as the printer. Once it finishes it will run the document imaging program.

So, we’ve escaped the kiosk software.

Now this program, being part of Microsoft Office, has an option under the Tools menu to “Send Text to Word”. After a bit of processing you’re now running Microsoft Word without having to pay for it. You’ve now got several avenues of exploitation available to you, which I’ll explain below.

Step 1: Maximize Window
Step 2: Click on Print button
    Select “Microsoft Office Document Image Writer” as the printer.
Step 3: Tools > Send Text to Word
Step 4: Exploit!

Since the system is still pretty well locked down you won’t be getting a command shell or Explorer shell anytime soon, unless you keep reading.

EXPLOIT #1B: You can do what I did and go into VBA and make your own web browser using the Internet ActiveX Control and some text boxes and command buttons. But most people probably don’t know how to do that.


Insert > Hyperlink (Ctrl +K)
Address: http://www.hak5.org

But who uses Internet Explorer? Got that USB drive with portable Firefox on it? Make a hyperlink to your USB drive and run it or make a hyperlink to download it. Now you’ve got unrestricted Internet Access.


If you know where the root drive is on Windows (Hint: C:) you can insert a hyperlink to C:. It’s as easy as clicking on:

Insert (Ctrl +K) > Hyperlink: address c:

You’ve now got access to the root drive. Because of restrictions in place the drives don't automatically show up in file browse windows. You have to manually type them in. Good ol' "security through obscurity".

You’re limited by the locks in place, such as not being able to run task manager, cmd and other useful tools. But that never stopped us before, so head on over to sysinternals.com and grab Process Explorer. Yep, it’ll install and run. Now you start killing processes. There’s only 1 small problem: killing the site kiosk software doesn’t allow you to run the Explorer shell. That’s not a problem since, being the resourceful person you are, you’ve already surmised that if you can install programs then you can install shells, like Blackbox for Windows http://www.bb4win.org. Now you've got a program menu, system tray, clock, all the stuff you really want.


Getting Root

I did not try to gain root access but here are my thoughts on this.

If you were paying attention when you ran Process Explorer or happened to look at the systray in Blackbox you would’ve noticed that a VNC server is running. Being the curious little monkey you are, you would’ve clicked on it and noticed that there is a password set.

Ponder this for a moment.

There’s an administrator password for the site kiosk (accessed through Ctrl+H, if I recall correctly), a BIOS password and a VNC password. We can assume with some certainty that they are all the same, or at least hope. Which is the easiest to exploit?

Hint: it’s the little stars you’re looking at.

There are currently a couple different methods for exploiting a VNC server.

- Use one of the several asterisk password “unhide” programs.

- Obtain the password from the registry and crack it. Remember, the system won’t allow you to write to the registry but you can read; you just have to figure out how ;)

- Perform a pentest exploit from the comfort of your room since you know the IP address of this PC. If you don't then you have no hope of doing any of the previous.

Good luck and once they fix this bug you'll have to pay your $9.95 (the first time ;) )

Link to comment
Share on other sites

I was in DisneyWorld (Orlando FL) about a month ago and stayed at a small hotel place outside called Lake Buena Vista Resorts.  They had a (free) computer set up in the lobby that you could use and print stuff from, running CyberCafe.  It was interesting as it looked like it charged money, but if you talked to a staff member they would go to the terminal that controls it (master cybercafe terminal?) and allow access to the computer, so the timer was running and charging money, but you weren't paying for it.  Basically you got the computer for free if you asked.  A little unintuitive to me.

What I do remember is having to do a research paper and not finding the software that I wanted on the machine.  The web browsers of choice were Internet Explorer, Firefox, and one more (AOL I believe).  I used Firefox because it's my browser of choice and seemed like the least likely to be locked down and most likely to let me access.  Basically how I got access to Explorer is by browsing to my flash drive that I plugged in through Firefox. 

file:///E:/ got me to the root of my flash drive. I took my PStart.exe file and saved it back onto my flash drive as PStart.exe (overwriting itself) and then opened that file after it finished downloading in order to get to my PStart menu, with all of my hacks and cracks and other implements with it. If I remember correctly you could save any random file back on to the flash drive and then open up the folder in the Downloads window by right clicking on the downloaded file in the Downloads window and clicking "Open Download Location". This may have thrown a "not allowed" error though, I can't remember. I did get in though.

What I found interesting was that in the Documents and Settings\Admin\Desktop folder I found a bunch of run-of-the-mill hacking utilities that were (ostensibly) used by the installer to set up system policy. I would have guessed that they would have this down to an image or something but apparently not. If anyone is interested I can zip and upload the utilities to share here. (I uploaded everything of interest on the computer to my personal FTP, although that admittedly wasn't much as nobody was supposed to be able to access the local file system anyways.)

Hope this helps someone get more access somewhere.  I don't think this would let you circumvent CyberCafe (there's a good shot if you use Process Explorer or DTaskManager or something else powerful to kill/end/freeze the CyberCafe applications and services, but it may happen), but even if you can't get free access this will at least allow you to be more productive with your money you spent.  At least, I hope so.

Link to comment
Share on other sites
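
Added example, not part of either post above: the `http://www.ibahn.com@www.hak5.org` address from the first post and the `file:///E:/` address from the second both get through when a navigation filter does not decide on the parsed URL. The sketch sets a prefix comparison (an assumption; neither post shows how the kiosk matches addresses) beside a check on parsed components; `ALLOWED_HOSTS`, `naiveIsAllowed`, `checkNavigation` and `runSamples` are hypothetical names, and the last two sample URLs are constructed.

```javascript
// Added example (not from the thread). Names below are hypothetical.
const ALLOWED_HOSTS = new Set(["www.ibahn.com"]);

// Weak form, assumed for illustration: compare the start of the raw string.
function naiveIsAllowed(rawUrl) {
  return rawUrl.toLowerCase().startsWith("http://www.ibahn.com");
}

// Hardened form: parse first, then decide on scheme, userinfo and exact host.
function checkNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { allowed: false, reason: "unparseable" };
  }
  // Local and script schemes never belong in a kiosk browser's address bar.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme " + url.protocol };
  }
  // Everything before '@' is credentials, not the destination.
  if (url.username !== "" || url.password !== "") {
    return { allowed: false, reason: "userinfo present" };
  }
  // Exact match on the parsed host; a trailing root dot is normalised away.
  const host = url.hostname.replace(/\.$/, "");
  if (!ALLOWED_HOSTS.has(host)) {
    return { allowed: false, reason: "host " + host };
  }
  return { allowed: true, reason: "ok" };
}

// Sample input: the first two appear in the posts, the rest are constructed.
const SAMPLES = [
  "http://www.ibahn.com@www.hak5.org",
  "file:///E:/",
  "http://www.ibahn.com.example.net/",
  "http://www.ibahn.com/rates",
];

function runSamples() {
  return SAMPLES.map((u) => ({
    url: u, naive: naiveIsAllowed(u), hardened: checkNavigation(u).reason,
  }));
}

console.table(runSamples());
```

The check has to run on every navigation, including link clicks and redirects, not only on addresses typed into the bar.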
