Vulnerability Disclosure - Kiosk Hardening Bypass @ Microsoft Kiosk Mode

Kartik Lalan
Published in NestedIf
Jun 4, 2024

Status: Open (as of Dec 2023)

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H = 7.1 (High severity)

Impacted Component: Microsoft Kiosk mode (Windows OS configuration or Intune-based deployment)

Assumption: The whole point of kiosk mode is to restrict access to features the kiosk user is not meant to reach. It was nevertheless possible to reach such features and, through them, the underlying system.

Configuration: From the Settings app, Set up a kiosk > Get Started > Create Account > choose the kiosk app (Microsoft Edge here, or any desired app) > As a digital sign or interactive display > enter any URL and a 5-minute idle timeout. Sign in as the kiosk user and notice that the address bar is hidden and the browser exposes only limited features. Ref. Link1 & Link2

Vulnerability Description: Despite the restrictions that Windows kiosk hardening places on unwanted applications and scripts, several alternative paths remain through which kiosk mode can be bypassed with little effort, giving access to the system itself or to an unrestricted browser instance.

Impact:
Loss of data confidentiality, integrity and availability: sensitive information can be stolen, arbitrary code can be executed, subsequent users can be phished, important files can be erased, and so on. This defeats the sole purpose of kiosk mode.

Exploitability Rationale:
Conventionally, most files on a Windows system are readable by the 'Users' group, and the kiosk account Windows creates is a member of that group, so most of the file system is readable to it. The attacker needs physical access, but kiosk machines typically run under almost no supervision, which makes the attack easy and practical. Because an arbitrary URL can be opened, the attacker can also leave a phishing page behind for the next user. (Verified on Windows 11 and Windows 10 Pro; applicable to all Windows versions.)

Steps to Reproduce:

Method 1:

1. While the default web page is loaded, press Ctrl+O. This opens the file picker dialog (a File Explorer window). (Assumes the system is connected to the internet.)

2. In the dialog's top right corner (below the search box), click the help icon. This launches a new browser instance without any of the kiosk restrictions.

Method 2:

1. While the default web page is loaded, select any word with the mouse and notice the tooltip offering to search for it via the Microsoft Edge context menu.

2. A new sidebar applet opens on the right, showing the default search engine. This allows opening any kind of URL without needing an address bar.

3. Click the pop-out icon next to the applet's address bar; it opens a full-screen window at a URL of the attacker's choice.

Method 3:

1. While the default web page is loaded, select any word with the mouse and use the search tooltip, as in Method 2.

2. In the sidebar applet, click the three-dot menu icon next to the address bar; the context menu that appears contains a Send feedback option.

3. Clicking Send feedback opens a new applet window. Scroll down to the Microsoft Privacy Statement hyperlink; it opens a new window without restrictions and with a fully accessible address bar.

Post Exploitation:

1. file:///c:/filelocation lists the files at that location that are readable to the kiosk user (and that user is a member of 'Users', so that covers most of the system).

2. Open any unwanted or unexpected web application to phish the next user.

3. From the HTTPS padlock in the address bar, view the site's certificate and save it, then open the Certificate Manager and install that untrusted certificate.

4. Navigate to edge://settings and search for the certificate store. If any private keys there are marked exportable, they can be stolen as well.

5. If downloads are blocked, the browser console's Sources tab offers "Save as", which writes the file to disk; its extension can later be changed from File Explorer.

6. From edge://edge-urls one can reach the flags pages and enable every flag that weakens a security protection, making browsing risky for subsequent users.

7. From the Diagnostic data page, a large amount of internal information can be harvested.

Take Away:

Client-side security controls will always be subject to tricks like these, and there is no silver bullet; be prepared for them.

The kiosk user should be a member of Guests, or of a dedicated group with minimal rights, rather than of 'Users'.

Access to items like the certificate store should be blocked.

Edge should never be allowed to spawn a new browser instance under any circumstances. Undesired URI schemes such as file:// and edge:// should be blocked, and the keyboard shortcuts that launch such things can be blocked as well.
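One way to enforce the last three points through Edge's own policy mechanism, as an added example that is not code from the original post or from Microsoft: the script below writes the relevant Edge group policies into the HKLM policy hive (so they apply to every profile on the machine, the kiosk account included) and then reads them back to confirm they landed. The host name kiosk.example.internal and the particular selection of policies are assumptions to be adapted to a real deployment; the policy names and values themselves are documented Microsoft Edge policies.

```powershell
# Added hardening example (not from the original post or from Microsoft).
# Applies Edge policies that close the doors used by the three bypasses and
# the post-exploitation steps above. Run from an elevated PowerShell prompt.
# $KioskHost is an assumed placeholder; adjust it and the URL patterns.

$ErrorActionPreference = 'Stop'

$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Blocklist  = Join-Path $EdgePolicy 'URLBlocklist'
$Allowlist  = Join-Path $EdgePolicy 'URLAllowlist'
$KioskHost  = 'kiosk.example.internal'   # assumption: the only site the kiosk should show

# URLBlocklist/URLAllowlist pattern syntax. The schemes abused under
# "Post Exploitation" are blocked explicitly; '*' then denies everything
# else, and the allowlist (which takes precedence) re-opens only the kiosk site.
$Blocked = @('file://*', 'edge://*', 'javascript://*', '*')
$Allowed = @("https://$KioskHost", "https://$KioskHost/*")

# DWORD policies that remove the specific side doors described above.
$Dwords = @{
    'AllowFileSelectionDialogs'  = 0   # Method 1: Ctrl+O file picker and its help link
    'HubsSidebarEnabled'         = 0   # Methods 2 and 3: the sidebar search applet
    'UserFeedbackAllowed'        = 0   # Method 3: the "Send feedback" applet
    'DeveloperToolsAvailability' = 2   # Post-exploitation 5: 2 = DevTools not allowed
    'DownloadRestrictions'       = 3   # Post-exploitation 5: 3 = block all downloads
    'BrowserAddProfileEnabled'   = 0   # no new profile (and thus no new window) from the profile menu
    'PrintingEnabled'            = 0   # print-to-PDF is one more route to a file dialog
}

function Set-EdgeUrlList {
    param([string]$Path, [string[]]$Patterns)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # The lists are stored as numbered string values ("1", "2", ...);
    # clear the old ones first so re-running the script is idempotent.
    foreach ($old in (Get-Item $Path).GetValueNames() | Where-Object { $_ -ne '' }) {
        Remove-ItemProperty -Path $Path -Name $old
    }
    $n = 1
    foreach ($p in $Patterns) {
        New-ItemProperty -Path $Path -Name "$n" -Value $p -PropertyType String -Force | Out-Null
        $n++
    }
}

function Set-EdgeKioskPolicies {
    if (-not (Test-Path $EdgePolicy)) { New-Item -Path $EdgePolicy -Force | Out-Null }
    foreach ($name in $Dwords.Keys) {
        New-ItemProperty -Path $EdgePolicy -Name $name -Value $Dwords[$name] -PropertyType DWord -Force | Out-Null
    }
    Set-EdgeUrlList -Path $Blocklist -Patterns $Blocked
    Set-EdgeUrlList -Path $Allowlist -Patterns $Allowed
}

# Reads the policies back; returns $true only when every value matches what we set.
function Test-EdgeKioskPolicies {
    $ok = $true
    $current = Get-ItemProperty -Path $EdgePolicy
    foreach ($name in $Dwords.Keys) {
        if ($current.$name -ne $Dwords[$name]) {
            Write-Warning "$name is '$($current.$name)', expected $($Dwords[$name])"
            $ok = $false
        }
    }
    $props = Get-ItemProperty -Path $Blocklist
    $gotBlocked = (Get-Item $Blocklist).GetValueNames() |
        Where-Object { $_ -ne '' } | Sort-Object { [int]$_ } | ForEach-Object { $props.$_ }
    if (($gotBlocked -join "`n") -ne ($Blocked -join "`n")) {
        Write-Warning 'URLBlocklist does not match the intended patterns'
        $ok = $false
    }
    return $ok
}

Set-EdgeKioskPolicies
if (Test-EdgeKioskPolicies) {
    Write-Host 'Edge kiosk policies applied. Restart Edge, then from the kiosk account retry Ctrl+O, file:///C:/ and the sidebar search; each should now be refused.'
}
```

This complements, rather than replaces, moving the kiosk account out of the 'Users' group: the policies only govern what Edge will do, while the group membership governs what the account can read if any further side door is found. The policies take effect on the next Edge launch, and the registry read-back is the reliable check because edge://policy is itself on the blocklist once edge://* is denied.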

P.S.: In its response, Microsoft did not fix this, treating it as outside their scope: lockdown is a defense-in-depth matter, and the enterprise has to deploy policies to enforce it.
