Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kiosk escape (vulnerability disclosure) #434

Closed
Notselwyn opened this issue Jul 12, 2022 · 13 comments
Closed

Kiosk escape (vulnerability disclosure) #434

Notselwyn opened this issue Jul 12, 2022 · 13 comments
Assignees
Labels
bug This issue describes a bug in the software.
Projects
Milestone

Comments

@Notselwyn
Copy link

Hi there. I'm a Dutch IT student and security employee for a learning management system (LMS), and I found a kiosk escape issue/bug tested in SEB (v3.2.2) for Windows Home (10.0.19044) which allows a user in SEB to quit it without the quitting password. I'm a strong believer in coordinated vulnerability disclosure and I do not want to publish this issue in public (so people will take advantage of it). Do you have an email address where I can report it?

@dbuechel
Copy link
Member

Thanks for reaching out to us before publishing your findings. Please feel free to contact us under info at safeexambrowser dot org.

@Notselwyn
Copy link
Author

I can't find any contact information besides the Github repo. Can you please drop a hint where I can find it? ;-)

@danschlet
Copy link
Member

@dbuechel meant the e-mail address info at safeexambrowser dot org. at=@ dot=.

@Notselwyn
Copy link
Author

Alright. I'm sending the email now

@dbuechel dbuechel added the bug This issue describes a bug in the software. label Jul 13, 2022
@dbuechel dbuechel added this to the 3.4.0 milestone Jul 13, 2022
@dbuechel dbuechel added this to To do in SEB 3.4.0 via automation Jul 13, 2022
@dbuechel dbuechel moved this from To do to Done in SEB 3.4.0 Jul 26, 2022
@dbuechel
Copy link
Member

@Notselwyn We were able to fix the vulnerability, please feel free to test it in the latest beta version.

@dbuechel
Copy link
Member

dbuechel commented Aug 5, 2022

A fix for the issue is now available in version 3.4.0.

@dbuechel dbuechel closed this as completed Aug 5, 2022
@Notselwyn
Copy link
Author

Update: the issue got assigned CVE-2022-36220. It took MITRE relatively long, but it's here👍

@Notselwyn
Copy link
Author

I've asked MITRE to publish it so that it won't say reserved anymore and give basic descriptions with a reference. Should be updated soon

@Notselwyn
Copy link
Author

CC @dbuechel (notif)

@dbuechel
Copy link
Member

Excellent, that's great to know! Thanks again for the constructive and proactive collaboration, it is indeed highly appreciated!

@Notselwyn
Copy link
Author

You're welcome :p Thank you for the fast response times as well. Perhaps it could be useful for organisations if you put the CVE in the v3.4.0 release notes over at https://safeexambrowser.org/windows/win_release_notes_en.html so they know they should update the SEB version.

@dbuechel
Copy link
Member

Yes, that's a good idea, thanks for the input. I'll forward it to our internal responsible and see what they think about marking this release respectively on our website.

@Notselwyn
Copy link
Author

Notselwyn commented Aug 22, 2022

Are you okay with it if make an HackTheBox machine oriented around the CVE? e.g. the player has to perform a virtual kiosk escape in SEB as a foothold technique. Below are the pro's and cons of it (if the box gets accepted by HTB) in my POV:
The pro's:

  • You may receive more bug reports as hundreds of hackers will take a look at SEB

The cons:

  • Players will probably release an exploit for the CVE in their write-up for the machine

After submission it should take another 3 months before the box gets released, so hopefully enough institutions will have updated to SEB v3.4.0 .

Finally, sorry for keeping this closed issue alive for over a month :-) .

PS: The CVE just got CVSSv3 rated at 9.8 (very critical) by the US gov's https://nvd.nist.gov/vuln/detail/CVE-2022-36220. They included a list of 41 vulnerable SEB versions FYI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue describes a bug in the software.
Projects
No open projects
Development

No branches or pull requests

3 participants