Title: Porteus Kiosk security restrictions bypass
Advisory reference: BLAZE-01-2017
Product: Porteus Kiosk
Disclosure mode: Coordinated disclosure
Porteus Kiosk is a popular lightweight Linux designed to be used as a kiosk solution. It implements several restrictions with the intent to prevent malicious users to modify the configuration of the Firefox browser and to escape the restricted browser environment and obtain access to the underlying operating system and filesystem.
In order to restrict access to the browser configuration facilities, Porteus Kiosk removed these menus from the browser interface. In addition, it implemented a blacklist filter to prevent the user from accessing protocols that can be abused to escape these restrictions, such as file:// and numerous chrome:// URIs.
During a security review of this kiosk solution it was found the blacklist was not enough to prevent the user to access configuration menus of the browser.
By typing any of these chrome URIs in Firefox:
A user of the kiosk can access its configurations, password manager, etc. For example, a malicious user can reconfigure the network preferences to point to an attacker-controlled proxy and launch other attacks from there, intercept traffic and other malicious actions.
Fix and recommendations
The vulnerability has been addressed by Porteus Kiosk in release 4.0.0. It is recommended to upgrade Porteus Kiosk to its latest version.
This vulnerability was discovered and researched by Julio Cesar Fort from Blaze Information Security (https://www.blazeinfosec.com)
24/05/2016: Initial contact asking for the vendor's PGP key
24/05/2016: Vendor responded, asking for details of the vulnerability to be sent via unencrypted e-mail
24/05/2016: Vulnerability details sent unencrypted
24/05/2016. Vendor informed the vulnerability has been fixed and a patch will be released in the next automatic update
28/05/2016: A fix was released
28/03/2017: Advisory released
Porteus Kiosk: http://porteus-kiosk.org
About Blaze Information Security
Blaze Information Security is a privately held, independent information security firm born from years of combined experience. With presence in South America and Europe, Blaze has a team of senior analysts with past experience in leading information security consulting companies around the world and a proven track record of published security research.
PGP key fingerprint: 9F8C 5552 C6A3 35F8 76E3 9A0C 09BD AA79 93E7 AE65