KIOSK machines are self-service endpoints that allow users to complete tasks on their own, at their preferred pace and time. These machines bring a restricted user experience, also known as KIOSK mode, which is discussed further in this blog. It provides a fully immersive and interactive experience.
KIOSKs are not always supervised by humans; they complement an existing service already offered by the kiosk owner. For example, some services by a company are given to the general public to perform tasks like bill payments, ticket booking, airport self-check-in system (which are electronic KIOSK that acts much like automated teller machines (ATMs)), and many more. This allows the consumer to execute these tasks independently without waiting in line at a counter.
What is KIOSK Mode?
KIOSK mode is a mode that is offered by different web browsers and some applications. This allows the browser or an application to be viewed on full screen without other interfaces, such as a toolbar or menu. The purpose is to run the content on the entire screen and prevent the user from using the screen or kiosk for any other purpose.
One of the common KIOSK modes offered by Windows IoT Enterprise allows users to build fixed-purpose devices such as ATMs, point-of-sale terminals, medical devices, or kiosks. Kiosk mode helps you create a dedicated, locked-down user experience on these fixed-purpose devices. Windows IoT Enterprise offers a set of different locked-down features for public or specialized use, such as:
- Assigned access single-app kiosks.
- Assigned access multi-app kiosks.
- Shell launchers.
If not using Windows IoT Enterprise, you can also use any open-source lockdown software such as Linutop kiosk software (For Linux), OpenKiosk (For Linux), or FontFace(For Windows) Lockdown. Also, browsers can be launched in KIOSK mode.
For Example:
Mozilla Firefox, we can use the –the kiosk argument to launch the application, and it will be launched in KIOSK mode.
“C:\Directory Of FireFox\firefox.exe” –kiosk https://www.microsoft.com/
Launching Firefox in KIOSK Mode in Windows
Microsoft Edge also supports KIOSK mode and can be launched by the following command.
msedge.exe –kiosk www.microsoft.com –edge-kiosk-type=fullscreen
Or
msedge.exe –kiosk www.microsoft.com –edge-kiosk-type=public-browsing
KIOSK Vulnerabilities and Breakout Techniques:
In KIOSK-related vulnerabilities, we are mostly going to discuss the techniques by which a user can get out of the restricted access of the KIOSK mode rather than Zero Day Exploits for a particular system to Command/Code Execution in a system. Below, we will discuss the misconfigurations that allow users to get out of the restricted access of the system to get the command prompt executed.
Interrupting the boot process
When we approach a KIOSK, unusually, we will witness the operating system booting/rebooting. But it’s easy to make this happen by performing a hard reboot by pulling the plug and reapplying power. Through this hard boot, we learn what operating kiosk hack system the KIOKS is running, and the boot screens may give you some ideas on how to go about interrupting the boot process. Also, sometimes it can give access to the BIOS screen.
Some of the information we can get out of this process are listed below:
- Which operating system is it running?
- Does the boot process allow keyboard input (assuming a keyboard is installed)? If yes, try entering into BIOS by key combination according to OS.
- Will the BIOS allows the kiosk to boot from an alternative media like a DVD or USB drive? This is only relevant if the ports on the kiosk are exposed.
- Does the kiosk automatically log into a user account? In the case of Windows, holding down the SHIFT key will often disable the auto-login and potentially allow you to log into a different user account.
USB Interface
KIOSK is no more than a PC or tablet sitting on a desk with all its USB ports exposed. An attacker can insert a USB stick that can potentially load malware on the KIOSK by taking advantage of a security flaw known as BadUSB.
Things to be noted during this are as follows:
- Check if USB is enabled and make your USB bootable using “Konboot.” This will give access to the file system directly without any Windows login.
- Check if USB is enabled; try to run unauthorized code (exe or batch file) directly from the USB or use the USB’s auto-run feature.
- Check for keyboard emulations or keystroke injections using a rubber ducky.
Keyboard Input
A KIOSK touchscreen keyboards are not good for testing keyboard input, but if we get access to a physical keyboard, it can give us many options. KIOSKs that collect a lot of information from customers (i.e., a job application kiosk) will often include a physical keyboard to speed up the data entry process. If the kiosk has any of its USB ports exposed, then you may be able to attach a physical keyboard.
We can test this by the followings:
Try to exit from kiosk mode with the help of hotkeys [Alt+F4 (close active window) and Win+Ctrl, Alt+Tab, and Alt+Shift+Tab (switch task)].
Running Browser in KIOSK mode
Press Alt+Tab
After Pressing We can access other Programs Running in the Background
Using Alt+Tab to switch Between Tasks.
- Try pressing the SHIFT key 5 times to get access to the sticky-key feature.
Running Browser in KIOSK mode.
Pressing Shift Key for 5 times.
After Pressing we will get this Dialog box.
By Clicking on Disable this keyboard shortcut in Ease of Access keyboard settings we get access to window s settings
Here we can verify that the windows settings can be edited.
Pressing Sticky Keys for 5 time to get access of the windows Settings
c. Check for high contrast mode (Left Alt-Left Shift-Print Screen) can render the kiosk nearly unusable if the user doesn’t know how to disable them.
d. Some other shortcuts we can use are as follows:
• Sticky Keys – Press SHIFT 5 times,
• Mouse Keys – SHIFT+ALT+NUMLOCK
• High Contrast – SHIFT+ALT+PRINTSCN
• Toggle Keys – Hold NUMLOCK for 5 seconds
• Filter Keys – Hold right SHIFT for 12 seconds
• WINDOWS+F1 – Windows Search
• WINDOWS+D – Show Desktop
• WINDOWS+E – Launch Windows Explorer
• WINDOWS+R – Run
• WINDOWS+U – Ease of Access Centre
• WINDOWS+F – Search
• SHIFT+F10 – Context Menu
• CTRL+SHIFT+ESC – Task Manager
• CTRL+ALT+DEL – Splash screen on newer Windows versions
• F1 – Help F3 – Search
• F6 – Address Bar
• F11 – Toggle full screen within Internet Explorer
• CTRL+H – Internet Explorer History
• CTRL+T – Internet Explorer – New Tab
• CTRL+N – Internet Explorer – New Page
• CTRL+O – Open File
• CTRL+S – Save CTRL+N – New RDP / Citrix
Launching additional applications using Save As/Print Functionality.
In many cases, the kiosk application developer does not want any other applications to be able to run because they could potentially allow the user to gain elevated access to the file system. For example, clicking on an email link could launch a default mail application which in turn allow the user to browse the file system using email attachments.
In the case where the kiosk makes use of a web browser to display its content, you could try clicking on links for email addresses, phone numbers, and PDF documents.
Any action that would bring up the “Save As” dialog and grant you the ability to explore the file system. For example, printing a document may give you the option to print to a PDF or Microsoft XPS Document Writer which will then prompt you where you’d like to save the file.
Running Browser in KIOSK mode.
By Right Clicking on the Website we get the Function to SaveAs
In the Explorer we can verify that we are getting access of C:\Windows\System32 Directory in which we get cmd.exe
Right Clicking on the cmd.exe we can try to run the cmd.exe.
After opening the cmd.exe we can verify that the command prompt is getting executed.
Abusing SaveAs Functionality to Launch cmd.exe
Web Browser Manipulation.
If the kiosk makes use of a web browser to display its content, you may be able to gain access to the file system or view websites other than what the kiosk application developer intended.
Using Shell Protocol:
Type these URLs to obtain an Explorer view:
• shell:Administrative Tools
• shell:DocumentsLibrary
• shell:Libraries
• shell:UserProfiles
• shell:Personal
• shell:SearchHomeFolder
• shell:NetworkPlacesFolder
• shell:SendTo
• shell:UserProfiles
• shell:Common Administrative Tools
• shell:MyComputerFolder
• shell:InternetFolder
• Shell:Profile
• Shell:ProgramFiles
• Shell:System
• Shell:ControlPanelFolder
• Shell:Windows
• shell:{21EC2020-3AEA-1069-A2DD-08002B30309D} à Control Panel
• shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} à My Computer
• shell:::{{208D2C60-3AEA-1069-A2D7-08002B30309D}} à My Network Places
• shell:::{871C5380-42A0-1069-A2EA-08002B30309D} à Internet Explorer
Accessing file System from Browser
We can try to access the file system by just pasting the following in the web browser.
• %windir%
• %systemdrive%
• %systemroot%
• %temp%
• C:/windows/system32\
• C:\windows/system32/
• C:\windows/system32\
• C:/windows/system32/
Accessing File system using “file://” in FireFox Kiosk mode
Accessing File System in Microsoft Edge in KIOSK Mode
Using other protocols can give us access to unauthorized files in the KIOSK system. By using the following.
about:, data:, ftp:, file:, mailto:, news:, res:, telnet:, view-source:
Conclusion:
When we use the term “KIOSK,” we refer to any software running in a self-service, unattended environment, regardless of the technology used. Some of the basic security aspects of “hardening” your kiosk software is ensuring that your kiosk runs smoothly, and the customer’s information is safe from malicious users.
One malicious can destroy the kiosk experience for all your other customers by tampering with the operating system (OS) or simply by shutting down your kiosk software. Protecting the OS requires ensuring that your kiosk software is always running, and that the user cannot do anything but use your kiosk exactly as intended. There are many ways the user can tamper with the OS, including but not limited to pressing system hotkeys (i.e., ctrl-alt-del, alt-tab. etc……) or only shutting down your kiosk software.
References:
Escaping from KIOSKs – HackTricks
Kiosk-Hacking/KIOSK_Hacking.pdf at main · souravbaghz/Kiosk-Hacking · GitHub
