This year Moscow was swept up in a real bicycle fever: the number of bicycle rental stations grew from 79 to 150, and 90,000 people used the rental service. While our two-wheeled friends rest over the winter holidays, we will describe the vulnerabilities in the terminals used to pay for bicycle rental, which put users' personal data and electronic wallets at risk and also made us think about a new paradigm of attacks on corporate networks.

Payment and information terminals today operate on the streets, in shopping centers, at airports, in clinics and in the subway. Most of these devices run Windows in so-called kiosk mode, which runs a single full-screen application chosen by the administrator. The terminal's functionality expands considerably if you manage to exit kiosk mode into the operating system.
The application sometimes "crashes" on its own because of program errors and memory leaks, but there are also ways to minimize it deliberately. The oldest is a long press on the terminal screen until a context menu appears: the long press emulates a right mouse click. The further penetration scenario depends on the browser. For example, from the Google Chrome context menu you can reach the Control Panel through the "Save As" command or the help section icon.

In some cases an effective attack vector was simply tapping the lower-left corner of the screen, which exposed the taskbar and the Start menu, or pressing several areas of the screen at once to minimize the main application.

To date some of these loopholes have been closed. But not all! Let's look at the situation from the programmer's perspective. What might he overlook?
The developer will certainly test the interactive parts of his full-screen application and validate user-entered data so that the user has no opportunity to click on something and "fall through" into the operating system. But applications have become more complex and use various technologies, including third-party code or widgets from other companies.
Attack on the bike rental
The application in the bike parking terminal is beautifully designed, and character input had been tested... But there was one bad "but" in it. In addition to the user registration form, the interface contains a help section with a map. It holds a lot of useful information: where this terminal and other bike parking stations are, how to get to the nearest cafes, cinemas and other "points of interest". The map is based on the standard Google widget. That was the mistake.
If you look closely, you can see the "Report a Problem", "Privacy" and "Terms of Use" links in the bottom-right corner of the widget. Click any of them, and a standard Internet Explorer window appears.

The browser window could also be opened another way: by clicking the "Details" button when selecting the location of certain objects.

Half the job is done.
The help section in Internet Explorer gives access to all elements and system programs of the OS. A bit of street magic, and we find ourselves in the Ease of Access Center in the Control Panel, from which we launch the on-screen keyboard.

You can also get to the keyboard directly: open Explorer by sequentially choosing the properties of the Internet Explorer browser (the General tab, then the Options and View Objects buttons) and launch the Osk.exe application in the C:\Windows\System32 folder.
Armed with a virtual keyboard, we type cmd.exe and run the command line, where the WHOAMI command tells us our status in the system. We had administrative rights, so we could put on the crimson pants and give the orders.

Exploitation scenarios
The terminal had a full Internet connection, despite strict recommendations to limit such devices' access to the external network. An intruder could visit a site such as exploit-db, download malicious applications to the device's hard disk and run them, and extract the administrator password with well-known password-extraction tools (mimikatz, WCE, Fgdump, pwdump). It is worth adding that different bike parking stations are likely to share the same administrator password.
What else could a cyber cracker do? Replace files in the system directory, escalate privileges, dump user data. The glaring configuration flaws left the intruder room for quite dizzying maneuvers: building a botnet from the captured terminals, a mining pool, a cozy banner network with its own ads... Besides the usual interception of entered personal data with a keylogger, an attacker could send the parking application to himself over the network, modify it (for example, add a field demanding the three-digit CVV/CVV2 code) and put it back. Users would hardly suspect anything right away, but a bike ride would have cost them dearly...
The insidious print window
In addition to the friendly cartography, many terminals print receipts and tickets, and this too can be used to penetrate the system. For example, in one organization, when a ticket is issued for an electronic queue, a Windows print dialog appears for a moment. Under certain conditions it is not hard to click on printer selection and then exit to the Control Panel.

A similar window may appear if the built-in printer has run out of paper, the ink in the cartridge has dried up, or the terminal itself is busy solving Fermat's theorem and therefore works very slowly.

And if you dig deeper
Over the past year the author of this article and his colleagues have encountered unsafe e-government infomats, info kiosks at one of Russia's airports, in-flight entertainment systems and remote SCADA terminals, and have also launched Angry Birds on an ATM. Recently Russian clinics have been actively equipped with terminals where anyone can make an appointment with a doctor. Without due attention to the security of these terminals, we risk witnessing massive leaks of information that constitutes medical confidentiality.

And that is just the beginning! A distinctive feature of public terminals is that they are often connected to the same internal network and are trusted by the central server. At the same time, the terminal administrator may have access to the parent company's internal resources containing important confidential data. Does a hacker need to break through firewalls and intrusion prevention systems if he can find an information kiosk on a quiet street with vulnerabilities the size of a hippo and direct access to the main office server?
Imagine a modern high-tech airline whose information kiosks stand in various airports. Having obtained full access to a terminal and compromised the server responsible for such devices (an unpatched system, a vulnerability in the data exchange protocol), the attacker will check whether the server has a second interface connected to the airline's internal network and whether there are ways into it. There are several routes to corporate secrets: VPN access, terminal server and internal network administrator passwords, vulnerabilities in the web mail application used to send statistics or error reports.
What to do
The main trouble with touch-screen public terminals is that the main application gets minimized and the intruder lands in the Windows interface. Developers need to block the pop-up menu on a long press on the screen (equivalent to pressing the right mouse button) and exclude calls to the print window, from which one can get into the Windows Control Panel. We also recommend using embedded OS builds, which lack a number of the security flaws of the standard versions; in particular, do not use the desktop (though this still does not protect against opening the same IE).
The mandatory minimum includes checking all links in the full-screen application and in third-party widgets. If navigating to a web address opens a new browser window, disable this by editing the widget code and removing the links. The main terminal application should always stay on top of all Windows windows; various utilities can help with this (for example, Window On Top).
Other wishes: unique passwords on different terminals, ordinary user privileges for the device's standard mode, and a restricted list of addresses when accessing the external network.
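As an added illustration of the widget-link recommendation above (this is example code, not the article's or the rental operator's), the guards below sit in the kiosk's own web UI: they swallow the context menu raised by a right click or long press, stop clicks on widget links that would leave the kiosk origin or ask for a new window, and neutralize window.open. The kiosk origin and the stub document/window are assumptions for illustration.

```javascript
// Added example (not from the original article): guards for a kiosk web UI that
// embeds a third-party widget, so widget links cannot open a browser window and
// a long press cannot raise the context menu.
// KIOSK_ORIGIN is an assumed placeholder origin for the terminal application.
const KIOSK_ORIGIN = "https://kiosk.example";

// Decide whether a link may be followed inside the kiosk app: only http(s)
// URLs on the allow-listed origins, and never a link that asks for a new
// window (target="_blank"). mailto:, javascript:, file: and unparsable
// hrefs are refused.
function isAllowedNavigation(href, target, allowedOrigins = [KIOSK_ORIGIN]) {
  if (typeof target === "string" && target.toLowerCase() === "_blank") return false;
  let url;
  try {
    url = new URL(href, allowedOrigins[0]); // relative hrefs resolve against the kiosk origin
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return allowedOrigins.includes(url.origin);
}

// Install capturing listeners on the document and neutralize window.open.
// Returns counters so the operator can log how often the guards fired.
function installKioskGuards(doc, win, allowedOrigins = [KIOSK_ORIGIN]) {
  const blocked = { contextmenu: 0, navigation: 0, windowOpen: 0 };
  // Right click and long press both raise "contextmenu"; swallow it.
  doc.addEventListener("contextmenu", (ev) => {
    ev.preventDefault();
    blocked.contextmenu++;
  }, true);
  // Catch link clicks in the capture phase, before the widget's own handlers.
  doc.addEventListener("click", (ev) => {
    let el = ev.target;
    while (el && !(el.tagName === "A" && el.href)) el = el.parentNode; // nearest anchor
    if (el && !isAllowedNavigation(el.href, el.target, allowedOrigins)) {
      ev.preventDefault();
      ev.stopPropagation();
      blocked.navigation++;
    }
  }, true);
  // A widget cannot spawn a browser window if window.open does nothing.
  win.open = () => { blocked.windowOpen++; return null; };
  return blocked;
}
```

In a real deployment the script is loaded before the widget so its capture-phase listeners run first; the counters are worth shipping to the central server as a signal that someone is probing the terminal.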
PS: The incorrect configuration settings were professionally and promptly fixed by the developers, and the payment terminals of the Moscow city bike rental, according to representatives of the Moscow mayor's office, continue operating through the winter.
PPS: Thanks to Denis Makrushin for his help in conducting the study.
Author: Stanislav Merzlyakov