SSD Advisory – Porteus Kiosk

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Porteus Kiosk is a lightweight Linux operating system which has been restricted to allow only use of the web browser. Furthermore, the browser has been locked down to prevent users from tampering with settings or downloading and installing software. When the kiosk boots it automatically opens Firefox to your chosen home page. The history is not kept, no passwords are saved, and many menu items have been disabled for total security. When Firefox is restarted all caches are cleared and browser the reopens automatically with a clean session to ensure no trace of history is left.
Two vulnerabilities have been recently come into our attention and have been purchased from one of our security researchers, these vulnerabilities allow disclosure of local files and the ability to escape from the “jailed” browser.
The vulnerabilities have both been patched in the latest version, part of the 20150619, version.
The details mentioned below have not been released before though the description of the vulnerabilities found at Porteus Kiosk Changelog.
Vulnerability Details
The browser installed by default is a jailed Firefox that only allows you to zoom in, out, search and insert URL. There is not bars (menu, history, favorites, …) and you can’t use shortcuts (like ALT) so there is very limited usability.

The browser under Porteus Kiosk blocks some protocol/utilities from reading files, an includes a block of the file:// protocol handler.
The first bug is located, arbitrary file disclosure, because if you type view-source:file:///etc/passwd the content of the /etc/passwd file is returned which means that this block (of the file:// handler) is bypassed.
As mentioned the browser lacks any bars, which means you are bound to access only Internet sites, however using the following method you can escape from Firefox’s jail and get a fully functional Firefox, which is the second vulnerability a jailbreak.
The steps are:
1. Open new tab
2. Drag and Drop the new tab to the center of the screen.
Now you will get this tab opened in its own window.
3. Press ALT
The menu bar is now become visible
You are now free from the “jail”

Interested in Unauthenticated action vulnerabilities? You may be interested in these:

Looking to submit an Unauthenticated action vulnerability?

Talk to us!