Free web service cracks internet kiosks
At the Defcon hacker conference, which ended on Sunday, New Zealand security specialist Paul Craig released version 5 of iKAT (Interactive Kiosk Attack Tool). iKAT is a free web service that tries to bypass the protective mechanisms of internet kiosk PCs and gain control of the systems. Such computers can usually be found in hotel lobbies, airport lounges and other public spaces. Kiosk operators can use iKAT to test the resilience of their systems.
The Linux- or Windows-based kiosk systems are usually protected and only allow specific applications to be launched. The primary aim of iKAT is to start a Windows or Linux shell. To achieve it, iKAT tries to exploit known vulnerabilities in a number of different ways. For example, when opening the iKAT page from a Windows-based kiosk system, users are presented with a "1Click PWN" button – this launches components including Metasploit on the server to scan the kiosk PC for browser exploits. Other avenues include accessing "Open File" or "Print File" dialogs in order to execute cmd.exe.
iKAT can also reveal hidden windows to display the administrator or debug windows that are part of many kiosk systems. The hacking server also offers browser add-ons. It uses ActiveX, ClickOnce (.NET), Java, Silverlight and Flash, and new processes can be started via Java, ActiveX and ClickOnce. As most kiosk systems will only launch signed software, Craig has obtained a code-signing certificate and signed his components with it. The developer has asked the hacker community for contributions (http://ikat.ha.cked.net/Windows/donatenow.html) to cover certificate costs ($500).
Craig also used the certificate to sign his versions of the command shells. These shells are used if the corresponding files on the kiosk PC have been deleted. Because various internet kiosk software vendors now block iKAT's original URL, he has started using a wildcard: all subdomains of hack.ed.net are associated with iKAT. Interested IT security experts can also download iKAT ("iKAT Portable") and run it on their own servers.
A new addition is the iKAT PhotoKAT variant. It allows users to hack photo kiosks that run under Windows. While the SmartScreen filter of Internet Explorer 9 under Windows recognises iKAT and the site's .exe files as dangerous, the browser will ignore warnings because users are intentionally accessing iKAT.
(Uli Ries / sno)