Follow us on Twitter!
Things are more like they are now than they have ever been before. - Dwight D. Eisenhower
Thursday, April 24, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 30
Guests Online: 23
Members Online: 7

Registered Members: 82895
Newest Member: kevy90
Latest Articles

Uniguest bypass

Arrow Image Exploiting the Uniguest kiosk system



I donít know how often Iíve gone to a motel and saw that accursed 9.95$ for one night of internet and found myself thinking screw that crap. Well after some touring a majority of people in the same situation as me stumbled across the business center and saw free access computers with internet. You immediately check out the system (assuming you remembered that danged room key) and look at the computer wondering what the heck type of system itís running.

The two most common systems Iíve seen on my travels are the iBahn and Uniguest systems, both are based off of Windows XP and IE 6 from analysis. The one I will deal with in this paper is the Uniguest system.

As a common teenager I felt a compulsive desire to look at my Facebook but much to my annoyance the site was blocked from the login afterwards, but I really have to wonder about the competence of the Uniguest developers after what I found. After attempting to login to facebook it immediately blanked the page and halted loading, so I typed in facebook.com to the address bar and bingo, I was in, easy as that. Itís a miracle I didnít attract security with the compulsive laughing that followed as simply exiting the popups allowed me to browse freely. It was at this point I wondered what exactly was possible with the system.

I put in a jump drive in attempts to access a few files I had that I needed to finish up for a class to find that the jump drive was inaccessible and conveniently missing from the file browser. Being that the system is seemingly based entirely off of IE 6 I used the browser to open the file, strangely it worked. I got curious again, though attempts to relocate to the C drive were unsuccessful at best, they at least covered that much.

It also seems that executable files are completely blocked on the system, which I canít say surprised me. The only openable files are the ones that the system had ďprogramsĒ for.


For whatever reason I hit the escape key while browsing to try and exit a window and found something of extreme interest: Unlock System. You can imagine what could happen from here but alas time was not in my favor on this one.

Past this I didnít have any time left to experiment but I do have theories as to further exploitations that may be available to use. If anyone tries these I am not responsible for what may happen.

Theory 1: System is completely based off of iFrame or related media inside IE6. Crashing IE6 may generate hole.

Theory 2: Most file navigation is blocked, though some files are still available, possibility that filter is selective rather than all-inclusive, possible hole.

Theory 3: Possibility that not all extensions are blocked, seeing as IE6 is vulnerable to multiple exploitations already as well as WinXP it is plausible that ActiveX or other common holes can be used to install programs and bypass kiosk software.

Theory 4: If theory 3 holds true installation of basic keylogger or other viral program may be possible allowing complete manipulation of system. Also could allow installation of FireFox or other browser which would likely be unrestricted.

Theory 5: Aurora may be usable if willing to pay for Internet access or T3 holds true and shell exploitation software is installed.

Have fun and remember Iím not responsible for anything that may happen as a result of using anything in this tutorial.

Comments

TheMonitoron April 15 2010 - 01:55:13
<quote>Itís a miracle I didnít attract security with the compulsive laughing that followed</quote> made my day hahaha
korgon April 15 2010 - 07:47:55
Not actually informative, lack of good content IMO.
chmbrz10on April 15 2010 - 20:57:04
What was supposed to be the point of this post? All you succeeded in doing was accessing Facebook. Doesn't seem like much of an accomplishment. You could've done that with a proxy site. Sure IE6 is vulnerable, but I doubt that they are only using IE6 to protect the machine. It's probably wrapped in the shell of another program which makes it much harder to circumvent. Here's the information you presented to us: 1) You got to Facebook when apparently it blocked you at first 2) Nothing else As far as your theories are concerned, you've not given us much to think about. As I said earlier, if you wen't able to ctrl+alt+del out of the program, then it's not simply IE6 by itself. File navigation is most likely a whitelist and not a blacklist. Can't circumvent that. You're also overlooking a huge thing here: this system is probably being run in a user account. Even if you succeeded in getting out of the program and back to the login screen, you still don't know an administrator user/pass. Bottom line - you didn't figure anything out.
ellipsison June 22 2010 - 14:14:28
I would have checked hot keys first. Can you use file:///C:/ to access the computer's hard disk? I remember seeing multiple machines like that during my stay in Nevada at a BPA Nationals competition. The ones in my hotel required that you either swipe a card given by an issuer or put in a $1 bill per 1 minute . I'm sure if you had more time with the subject, you could have written a much better article. Et cetera.
stdioon November 27 2010 - 00:27:54
Why didnt you at least put the default password (thats almost never changed in my experience) in the article. tv4shawn
idlecometon June 01 2011 - 23:42:38
I thought it was a very nice article :-D But I hate facebook. And people. And places. And things.
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.