Vulnerability Disclosure - Kiosk Mode Bypass @ Scalefusion
Status: Open (as of 03-Dec-2023)
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H = 7.1 (High Severity)
Multiple CVEs: CVE-2023-50159, CVE-2023-51748, CVE-2023-51749, CVE-2023-51750, CVE-2023-51751
Impacted Component: ScaleFusion (Windows Desktop App) agent v10.5.2
Assumption: The enterprise wants to block execution of unwanted applications/scripts on the system and has implemented the ScaleFusion kiosk solution to allow only its desired application and nothing else.
Configuration: Windows agent-based kiosk mode configured to allow launching only MS Edge (or any other single app). Taskbar visible, Task Manager blocked, AppLocker rules not used, and no experimental features used.
Vulnerability Description: Despite configuring a complete restriction on any unwanted application/script via Scalefusion's Windows agent-based kiosk hardening, numerous alternate methods exist by which kiosk mode can be easily bypassed, granting complete access to the system.
Impact:
Loss of data confidentiality/integrity/availability (sensitive information can be stolen, arbitrary code can be executed, users can be phished, important files can be erased, etc.), defeating the sole purpose of kiosk mode.
Exploitability Rationale:
The user (attacker) may have admin or non-admin privileges depending on how the kiosk was configured. The attacker needs access to the system; no specific user privilege is required, as the kiosk account is auto-logged-in. (Verified on Windows 10; applicable to all Windows versions.)
Steps to Reproduce:
Method 1:
1. Right-click the Sounds icon in the taskbar and select Sounds from the context menu.
2. Navigate to the Playback tab > select Speakers > click the Properties button.
3. The Speakers Properties applet opens as a new window > General tab > Controller Information > click Properties.
4. The HD Audio Device Properties applet opens > go to the Events tab > click "View All Events" and wait for the MMC snap-in to load.
5. Event Viewer opens.
6. Tamper with events or attach a task.
Method 2:
1. Right-click the Sounds icon in the taskbar and select Sounds from the context menu.
2. Navigate to the Playback tab > select Speakers > click the Properties button.
3. The Speakers Properties applet opens as a new window > General tab > click the Change Icon button.
4. The Change Icon applet opens > click the Browse button to get the file picker dialog.
5. Navigate the filesystem without any restrictions.
Method 3:
1. Right-click the Battery icon in the taskbar and select Windows Mobility Center from the context menu.
2. In the newly opened applet, click the Display brightness icon > this opens the Control Panel Power Options. From there, click Control Panel Home to get the complete feature set.
Method 4:
1. Right-click the WiFi/LAN icon in the taskbar and select Troubleshoot Problems from the context menu.
2. Then select "I'm having a different problem" > "Connect to your workplace using DirectAccess" > Next > Next. (You might need to try this step a couple of times, as it varies per system/environment. The main thing is to get the "View detailed information" hyperlink and click it.)
3. Click the Print icon at the top right. In the newly opened Print applet, click the Find Printer button.
4. This opens a file picker, from whose address bar Control Panel can be opened, files can be viewed, etc.
Method 5:
1. Right-click the WiFi/LAN icon in the taskbar and select Troubleshoot Problems from the context menu.
2. Then select "I'm having a different problem" > "Connect to your workplace using DirectAccess" > Next > Next. (You might need to try this step a couple of times, as it varies per system/environment. The main thing is to get the "View detailed information" hyperlink and click it.)
3. Scroll down to locate Collection Information (expand the necessary fields, such as Detection Details). Locate the NetworkConfiguration.cab hyperlink and click it.
4. This opens IE and closes it, but in the background it opens File Explorer.
Method 6:
1. Right-click the WiFi/LAN icon in the taskbar and select Troubleshoot Problems from the context menu.
2. Then select "I'm having a different problem" > "Connect to your workplace using DirectAccess" > Next > Next. (You might need to try this step a couple of times, as it varies per system/environment. The main thing is to get the "View detailed information" hyperlink and click it.)
3. Click the Print icon at the top right. In the newly opened Print applet, right-click the default-selected "Microsoft Print to PDF" option > click Properties, which opens a new applet.
4. Open the Color Management tab > this opens a new applet. Click the Add button, which again opens a new applet. Click the Browse button to open the Windows file picker dialog, giving unrestricted access to the filesystem.
Method 7:
1. Right-click the Battery icon in the taskbar and select Power Options from the context menu.
2. The newly opened applet is the Control Panel Power Options. From there, open lusrmgr.msc from the address bar for user management.
Method 8:
1. Right-click the Battery icon in the taskbar and select Power Options from the context menu.
2. The newly opened applet is the Control Panel Power Options. From there, open write from the address bar for WordPad (write.exe is the WordPad binary).
3. Type any command to be executed and select the Save As option. Choose a location, e.g. the Documents folder, and name the file "script.bat" (the double quotes are essential to bypass the file-type selection in WordPad's drop-down). If, upon saving, a prompt asks whether to save in another format, click Yes.
4. Once again, from the address bar, start typing the path where the above file was saved. Notice that you automatically get suggestions of internal files/folders, e.g. C:\Users\kiosk1\Documents\script.bat. Press Enter to execute the batch file.
5. Notice that whatever you wrote in the batch file got executed. (To verify, perform some file/folder creation operation and check for it in the filesystem.)
Method 9:
1. Right-click the Battery icon in the taskbar and select Power Options from the context menu.
2. The newly opened applet is the Control Panel Power Options. From there, open write from the address bar for WordPad (write.exe is the WordPad binary).
3. Type copy C:\windows\system32\cmd.exe C:\users\kiosk1\documents\duplicatecmd.exe and select the Save As option. Choose a location, e.g. the Documents folder, and name the file "script.bat" (the double quotes are essential to bypass the file-type selection in WordPad's drop-down). If, upon saving, a prompt asks whether to save in another format, click Yes.
4. Once again, from the address bar, start typing the path where the above file was saved. Notice that you automatically get suggestions of internal files/folders, e.g. C:\Users\kiosk1\Documents\script.bat. Press Enter to execute the batch file.
5. Notice that duplicatecmd.exe got copied into the Documents folder.
6. Once again, from the address bar, start typing the path of the copied command prompt binary, i.e. C:\Users\kiosk1\Documents\duplicatecmd.exe, and press Enter. Notice that the command prompt works without any interruption.
Method 10:
- The key combination Ctrl+S or Ctrl+O brings up the Windows file picker dialog, wherein one can access all file partitions and execute commands via the address bar as well.
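A detection-side check for the chains above, added here as an example that is not part of the original disclosure and not ScaleFusion's code: a PowerShell classifier that flags Security Event ID 4688 process creations in the kiosk session which land in one of the binaries the methods end in (MMC for Event Viewer and lusrmgr.msc, WordPad, cmd, Control Panel, IE), or in an image started from a user-writable profile path (the duplicatecmd.exe case). It is demonstrated first on constructed sample records and then run against the live Security log. It assumes "Audit Process Creation" is enabled on the kiosk host and that the kiosk account is named kiosk1.

```powershell
# Added example (not from the advisory): flag 4688 process creations in the kiosk session
# that match the end points of the bypass chains. Assumed kiosk account: kiosk1.
$KioskUser = 'kiosk1'
# Binaries the methods end in; a legitimate Edge-only kiosk session never needs them.
$WatchList = 'mmc.exe', 'write.exe', 'wordpad.exe', 'cmd.exe', 'control.exe', 'iexplore.exe'

function Test-KioskProcessEvent {
    # Returns an alert string when a process creation is suspicious, $null otherwise.
    param([string]$User, [string]$Image, [string]$Parent)
    if ($User -ne $KioskUser) { return $null }
    $leaf = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    if ($WatchList -contains $leaf) { return "watched binary $leaf started (parent: $Parent)" }
    # Anything executed from the user's own profile is a copied or dropped binary.
    if ($Image -like 'C:\Users\*')  { return "image launched from user-writable path: $Image" }
    return $null
}

# Constructed sample records (not real log data) showing the classifier's verdicts.
$samples = @(
    @{ User = 'kiosk1'; Image = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; Parent = 'C:\Windows\explorer.exe' },
    @{ User = 'kiosk1'; Image = 'C:\Windows\System32\mmc.exe';                                  Parent = 'C:\Windows\explorer.exe' },
    @{ User = 'kiosk1'; Image = 'C:\Users\kiosk1\Documents\duplicatecmd.exe';                   Parent = 'C:\Windows\explorer.exe' },
    @{ User = 'admin';  Image = 'C:\Windows\System32\cmd.exe';                                  Parent = 'C:\Windows\explorer.exe' }
)
foreach ($s in $samples) {
    $verdict = Test-KioskProcessEvent @s
    '{0,-70} -> {1}' -f $s.Image, $(if ($verdict) { "ALERT: $verdict" } else { 'ok' })
}

# Live query: process creations from the last 24 hours in the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Read fields by name from the event XML rather than by positional index.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $verdict = Test-KioskProcessEvent -User $fields.SubjectUserName -Image $fields.NewProcessName -Parent $fields.ParentProcessName
    if ($verdict) { '{0:u} ALERT: {1}' -f $e.TimeCreated, $verdict }
}
```

Run it in an elevated PowerShell on the kiosk host (reading the Security log requires administrative rights). On the constructed samples the Edge launch and the admin's cmd.exe come back "ok", while mmc.exe under kiosk1 and the copied duplicatecmd.exe under the user profile are flagged. The file-picker methods (2, 4, 6, 10) do not necessarily spawn a new process, so this check covers the code-execution chains, not the browsing ones.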
Take Away:
We should always be ready for various tricks, since these are client-side security controls (there is no silver bullet for such issues).
To make things a little harder for an attacker, adopt an allowlisting (whitelisting) approach over a blacklisting approach.
Make use of rules based on digital signature + location + file hash.
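The allow-list the Take Away recommends, added here as an example that is not part of the original disclosure and not ScaleFusion's or Microsoft's code: a PowerShell script that builds an AppLocker policy for the kiosk account from a publisher (digital signature) rule for Edge, a hash rule for an unsigned in-house tool and a path (location) rule for the agent's folder, leaves scripts allowed only to administrators, and then checks the resulting decisions for the binaries the methods above end in. The account name kiosk1, Edge's default install path, C:\KioskApps\KioskTool.exe and C:\Program Files\KioskAgent are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example for this advisory (not ScaleFusion's or Microsoft's code): an AppLocker
# allow-list for the kiosk account built from the three rule types named above
# (publisher = digital signature, path = location, hash), rolled out in audit mode first.
# Assumed values: kiosk account 'kiosk1', Edge's default install path, an unsigned
# in-house tool under C:\KioskApps, and a placeholder folder for the MDM agent's binaries.
$KioskUser = 'kiosk1'
$EdgeExe   = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$ToolExe   = 'C:\KioskApps\KioskTool.exe'      # assumption: unsigned in-house binary
$AgentDir  = 'C:\Program Files\KioskAgent'     # placeholder: the MDM agent's install folder

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Publisher rule: Edge is allowed by signing certificate + product + binary name, so a copied
# or renamed binary (cf. duplicatecmd.exe in Method 9) never matches this rule.
$edgePolicy = New-AppLockerPolicy -FileInformation (Get-AppLockerFileInformation -Path $EdgeExe) `
    -RuleType Publisher -User $KioskUser -RuleNamePrefix 'Kiosk-Edge'

# Hash rule: an unsigned tool is pinned by its SHA-256 hash; any modified copy stops matching.
$toolPolicy = New-AppLockerPolicy -FileInformation (Get-AppLockerFileInformation -Path $ToolExe) `
    -RuleType Hash -User $KioskUser -RuleNamePrefix 'Kiosk-Tool'

# Path rule: everything under the agent folder, which only administrators may write to.
# A path rule on a user-writable folder (Documents, %TEMP%) would re-enable Methods 8/9.
$agentPolicy = New-AppLockerPolicy -FileInformation (Get-AppLockerFileInformation -Directory $AgentDir -Recurse -FileType Exe) `
    -RuleType Path -User $KioskUser -RuleNamePrefix 'Kiosk-Agent' -Optimize

# No "%WINDIR%\*" allow rule on purpose: that is what lets mmc.exe, write.exe and control.exe
# run in Methods 1-9. Start in AuditOnly and review AppLocker event ID 8003 (EXE, "would have
# been blocked") for anything the kiosk session itself still needs before switching to Enabled.
foreach ($p in $edgePolicy, $toolPolicy, $agentPolicy) {
    foreach ($rc in $p.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }
}
Set-AppLockerPolicy -PolicyObject $edgePolicy          # replaces the existing local policy
Set-AppLockerPolicy -PolicyObject $toolPolicy  -Merge
Set-AppLockerPolicy -PolicyObject $agentPolicy -Merge

# Script collection: only BUILTIN\Administrators (S-1-5-32-544) get an allow rule, so the
# "script.bat" of Method 8 is denied for kiosk1. Written as AppLocker policy XML; the rule
# Id is just a fresh GUID. Audit events for this collection are ID 8006 in the Script log.
$scriptXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts: Administrators only"
                  Description="Kiosk user has no allow rule, so every script is blocked"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'kiosk-script-rules.xml'
Set-Content -Path $xmlPath -Value $scriptXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Check the decisions, as the kiosk user, for the binaries the bypass chains end in.
$check = @(
    $EdgeExe,
    'C:\Windows\System32\mmc.exe',     # Methods 1 and 7 (Event Viewer, lusrmgr.msc)
    'C:\Windows\System32\write.exe',   # Methods 8 and 9 (WordPad)
    'C:\Windows\System32\cmd.exe'      # Method 9
)
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $check -User $KioskUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Run it elevated on the kiosk host. The final table should show Allowed for msedge.exe and DeniedByDefault for mmc.exe, write.exe and cmd.exe under kiosk1, because no allow rule for that user matches them. Two caveats a practitioner should keep in mind: a strict allow-list with no Windows-folder rule can also block shell components the kiosk session relies on, which is why the EXE collection starts in AuditOnly; and AppLocker only governs what may execute, so the file-picker browsing in Methods 2, 4, 6 and 10 still has to be addressed with NTFS permissions and drive-hiding policy rather than execution rules.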