When I wore a much younger man's clothes running and ripping thru the hills of Tennessee, I learned a lot of life's lessons that I really did not realize until I had less hair and more waistline. There is no tellin' just how much lunch money I lost playing Bingo Pinball machines http://oldbinger.com/ . I just loved 'em! Of course after my Dad found out I was not eating lunch at school (in a town of will work and allow you to shell out.
Now this works on a TON of Windows apps (Media Player, IE, Notepad, Help and Support Center, embedded Flash, etc.) mainly because when an app needs to open a file, save a file, or change a font or color, it makes a common library call into COMDLG32.dll for the dialog. That dialog in turn pulls in the common control functions from COMCTL32.dll. This is of course easier to write code for and gives me a ton of application flexibility...or attack vectors... Now look here, this method is only marginally effective. If a coder writes a good blacklist they can stop a lot of this stuff, because the kiosk code jockeys know about folks like us and they do everything they can to monitor our input. So kiosk hacking has been kinda boring and more work than we actually want to be seen doing. See, hacking involves a lot of invisibility. Anyone can see me standing at a kiosk for 10-30 minutes plugging away. Not good, not useful.
This problem presented itself to Paul Craig of New Zealand's Security-Assessment. He thought, you know, I want to be the King of Kiosk! He figured out that he needed to shell out of the kiosk software in less than one minute. So instead of focusing on the blacklist that changes all the time, he focused not only on COMDLG32.dll behavior but also on pushing IE's network calls, made through either WININET.dll or MSINET.ocx, to the extreme. Knowing that his keyboard input is monitored but his web activity is not, he wrote an entire tool set and methodology on his website http://ikat.ha.cked.net/ (the header graphic is a bit racy and kinda NSFW). The tool is called iKat, the Interactive Kiosk Attack Tool, and it is fantastic! It is designed to run in a web browser and exercise hundreds of options in a few clicks. iKat starts with the basics we all know in security assessment:
- Recon: For inventorying installed apps, variables and settings
Then it walks it down to:
- Filesystem links, Common Dialogs, App handlers, etc.
iKat is so fast and efficient that you can click on one at a time and know if it was successful or not. There are even tools designed to crash the kiosk application if all else fails so you can be returned to a normal Windows screen.
The two things that really surprised me in using this awesome tool kit were:
- The ActiveX exploits. Now I know y'all may be thinking, so what? ActiveX requires administrative rights to install, and that is true...for IE 7.0 and lower. That's right, IE 8.0 does not require administrative rights any longer...a plan for the future.
- ClickOnce applications developed under a .NET umbrella. ClickOnce allows me to run applications without admin rights, and blacklists do not block the application Run dialog boxes. iKat really exploits this vulnerability with a vengeance. So much so, that I would say if a kiosk has apps built on the .NET CLR (95% do) it is game over.
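Since the escape paths above all ride on Windows features the kiosk owner can lock down by policy, here is an added example (not from the post and not part of iKat) of a read-only PowerShell audit to run in the kiosk user's session before deployment. It reads standard Windows policy locations for the Run dialog, the COMDLG32 common dialogs, the ClickOnce trust prompt and the IE ActiveX zone setting; the "expected" values are this example's assumptions about a hardened kiosk, not a vendor baseline.

```powershell
# Added example: audit the policy settings that close the kiosk escape paths
# discussed in the post. Read-only; prints OK / WEAK / MISSING per check.
# Expected values are assumptions for a locked-down kiosk, adjust to your build.
$checks = @(
    @{ Name = 'Run dialog disabled (NoRun)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoRun'; Expect = 1 },
    @{ Name = 'Only listed programs may run (RestrictRun)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'RestrictRun'; Expect = 1 },
    @{ Name = 'Common dialog: recent-files list hidden (NoFileMru)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32'
       Value = 'NoFileMru'; Expect = 1 },
    @{ Name = 'Common dialog: Places bar hidden (NoPlacesBar)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32'
       Value = 'NoPlacesBar'; Expect = 1 },
    @{ Name = 'ClickOnce: Internet-zone trust prompt disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
       Value = 'Internet'; Expect = 'Disabled' },
    @{ Name = 'ClickOnce: intranet-zone trust prompt disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
       Value = 'LocalIntranet'; Expect = 'Disabled' },
    @{ Name = 'IE Internet zone: run ActiveX controls disabled (1200 = 3)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
       Value = '1200'; Expect = 3 }
)

function Test-KioskLockdown {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # Read the single value; a missing value simply yields $null
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                       -ErrorAction SilentlyContinue).($c.Value)
        }
        $state = if ($null -eq $actual) { 'MISSING' }
                 elseif ("$actual" -eq "$($c.Expect)") { 'OK' }
                 else { 'WEAK' }
        [pscustomobject]@{ Check = $c.Name; Expected = $c.Expect
                           Actual = $actual;  State = $state }
    }
}

Test-KioskLockdown | Format-Table -AutoSize
```

A MISSING or WEAK row means the corresponding escape path on the list above is still open to anyone standing at the kiosk, whatever the application's own blacklist does.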
There are very few tools that I have had better than a 98% success rate with. iKat is just such a tool. Paul really did an awesome job researching and coding this program up. He wanted to be King of Kiosk; I say, All Hail the King! Before you deploy a kiosk on your network, OR if you already have one deployed, test it out with iKat and see what your results are. I am a huge believer in hacking your network before the hackers do, and they will. iKat is most powerful when used online; however, there is a portable version so you can test your systems before deployment. Just make sure you remove these tools before deployment.
So...back to the original question, Crazy or knows something you do not?
Jimmy Ray Purser
Trivia File Transfer Protocol
In the United States, each state is commissioned with designing the back of a quarter to celebrate that state's heritage. New Hampshire said, hey, let's put the rock formation "Old Man of the Mountain" on the back of ours. That was cool, but less than three years after it was released, it crumbled. Bogus!