Airport Kiosks Security

Sat, 24 Nov 2007 22:05:39 GMT
by pdp

I had to change at Dublin from London for San Francisco and then San Jose when I was going for the OWASP USA event. My flight was early in the morning so I needed to give myself a slack of a couple of hours so that I feel safe that I wont miss the joy of the long and rather exhausting flight. So, having about 3 hours to waste, I decided to go around and see if there is anything interesting to do inside the terminal. Keep in mind that it was like 4am GMT.

The only thing that worked at that time of the day were the vending machines and the kiosks. I grabbed a bottle of Sprite (free ad here) and started exploring some of the kiosk. I was not looking for security bugs or anything like that. I simply wanted to find something that would allow me to kill a couple of hours. "Games would be perfect! Unfortunately, my profession always hunts me down. As soon as I get to some kind of device, I cannot do anything else but to explore, explore, explore."

I had done tones of Kiosk hacking in the past (all legally of course) so I had a very good idea how these systems work. However, I did not have any permissions to perform any security tests whatsoever on these boxes so the only thing I could legally do is to click on buttons. So this is all I did. Sometimes, clicking on buttons is sufficient enough to get onto some interesting stuff. So, this is what I've found:

  1. I started exploring some of the free services loaded around the chrome of the Kioask. One of them took me to a PHP script placed inside a directory named "kioskscripts". I simply uped one level in the directory structure and stumbled inside a folder which have some interesting files. This is where I stopped!
  2. Curiosity is a virtue. Again, I started exploring some of the free services and ups... what do you know... here is the admin interface. This is where I stopped!
  3. How many people will click on the home button? Apparently not that many. Well, I did! The home button took me to an ASP error page and guess what? Debugging mode is enabled? "No way! Get out of here!"
  4. Yes, debugs are turned on and that gives us all the sources. This is where I stopped!

Again, all of these is based on exploration and simple observation without doing anything funky. I've got some pictures as well which I cannot share for obvious reasons. I wonder what will happen if someone tries to push the limits of these boxes.

Archived Comments

SamSam
Interesting stuff. Reminds me of the time I saw the BoSoD on an ATM and the Windows XP desktop on a scan yourself checkout.
naomnaom
3 minutes killed out of 3 hours. Not bad.
DanielDaniel
Don't forget, under UK law you would have been persecuted for doing what you did. The issue isn't you just pressing buttons, but the fact you never had permission to make that computer perform that function, which is the crux of section 1a of the computer misuse act. Good to see kiosk security is still as crap as ever though :)
pdppdp
Daniel, this section of the UK law should get a lot more specific. Otherwise, the bad guys can use it for their own good. First of all how do we know that this is not the intendet feature when the only input device that was used was the m-pointer. In USA for example, if u r hiding drugs in your car and u get caught when being searched by a cop who did not had any reason to, then you can get away and attack back the legal system. Same with IT. The law is vague but often based on case studies, which are even more vague. In IT sec we are constantly playing with fire even when all the work we do is legal. I can get into a lot more details but I will stop here.
cybergothcybergoth
Some sitekiosks are connected to company's lan, few times I have successfully found intranet sites using your javascript port scanner.
nn
Nice, how did you use the debug functionality to get the source code listing?
swssws
oh no... so great ;) funny article...
Adrian PastorAdrian Pastor
@n - just click on "Show Complete Compilation Source" on the .NET error page (see screenshot).
cybergothcybergoth
n, try some asp tricks like | and ~ , example: login|.aspx