Public information kiosks vulnerable to hacking

By Robert Vamosi, CNET News.com
Monday, February 18, 2008 10:29 AM

Public information kiosks are supposed to allow users to find out more about a company or government agency, and that's all. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map the internal network on a system running XenApp, formerly Citrix Presentation Server.

On the demonstration screen at ShmooCon, an East Coast computer hacking conference, Gupta showed how the familiar toolbars and browser frame are missing on a system running XenApp. The idea is that on a kiosk the public can click on links only within the single page. But if a keyboard or a mouse is present, as is often the case, Gupta was able to open additional sites, exposing the internal network.

Starting with Ctrl-H, he was able to pull up the browser's history. If the history revealed no outside search engines like Google, one could also press Ctrl-O and type in Google there. If all else fails, one could also hit Ctrl-N and open a new tab, which will show the usual address bar and toolbar for navigation.

Opening a Web site not on the public tour could allow an attacker to download and install Nmap and run a port scan of the internal network. If the browser supports JavaScript, one could also run a JavaScript port scanner.

Typing Ctrl-P calls up the printer; however, Gupta pointed out that you can also save to file there and, while doing so, see the internal network.

No keyboard, no problem. Gupta says to simply right-click on any image and choose "Save As...".

Gupta's demo concluded prematurely, hampered by an overall loss of Internet connection at the conference.

Citrix says on its site that when running XenApp, "built-in endpoint scans and policy controls take into account each user's role, device characteristics and network conditions to determine which applications and data they are authorized to access". However, Gupta said that the flaws were first called to his attention at a government agency. Using the standard Internet Explorer keyboard hotkeys, Gupta and a partner were able to see inside the agency's network.

This article was first published as a blog on CNET News.com.

