lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 7 Oct 2014 10:50:34 -0700
From: "Constantine A. Murenin" <mureninc@...il.com>
To: fulldisclosure@...lists.org, PSIRT@...be.com
Subject: [FD] Adobe Acrobat XI on Uniguest Secured Advantage 7 privacy issue
 at Marriott et al

Dear fulldisclosure at seclists, PSIRT at adobe,

Whilst staying at two different Marriott branded properties within the
US, it has come to my attention that their kiosk software is quite
misleading about respecting the privacy of its users in the shared
setting that it's in.

The kiosk appears to be powered by "secured advantage 7", "(c) 2013
Uniguest Inc.".  Adobe Reader XI, Version 11.0.3.

0. Within "work", open "Word"; repeat for "Reader".
1. Do your stuff in Word / Reader:
 * Word: create a new document (to print it out).
 * Acrobat: File, Open, "http://your-server" -- open up a private PDF
from a secret address.
2. Click the "logout" text button on the screen.
3. Receive the following alert:

<<
SiteKiost (IE)
Are you sure you want to quit all applications and log out now?
For your security, all personal information stored on this computer
will be deleted.
>>

4. Click "OK" on the above alert, the following screen appears:

<<
Logging out.
Your personal information is being removed.
>>

After a long delay, it logs back in.

Strangely enough, both Word and Acrobat remain open. (!)

The Word document shows up in full (!), with a new dialogue:

<<
Microsoft Office Word
Do you want to save the changes to Document1?
>>

(I haven't tried if you could quickly save it whilst the dialogue is
still there; with how horrendously slow this whole kiosk thing is, I
won't be surprised if that timing attack factor is entirely
plausible.)

Subsequently, after a couple of seconds, Words disappears for good.
(Well, at least that's good.)  However, Acrobat remains; shows the
exact same document it was left behind with! (!)

Additionally, although the list of recent documents appears to be
rightfully disabled within Acrobat's File menu, as well as the welcome
screen, such list still does appear within the drop-down menu of the
recently opened items within File-Open itself.

In the case of flash drives, this just reveals the names of the files
that are hopefully no longer accessible.  However, in the case of
"http://" address scheme, access to your complete documents can still
be gained by any subsequent guests. (!)  Also, quitting Reader has no
effect on this list. (!)  Quitting Reader and clicking "logout" has no
effect, either. (!)

Apart from Uniguest, this appears to be an issue with Adobe Reader:

****  There is no way to remove recent items from this drop down list
in File Open in Adobe Reader XI.  Neither Backspace nor Delete perform
any kind of item deletion.  All "http://your-server" items appear
exposed.  This is obviously an Adobe privacy issue that appears to be
irrespective of Uniguest.  ****

I don't have much time to devote to this issue; I'm not sure if it has
already been reported or not; any info is welcome.  Specifically, as a
user of this system, I'd be interested in knowing a way to delete this
personal information from Reader.

P.S.  Marriott, if you're reading this:  please get rid of this broken
kiosk software and the horrendous Internet Explorer.  Please find a
kiosk vendor that at least does Google Chrome / Firefox / SeaMonkey
etc, at least as an option.  I should be able to just safely load a
PDF within the browser itself.  Instead, for whatever reason, the
Internet Explorer that's installed in your kiosk does not appear to be
capable of displaying PDFs; it appears to simply save them, without
even launching Reader afterwards; so, you have to launch Reader
yourself, and then the kiosk software fails to stop it on logout,
leaving my private information available and exposed for inspection by
the next guest.

Cheers,
Constantine.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ