Security advisory: Porteus Kiosk security restrictions bypass

Advisory information

Title: Porteus Kiosk security restrictions bypass
Advisory reference: BLAZE-01-2017
Product: Porteus Kiosk
Disclosure mode: Coordinated disclosure

Product description

Porteus Kiosk is a popular lightweight Linux designed to be used as a kiosk solution. It implements several restrictions with the intent to prevent malicious users to modify the configuration of the Firefox browser and to escape the restricted browser environment and obtain access to the underlying operating system and filesystem.

Vulnerability details

In order to restrict access to the browser configuration facilities, Porteus Kiosk removed these menus from the browser interface. In addition, it implemented a blacklist filter to prevent the user from accessing protocols that can be abused to escape these restrictions, such as file:// and numerous chrome:// URIs.

During a security review of this kiosk solution it was found the blacklist was not enough to prevent the user to access configuration menus of the browser.

By typing any of these chrome URIs in Firefox:

chrome://global/content/config.xul
chrome://browser/content/openLocation.xul
chrome://global/content/filepicker.xul
chrome://mozapps/content/plugins/pluginInstallerWizard.xul
chrome://passwordmgr/content/passwordManager.xul
chrome://browser/content/preferences/preferences.xul
chrome://browser/content/preferences/advanced.xul
chrome://browser/content/preferences/applications.xul
chrome://browser/content/preferences/connection.xul
chrome://browser/content/preferences/permissions.xul
chrome://browser/content/preferences/sanitize.xul
chrome://browser/content/preferences/security.xul
chrome://mozapps/content/downloads/downloads.xul
chrome://browser/content/safeMode.xul

A user of the kiosk can access its configurations, password manager, etc. For example, a malicious user can reconfigure the network preferences to point to an attacker-controlled proxy and launch other attacks from there, intercept traffic and other malicious actions.

Fix and recommendations

The vulnerability has been addressed by Porteus Kiosk in release 4.0.0. It is recommended to upgrade Porteus Kiosk to its latest version.

Credits

This vulnerability was discovered and researched by Julio Cesar Fort from Blaze Information Security (https://www.blazeinfosec.com)

Disclosure timeline

24/05/2016: Initial contact asking for the vendor’s PGP key
24/05/2016: Vendor responded, asking for details of the vulnerability to be sent via unencrypted e-mail
24/05/2016: Vulnerability details sent unencrypted
24/05/2016. Vendor informed the vulnerability has been fixed and a patch will be released in the next automatic update
28/05/2016: A fix was released
28/03/2017: Advisory released

References

Porteus Kiosk: http://porteus-kiosk.org

About Blaze Information Security

Blaze Information Security is a privately held, independent information security firm born from years of combined experience. With presence in South America and Europe, Blaze has a team of senior analysts with past experience in leading information security consulting companies around the world and a proven track record of published security research.

E-Mail: [email protected]
Wildfire Labs blog: https://www.blazeinfosec.com/labs/
Twitter: https://www.twitter.com/blazeinfosec
Github: https://www.github.com/blazeinfosec

PGP key fingerprint: 9F8C 5552 C6A3 35F8 76E3 9A0C 09BD AA79 93E7 AE65