Simpliciti Locked Browser Jail Breakout Vulnerability
ESRL

Discovery Date: March 20, 2006
Discovery By: Adam Baldwin (adam_baldwin@evilpacket.net)

Versions Effected: All versions

Background:
Simpliciti Locked Browser is a product that provides "no-programming
required PC lockdown..." functionality for common-access PCs or
kiosks. "You can quickly create a limited or restricted Internet usage
environment for users in places such as retail kiosks, libraries,
self-serve banks, hospitals, and clinics, as well as in universities
and schools."

Overview:
The Simpliciti Locked Browser interface jail can be broken out of
using simple JavaScript. This vulnerability requires access to a
website that is vulnerable to a cross-site scripting (XSS) attack or
access to a website that you control.

Proof of Concept:
The following POC code demonstrates how to force the Locked Browser
product into a continuous out of focus state that allows the user to
"break out" of the interface jail. While it may initially appear that
the user does not have extra control over the PC, the hotkey
combination of ctrl+shift+esc will eventually bring up the Windows
task manager.

  <script>while(true){window.blur();}</script>

Mitigating strategy:
As with any application, run it with minimal privileges. Strictly
control the sites that the kiosk has access to. The vendor has
confirmed that this vulnerability will be addressed in the next
release of the product.

Vendor Website: http://www.simpliciti.biz

Vendor Communications:
03.20.2006 - Initial vendor notification (info [at] simpliciti.biz)
03.21.2006 - Vendor responded, requesting more information
03.21.2006 - Proof of concept provided to vendor
05.19.2006 - Vendor confirms fix in next release