Simpliciti Locked Browser Jail Breakout Vulnerability ESRL Discovery Date: March 20, 2006 Discovery By: Adam Baldwin (adam_baldwin (at) evilpacket (dot) net [email concealed]) Versions Effected: All versions Background: Simpliciti Locked Browser is a product that provides "no-programming required PC lockdown..." functionality for common-access PCs or kiosks. "You can quickly create a limited or restricted Internet usage environment for users in places such as retail kiosks, libraries, self-serve banks, hospitals, and clinics, as well as in universities and schools." Overview: The Simpliciti Locked Browser interface jail can be broken out of using simple JavaScript. This vulnerability requires access to a website that is vulnerable to a cross-site scripting (XSS) attack or access to a website that you control. Proof of Concept: The following POC code demonstrates how to force the Locked Browser product into a continuous out of focus state that allows the user to "break out" of the interface jail. While it may initially appear that the user does not have extra control over the PC, the hotkey combination of ctrl+shift+esc will eventually bring up the Windows task manager. <script>while(true){window.blur();}</script> Mitigating strategy: As with any application, run it with minimal privileges. Strictly control the sites that the kiosk has access to. The vendor has confirmed that this vulnerability will be addressed in the next release of the product. Vendor Website: http://www.simpliciti.biz Vendor Communications: 03.20.2006 - Initial vendor notification (info [at] simpliciti.biz) 03.21.2006 - Vendor responded, requesting more information 03.21.2006 - Proof of concept provided to vendor 05.19.2006 - Vendor confirms fix in next release