Jay Little - Software Obsessionist
CompUSA's kiosk security sucks

12/18/2003 02:17:09

That's right. I've managed to do it again. The AOL kiosks used at CompUSA have a security hole that allows you full Admin access to the local box and access to their entire internal corporate network.

Simply go to the web browser portion of the AOL kiosk software and browse to a PDF file. This will open up Adobe Acrobat Reader within the browser. Click on the button which links you to the Adobe homepage. This will bring up another browser window. Using this window you can navigate the contents of the local hard drive by typing c: into the address bar. From here you can execute c:\winnt\system32\cmd.exe and run anything you want easily.

The default user on the machine has Admin access. This is a VERY VERY VERY bad thing. As you can imagine, I'm typing all of this from here within CompUSA and not a one of their clueless employees has noticed. Sucks to be them.

Oh well - here's hoping they fix the bug since I managed to broadcast a domain-wide message instructing them to do so. Best Buy still hasn't fixed theirs so I'm guessing CompUSA won't do much better.
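
For anyone who administers kiosks like this, the chain above comes down to three gaps: an admin-level kiosk account, a browsable C: drive, and a runnable cmd.exe. The following PowerShell audit is an added example, not part of the original post; the function names are hypothetical, and it assumes a modern Windows kiosk where it is run inside the kiosk user's session and the lockdown is applied through per-user (HKCU) policy.

```powershell
# Added example (not from the original post). Run inside the kiosk user's session.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-KioskLockdown {
    $findings = @()

    # Root cause in the post: the default kiosk user has Admin access.
    # whoami /groups lists the token's groups, including nested and deny-only
    # ones; S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    if (whoami /groups | Select-String -Pattern 'S-1-5-32-544\b' -Quiet) {
        $findings += 'Kiosk account is a member of BUILTIN\Administrators'
    }

    # Last step of the chain: cmd.exe started from the second browser window.
    # DisableCMD = 1 or 2 is the "Prevent access to the command prompt" policy.
    $cmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    if ($cmd -notin 1, 2) {
        $findings += 'Command prompt is not disabled by policy (DisableCMD)'
    }

    # Middle step: typing c: into the address bar to browse the local disk.
    # NoViewOnDrive is a bitmask (A=1, B=2, C=4, ...); value 4 covers drive C:.
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mask = Get-PolicyValue $explorer 'NoViewOnDrive'
    if ($null -eq $mask -or ($mask -band 4) -eq 0) {
        $findings += 'Drive C: is browsable (NoViewOnDrive does not cover C:)'
    }

    return $findings
}

# @() keeps the result an array even when there are zero or one findings.
$result = @(Test-KioskLockdown)
if ($result.Count -eq 0) { 'PASS: no lockdown gaps found' }
else { $result | ForEach-Object { "FAIL: $_" } }
```

The two policy checks only narrow the path; the Administrators finding is the one that decides how much damage any remaining escape can do.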

