February 17, 2008 6:15 AM PST

Hacking public-information kiosks

by Robert Vamosi

Public-information kiosks are supposed to let users find out more about a company or government agency, and nothing else. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map an organization's internal network from a kiosk running XenApp, formerly Citrix Presentation Server.

On the demonstration screen at ShmooCon, an East Coast hacker conference, Gupta showed how the familiar toolbars and browser frame are hidden on a kiosk running XenApp. The idea is that the public can click only on links within the single page being shown. But if a keyboard or a mouse is present, as one often is, Gupta was able to open additional sites and, from there, expose the internal network.

Starting with Ctrl-H, he pulled up the browser's history sidebar. If the history showed no outside sites such as Google, he could press Ctrl-O and type a URL into the Open dialog. If all else fails, Ctrl-N opens a new browser window, which shows the usual address bar and toolbar for navigation.

Opening a Web site not on the public tour could allow an attacker to download and install Nmap and port-scan the internal network. If the browser allows JavaScript, one could also run a JavaScript port scanner without installing anything on the kiosk.

Typing Ctrl-P calls up the Print dialog; Gupta pointed out that choosing to print to a file there opens a standard file dialog, from which one can browse the internal network.

No keyboard? No problem. Gupta says simply right-click on any image and choose Save As..., which opens the same kind of file dialog.

Gupta's demo concluded prematurely, hampered by a loss of Internet connectivity at the conference.

Citrix says on its site that when running XenApp, "built-in endpoint scans and policy controls take into account each user's role, device characteristics and network conditions to determine which applications and data they are authorized to access." However, Gupta said that the flaws were first called to his attention at a government agency. Using the standard Internet Explorer keyboard hot keys, Gupta and a partner were able to see inside the agency's network.
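As an added example (not code from the article, from McAfee or from Citrix), the following Python script audits an exported registry file for the Internet Explorer and Explorer policy values that remove each of the hot-key and file-dialog routes described above. The policy paths and value names are the documented Group Policy locations for those restrictions; the mapping from each escape route to a value, the sample export, and the decision to treat anything other than DWORD 1 as unset are the editor's assumptions. The History bar (Ctrl-H) is not covered by a single value in that key, so it is left out of the checklist. The script runs offline, so it can be pointed at a reg export of a kiosk image rather than at the live kiosk.

```python
"""Offline audit of a regedit export (.reg) for the Internet Explorer and
Explorer policies that close the kiosk-escape routes described in the post.
Added example; not code from the article, McAfee or Citrix."""
import re

# Documented policy locations (HKCU, so they apply to the published-app session user).
IE_RESTRICTIONS = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions"
EXPLORER_POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
COMDLG_POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32"

# Editor's mapping (assumption, not from the article) of each escape route to the
# DWORD=1 policy value that removes it. Ctrl-H (History bar) is deliberately absent.
REQUIRED = [
    ("Ctrl-O: File > Open dialog", IE_RESTRICTIONS, "NoFileOpen"),
    ("Ctrl-N: new window with full toolbar", IE_RESTRICTIONS, "NoFileNew"),
    ("Ctrl-P: Print dialog, print to file", IE_RESTRICTIONS, "NoPrinting"),
    ("Right-click > Save As", IE_RESTRICTIONS, "NoBrowserSaveAs"),
    ("Right-click context menu", IE_RESTRICTIONS, "NoBrowserContextMenu"),
    ("Tools > Internet Options", IE_RESTRICTIONS, "NoBrowserOptions"),
    ("Save downloaded program (e.g. Nmap) to disk", IE_RESTRICTIONS, "NoSelectDownloadDir"),
    ("My Network Places from any file dialog", EXPLORER_POLICIES, "NoNetHood"),
    ("Places bar in common file dialogs", COMDLG_POLICIES, "NoPlacesBar"),
]

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg(text):
    """Parse regedit export text into {key_lower: {value_name_lower: value}}.
    DWORDs become ints, strings stay strings, other value types are ignored."""
    hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            hive.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            hive[current][m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = _STRING_RE.match(line)
        if m:
            hive[current][m.group(1).lower()] = m.group(2)
    return hive


def audit(reg_text):
    """Return {escape_route: status}: 'blocked' (DWORD 1), 'missing' (value
    absent) or 'disabled' (present but not DWORD 1)."""
    hive = parse_reg(reg_text)
    report = {}
    for route, key, name in REQUIRED:
        value = hive.get(key.lower(), {}).get(name.lower())
        if value is None:
            report[route] = "missing"
        elif value == 1:
            report[route] = "blocked"
        else:
            report[route] = "disabled"
    return report


def open_routes(reg_text):
    """Escape routes still usable on the audited image, sorted by name."""
    return sorted(route for route, status in audit(reg_text).items() if status != "blocked")


# Constructed sample export: a partially hardened kiosk whose admin set most
# restrictions but left Ctrl-N enabled and never hid My Network Places.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoFileOpen"=dword:00000001
"NoFileNew"=dword:00000000
"NoPrinting"=dword:00000001
"NoBrowserSaveAs"=dword:00000001
"NoBrowserContextMenu"=dword:00000001
"NoBrowserOptions"=dword:00000001
"NoSelectDownloadDir"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32]
"NoPlacesBar"=dword:00000001
"""

if __name__ == "__main__":
    for route, status in audit(SAMPLE_REG).items():
        print(f"{status:8s}  {route}")
    print("still open:", open_routes(SAMPLE_REG))
```

Feed it the concatenated output of reg export for each of the three keys. A "blocked" result only means the menu item or dialog is disabled for that user; hiding drives and network places in dialogs (NoNetHood, NoDrives, NoPlacesBar) does not stop the published application itself from reaching the internal network, which is the exposure the demo actually showed. That part belongs in the XenApp session policies and in segmenting the kiosk's session from the internal network, not in browser restrictions.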

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Comments (8)
I have been doing this for years at work
by nelsonj3 February 17, 2008 9:05 AM PST
This is no revelation. OfficeMax uses Windows on their cash registers and has a web interface for the back office programs. They don't show the browser until you hit Ctrl-N; then, voila. There must be something more to his presentation than what was reported here. I would like to think that McAfee knew about Ctrl-N a long time ago.
McAfee disclosing softcore vulnerabilities
by n3td3v February 17, 2008 11:21 AM PST
They make more money from open holes than patched holes. There are tons of unpatched stuff security companies sit on for a rainy day because they make more business from delaying something. However, in this case it looks like this was a public relations stunt to get McAfee in news articles, to keep the brand name in circulation. It's an important thing to notice the researcher mentioned where he worked; he could have disclosed it as a private researcher, but it seems to have been important for the company name to be mentioned and his job position. You've got to question motives when considering these factors.
repeated information...
by 8DshR8rkt February 18, 2008 5:02 AM PST
The information in this article has been well documented previously on the Web. This is nothing new. Basically, if an admin is not savvy enough to harden the security on his/her XenApp server, then they are going to get 'knowledgeable' security consultants trying to make a name for themselves.
Definitions...
by MightyBook February 18, 2008 11:58 PM PST
I'm afraid the author is unaware of the definition of the word 'hacking' and, as a result, believes that using Windows commands such as Ctrl+N, Ctrl+H and Ctrl+P constitutes the same.

May I venture to guess that the author is a Mac user, unaccustomed to keyboard shortcuts?
probably not even that...
by chash360 February 19, 2008 10:18 AM PST
Mac users have enjoyed keyboard shortcuts longer than PC users: Undo, Cut, Copy, Paste, etc. (using the 'Command' key rather than 'Ctrl' with Z, X, C, V, etc.) were in practice long before Windows existed. Being a multiplatform user of many years, I will not hold your ignorance against you, but do understand that your statement is a blatant expression of an infantile superiority complex.

This is evidenced by the fact that these functions on a Mac are provided by the operating system directly, typically not requiring your application code to implement such functionality. Windows requires you to define your own undo procedures, to respond to the Undo message, which can be incredibly complex. The Mac implementation is much more efficient, usually requiring little effort from the programmer. Another useful feature Macs have is the Revert command, which typically reloads from the saved version of a file. Do not deceive yourself: there are many things that Macs currently do that PCs still only dream about, especially in multimedia production and broadcasting.

I agree the author probably does not know anything about real hacking.
This is Not Hacking, which is even worse.
by chash360 February 19, 2008 10:43 AM PST
First, Ctrl or Command key sequences are typically not considered hacking, by any stretch of the imagination.

Second, what a joke security must be for these, even simple, procedures to puncture through security. I keep hearing about software vendors focusing on security, but it's all PR crap. I have not seen one solid attempt at real designs for security since Multics, abandoned by MIT decades ago. Without user AND process permission sets, it's going to be a difficult road. With no competition for M$ it will be impossible, as they have no economic motivator to produce long-lasting, secure, stable, reliable code. How else would they sell their many upgrades, and keep so many H1Bs so gainfully employed in making patches and updates?

I am almost convinced we have completely lost all competence in really secure software architectures, I have not seen any for some time, and its not like its hard to improve current designs, they do not set the bar very high....

Is it just a repeated 'patch and release' attitude of software vendors? Or is it because corporate America decided that coders (as well as other IT workers) were lower-class labor, to be commoditized and outsourced to cheap-labor countries? Hmmmm... some of both?????