In order to meet business requirements and client demand for remote access, many companies choose to deploy applications using Terminal Services, Citrix, and kiosk platforms. These platforms are commonly deployed in both internal networks as well as internet facing environments. In my experience, such application deployments are rarely locked down enough to prevent an attacker from breaking out to the underlying operating system. As a result, these systems can often be used as an entry point into the network and have the potential to provide attackers with unauthorized access to systems, applications, and sensitive data. The goal of this blog is to provide a simple process for testing common breakout scenarios using manual techniques and free tool kits. This should be useful to penetration testers and system administrators alike.
iKAT – Interactive Kiosk Attack Tool v3
Based on my experience, Terminal Services and Citrix clipboards are left enabled to meet business requirement most of the time. That means that as an attacker you can simply copy and paste your tools to the remote server.
There's many ways to attack - including downloading & running binaries, exploiting unpatched browser vulnerabilities, running Java/Silverlight plugins (you can deliberately give them access to the filesystem), running Media Player, PDF browser etc. Browsing through iKat will give you an idea of what ways can already be used to attack a kiosk system.
My guts tell me that there is no software that can successfully defend against all these attacks when the user wants to elevate privileges (i.e. wants "to be hacked") and the underlying OS/applications are not up-to-date with all security patches applied (and they aren't in real world kiosk appliances).
2ff7e9595c
Comments