Vulnerability Disclosure - Browser mode Kiosk Bypass @ Scalefusion

Kartik Lalan, published in NestedIf, Dec 3, 2023

Status: Open (as of 03-Dec-2023)

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H = 7.1 (High Severity)

Multiple CVEs: CVE-2023-50159, CVE-2023-51748, CVE-2023-51749, CVE-2023-51750, CVE-2023-51751

Impacted Component: ScaleFusion (Windows Desktop App) agent v10.5.2

Assumption: The enterprise wants to allow only MS Edge to run on the system and to block execution of all other unwanted applications/scripts via the Scalefusion kiosk solution.

Configuration: Windows agent-based kiosk mode configured to allow launching only MS Edge in browser mode, with the address bar blocked so that the user cannot even open a custom URL. See: How to Set up Microsoft Edge Kiosk Mode? — Scalefusion.

Vulnerability Description: Despite configuring complete restriction of any unwanted application/script via the Scalefusion Windows agent-based browser kiosk hardening, it was observed that there were many alternate methods by which kiosk mode could be bypassed easily, allowing complete access to the system.

Impact:
Loss of data confidentiality/integrity/availability (sensitive info can be stolen, arbitrary code can be executed, users can be phished, important files can be erased, etc.). This defeats the whole concept of browser-based kiosk mode.

Exploitability Rationale:
The user (attacker) can have admin or non-admin privileges depending on how the kiosk was configured. The attacker needs access to the system; no specific user privilege is required, as the kiosk user is logged in automatically. (Verified on Windows 10; applicable to all Windows versions.)

Steps to Reproduce:

Method1:

  1. The key combination Ctrl+S or Ctrl+O brings up the Windows file picker dialog, wherein one can access all file partitions and also execute commands via the address bar.

Method2:

  1. Using the mouse or touch screen, highlight any word. This brings up a tooltip offering to search for that word via MS Edge. Click on it to open an adjacent tab with a new Bing search.
  2. Search by keywords, or enter the URL to be opened directly, and select from the results.
  3. OR click on "Open link in new tab" to view it in full screen.

Method3:

  1. Via Bing search or the above technique, navigate to any host which allows file download.
  2. Upon download, Windows File Explorer (the file picker dialog box) appears automatically for the Save As option, which allows unrestricted filesystem access.
  3. The left menu bar contains multiple list items; among them, right-click on 'This PC' > Open in new window. This opens a full-fledged Windows File Explorer, giving unrestricted access to the system.

Method4:

  1. While the browser is open, press Alt+F4 multiple times. This kills the Edge browser; while the agent is restarting it, Windows access is available.
  2. Press the Win key to view the Start menu, and from there open any desired application. (In case Edge restarts, Alt+Tab lets you switch back to the previously launched application.)

Take Away:

We should always be prepared for various tricks that arise from client-side security controls (there is no silver bullet for such issues).

To make things a little more difficult, adopt a whitelisting approach over a blacklisting approach.

Use rules based on digital signature + location + file hash.
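
The allowlist rule from the takeaway (digital signature + location + file hash), sketched as an added example that is not from the original post or from Scalefusion: a default-deny check compared with a file-name blocklist over constructed launch records. The `AllowRule` and `Launch` types, the signer string, the paths and the file bytes are assumptions for illustration, and signature verification is assumed to have happened before `signer` is filled in.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class AllowRule:
    signer: str     # publisher name taken from a verified signature
    directory: str  # the only folder the binary may start from
    sha256: str     # hash of the approved file contents

@dataclass(frozen=True)
class Launch:
    image_path: str
    signer: "str | None"  # None: unsigned, or the signature did not verify
    content: bytes        # stand-in for the file bytes on disk

def failed_checks(launch, rule):
    """Names of the conditions this launch does not satisfy for this rule."""
    checks = {
        "signer": launch.signer == rule.signer,
        "location": PureWindowsPath(launch.image_path).parent == PureWindowsPath(rule.directory),
        "hash": hashlib.sha256(launch.content).hexdigest() == rule.sha256,
    }
    return [name for name, ok in checks.items() if not ok]

def allowlist_verdict(launch, rules):
    """Default deny: allowed only if one rule passes all three checks."""
    results = [failed_checks(launch, r) for r in rules]
    if any(not f for f in results):
        return True, []
    return False, min(results, key=len, default=["no rule"])

def blocklist_verdict(launch, blocked_names):
    """Default allow: any file name that is not listed may run."""
    return PureWindowsPath(launch.image_path).name.lower() not in blocked_names

# Constructed sample data: paths, signer string and file bytes are illustrative.
EDGE_DIR = r"C:\Program Files (x86)\Microsoft\Edge\Application"
RULES = [AllowRule("Microsoft Corporation", EDGE_DIR, hashlib.sha256(b"edge-approved").hexdigest())]
BLOCKED = {"cmd.exe", "powershell.exe"}
LAUNCHES = {
    "edge": Launch(EDGE_DIR + r"\msedge.exe", "Microsoft Corporation", b"edge-approved"),
    "explorer": Launch(r"C:\Windows\explorer.exe", "Microsoft Corporation", b"explorer"),
    "dropped": Launch(EDGE_DIR + r"\tool.exe", None, b"tool"),
    "edge_updated": Launch(EDGE_DIR + r"\msedge.exe", "Microsoft Corporation", b"edge-next"),
}

if __name__ == "__main__":
    for name, launch in LAUNCHES.items():
        print(name, blocklist_verdict(launch, BLOCKED), allowlist_verdict(launch, RULES))
```

The `explorer` record passes the blocklist and would also pass a signer-only rule, which is why the three conditions are combined. The `edge_updated` record fails only the hash check, so a hash condition has to be refreshed with every browser update.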
