Tuesday, September 16, 2014

SiteKiosk - Breakout

It has been a while since my last blog post, so I am going to share two possible bypasses for the software SiteKiosk on Windows. As the name suggests, it is a kiosk software ^^.
SiteKiosk is a software from Provision GmbH. It claims to have more than 250.000 installations worldwide, which would make it one of the most used products in the "Public Access Terminal Software" category.
It has a lot of features, but my only goal was to break out of the sandbox and start an external application.
In the end my findings produced new BeEF modules.

Meet the enemy

Provision GmbH offers a trial version, which has nearly all features enabled. The only restriction is that it will sometimes annoy you with a 30 second timeout.
It uses IE as a rendering engine and supports Flash and PDF. So there is a lot to play with ;)

[Screenshot: SiteKiosk greeting message]

The Bypasses

Step one: Get a file on the file system
Step two: Execute it!

Getting a file on the system

After some tests it turned out that SiteKiosk is pretty good at blocking any dialogs that are triggered by changing the location. It also blocks all of the URL handlers I tested, such as "its:" and "file:". Additionally it checks iframes too and blocks any dialogs there.
But JavaScript is powerful, and with this "power" comes the possibility to trigger downloads ;).
The function I am talking about is window.navigator.msSaveOrOpenBlob.
The first parameter is a blob, which represents the data; the second parameter is the file name.

<script>
// IE only: MSBlobBuilder assembles the data, msSaveOrOpenBlob opens the download dialog
var bb = new MSBlobBuilder();
bb.append("THE DATA");                                            // file contents
window.navigator.msSaveOrOpenBlob(bb.getBlob(), "example.exe");   // suggested file name
</script>

Click Download and the first step is done.

But there is another bypass, which is also really simple. I thought that if JavaScript is able to trigger downloads, there is most likely another language, maybe a plugin, that can do the same.
Of course I am talking about Flash and ActionScript. Like JavaScript it can trigger a download dialog, which is not blocked by the SiteKiosk sandbox. I will give example code at the end of the text.
Next step: find a place to save the file and execute it.


Execution time

Javascript

So you can download a file, what's next? There are different things you can do. In the case of a download triggered by JavaScript, you need to find a location where you can save and execute an executable. I chose "C:\users\public\downloads". Most of the time the download dialog won't let you specify the location. To bypass this restriction, use shell:ProgramFiles in the address bar of the download dialog. It will change the address bar to "C:\Program Files". Now you can go back to C: and specify the location.

If you are lazy, you can trigger a download of a .hta file. HTA files are HTML applications, which are rendered by mshta.exe. Yes, by default it is not blocked. HTAs are HTML files with full privileges, which means they can instantiate any ActiveX object. Additionally it does not matter where you save them, because they are interpreted by mshta.exe and not executed from the location they are saved in (in contrast to .exe).

Flash

In the case of Flash you will see that after finishing the download there is no run button and no dialog at all. In contrast to JavaScript, this behavior makes it more difficult to execute a file.
Another problem is that you can't double click in a download window, so you can't download a .exe, reopen the download window and double click it. But there is a way around this problem too.
To execute a .exe via a Flash download do the following:
  1. Trigger the download via Flash. Save the exe in any location.
  2. Trigger the download again. Rename the previously downloaded exe so that it will not be overwritten by the second download. You end up with two executables in the same location.
  3. Open the download window a last time. But instead of specifying a location to save, you drag the icon of one executable onto the other one. This will start the program, and the other one is treated as an argument. It is like dragging a file onto notepad.exe to open it.

This trick only works for executables. But there is another way to start interpreted files like hta:

  1. On your local PC create a .lnk (a shortcut file) which points to "C:\windows\system32\mshta.exe". Trigger the download of this file via Flash.
  2. Trigger the download of your hta script file. Save it in the same location as the previously downloaded file.
  3. Open the download window. Now drag your .hta script file onto the mshta.exe.lnk file. This passes the file to the real mshta.exe, which then executes it.

Protection

To protect your SiteKiosk installation you need to do two things.
First, block all possible script hosts like mshta. This can be done with the System Security Assistent.
Second, lock down all locations where it is possible to store and execute files. An example is C:\users\public\downloads.
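To verify those two points on a deployed kiosk, here is an added audit script (not from the original post and not part of SiteKiosk) that reports whether the kiosk account can still launch the common script hosts and still create files in the public drop directories. It assumes AppLocker is the enforcement mechanism (SiteKiosk's own System Security settings are not queried), a local kiosk account named 'kiosk' (placeholder), and that it is run elevated on the kiosk host.

```powershell
# Audit script (added example): checks the two hardening points from the
# "Protection" section. Assumptions: AppLocker enforces execution rules,
# the kiosk user is a local account called 'kiosk' (placeholder), run elevated.
param(
    [string]   $KioskUser   = 'kiosk',
    [string[]] $ScriptHosts = @('mshta.exe', 'wscript.exe', 'cscript.exe'),
    [string[]] $DropDirs    = @("$env:SystemDrive\Users\Public\Downloads",
                                "$env:SystemDrive\Users\Public\Documents")
)

# 1. Script hosts: ask the effective AppLocker policy what it decides for the kiosk user.
$policy = Get-AppLockerPolicy -Effective
foreach ($exe in $ScriptHosts) {
    $path     = Join-Path $env:SystemRoot "System32\$exe"
    $decision = ($policy | Test-AppLockerPolicy -Path $path -User $KioskUser).PolicyDecision
    [pscustomobject]@{
        Check  = "launch $exe as $KioskUser"
        Result = $decision
        Ok     = ($decision -in 'Denied', 'DeniedByDefault')
    }
}

# 2. Drop directories: flag Allow ACEs that give broad groups or the kiosk user
#    the right to create files (explicit CreateFiles, or generic write/all bits).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor 0x40000000 -bor 0x10000000
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           "$env:COMPUTERNAME\$KioskUser")
foreach ($dir in $DropDirs) {
    if (-not (Test-Path $dir)) { continue }   # directory removed: nothing to drop into
    $writers = (Get-Acl $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $writeMask) -and
        $broad -contains $_.IdentityReference.Value
    } | ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        Check  = "create files in $dir"
        Result = ($writers -join ', ')
        Ok     = (-not $writers)
    }
}
```

Every row with Ok = False is a place where the post's bypass chain still has a foothold: a script host the kiosk user can launch, or a directory it can still drop into.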