Whitehat in action discovers Kiosk Escape & Escalation via Windows PasswordAgent

In the last few days some Whitehat hackers of the Vulnerability Lab have come together for an action at the station wilhelmshöhe in kassel (Germany) to deal with a new security hole of the Deutsche Bahn ticket machines. While the station woke up quietly at 05:00 in the early morning without security personnel, the action took place. In the first step of this article, we want to focus on the vulnerability and then explain our approach as a group.

It is possible for local attackers to break out of the kiosk mode of the Deutsche Bahn vending machine application if the Password Agent (PasswordAgent.exe) of the system receives a timeout or has a runtime error in the program itself in the background. These errors can occur due to aborted sessions, unclean logout or common errors when using the application at system level.

Last month, security researcher and founder of the vulnerability lab Benjamin Kunz Mejri discovered a new Microsoft Skype vulnerability. The problem has a local and a remote attack vector that can be exploited. Surprisingly, the way the attack takes place is via the client infrastructure to an export function for an older version of Skype. Skype has a new export function for the skype v7.x contents and messages. Users are able to export the old logs to generate a html file inside the browser with the exported content of the main.db file in combination with the journal file. The content is rendered and generated in the local installed standard browser without much usage of physical capacity. <!DOCTYPE html> <html> <head> <title>Archived conversations</title> <meta charset="utf-8"> </head> <body> <div class="header">