Hacking / Security testing Surfpoint (Airport Internet Terminals)
3. August 2009
6 hours are definitely too much for just waiting at the airport (on the trip from Black Hat, waiting in Zurich for the connecting flight to my beautiful Vienna). After 2 hours the internet terminal at Zurich Airport smiled at me and I decided to give it a try (a free security audit for them).
The owner of the HP LaserJet 4100 Series PCL is happy about 100 1 copies, as shown in the second picture. The first picture shows “I just got owned!!! SF111”, a bit unclear because I moved the camera when snapshotting.
How I owned these boxes:
2. "su" (for surfpoint)
3. Alt + T (for ending the task)
4. Enter (for pressing yes on the question box)
Surfpoint has a watchdog timer that always brings the Surfpoint window to the front and closes other windows, so be sure to make these 4 steps quickly (< 1 s)!
We have now closed the Surfpoint window and can enjoy our task manager. However, "Execute task" was disabled in the registry, so we cannot start, for example, cmd.exe.
5. Go to ? -> Info via the menu - this displays the info about the "Windows Task-Manager"
6. Click on "Show EULA" (underlined link), this opens notepad.exe
We now have notepad.exe, which means we have an "explorer" window: the file open dialog in notepad. We can now also investigate the network and open any text-based config file.
There seems to be a second watchdog process that checks whether surfpoint is running or not. Be sure to kill any suspicious process.
Otherwise the terminal seems to be "reset" (rebooted via the network) on a 10-minute check interval and you have to start over.
Passwords and other things I have figured out so far using my notepad.exe “shell”:
Passwords for actions in the menu:
Quit: quit
Config: unique05zurich
D:\Programme\Surfpoint\ (executable path and configs)
D:\Programme\Surfpoint\Surfpoint.ini (main settings of surfpoint, free website visits etc.)
D:\Programme\Surfpoint\Security\lock.reg (all registry modifications for "securing" the station, e.g. right-mouse click prohibition)
D:\Programme\Surfpoint\Security\unlock.reg (for reverting the registry modifications)
Remote mail server: mail.alixon.ch
Networks:
Surfpoint
- Sp11
- Sp13
- Sp19 (unique_ta_60er_glaswand_001)
- Sp23
MSHEIMNETZ
- Sp14
- Sp136
- Sp140
- Sp145
- Sp221
It was found that the machine stores pictures and videos taken with the webcam without asking. There was a log file of about 60 MB that logged all connections (in text format, with date and time). This disclosure posting also goes to the company behind Surfpoint so that they can secure their terminal software.
What can you do with the notepad shell?
I modified D:\Programme\Surfpoint\Surfpoint.ini to give me free internet access. I also found out that the flaw is that there are 5 programs excluded from being denied execution. One of them is notepad.exe; others are regedit and MSN Messenger. There are many powerful settings in the configuration file, check it out.
Note: This issue was reported to SurfPoint AG on the same evening I published this article, and so far there has been no response.
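An audit a kiosk operator could run over a lockdown file such as lock.reg to catch the allowlist flaw described above, as an added example that is not part of the original post and not Surfpoint's code. It assumes the lockdown uses the standard Windows `RestrictRun` and `DisableTaskMgr` policy values (the post only says "some registry entry"); the sample .reg text is constructed, and `msnmsgr.exe` is assumed as the MSN Messenger file name.

```python
import re

# Constructed sample in .reg export format; NOT the contents of the real lock.reg.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="surfpoint.exe"
"2"="notepad.exe"
"3"="regedit.exe"
"4"="msnmsgr.exe"
'''
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
# Why a given allowlisted program undermines the lockdown (reviewer's judgement).
RISKY = {
    "notepad.exe": "Open/Save dialogs act as a file browser",
    "regedit.exe": "can edit or revert the lockdown keys",
    "taskmgr.exe": "can end the kiosk and watchdog processes",
}

def parse_reg(text):
    """Return {key path (lowercased): {value name (lowercased): value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:  # DWORDs become ints, strings stay strings
                current[m.group(1).lower()] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return keys

def audit(text, kiosk_apps=("surfpoint.exe",)):
    """List lockdown weaknesses; kiosk_apps is what the terminal really needs to run."""
    keys, findings = parse_reg(text), []
    if keys.get(POLICIES + r"\explorer", {}).get("restrictrun") != 1:
        findings.append("RestrictRun not enabled: no allowlist in force")
    for exe in keys.get(POLICIES + r"\explorer\restrictrun", {}).values():
        name = str(exe).lower()
        if name not in kiosk_apps:
            reason = RISKY.get(name, "not needed by the kiosk")
            findings.append(f"{name} allowlisted: {reason}")
    if keys.get(POLICIES + r"\system", {}).get("disabletaskmgr") != 1:
        findings.append("DisableTaskMgr not set: Task Manager reachable")
    return findings
```

Calling `audit(SAMPLE_REG)` reports the three extra allowlisted programs and the reachable Task Manager; a file that allowlists only the kiosk application and sets `DisableTaskMgr` returns an empty list.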



Nice :)
Although printing 5 copies would probably have been enough to alert them, while saving some trees.
Was explorer.exe blacklisted, so you had to go the notepad->?->Info way to access the file system?
Note by Kleissner: You could not execute any other file (there is some registry entry for that) except the white-listed ones; surfpoint.exe was included. I assume the restriction is checked when using the ShellExecute() and CreateProcess() functions in Windows. You cannot execute any other file there (Windows will pop up and tell you to contact the system administrator), and the other system files like cmd.exe or calc.exe were deleted from the Windows installation. I used notepad to have an “explorer window”, the open and save dialogs. So I could check out the file system, read text-based files and check out the network a bit. I used Task Manager -> ? -> Info -> EULA to get to my notepad.exe.
Nice & well done ;-)
Nicely done. Always delighted to see that these terminals aren’t secure.
Have to say, if you do not block Ctrl+Alt+Del, you're just plain stupid.
No joke :D you've really got it :)