Clickjacking: Potentially harmful Web browser exploit

Author: Michael Kassner

Translated by: endurer, 2008-11-19, first edition

Category: General, security, News

Tags: Malicious Web Site, Web Browser, Spy, Clickjacking, Web Browsers, Internet, Michael Kassner, Adobe Systems Inc., Web, Vulnerability

English source: http://blogs.techrepublic.com.com/networking/?p=700&tag=nl.e102

Clickjacking has the potential to redirect unknowing users to malicious Web sites or even spy on them. We all need to be aware of clickjacking and how to avoid its trappings.

——————————————————————————————————————

TechRepublic’s Paul Mah made first mention of clickjacking in this Security News Roundup. At that time, security researchers Robert Hansen, founder of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, weren’t able to divulge a great deal about the vulnerability, as they were in talks with the major browser developers as well as Adobe. I’d like to personally commend them for making the choice to act responsibly and give developers time to fix the problems.

《endurer's notes: 1. mention of: to refer to, bring up

2. SecTheory: a security consulting company

3. WhiteHat Security: a leading provider of Web site security services, headquartered in Santa Clara, California.》

What is clickjacking?

Clickjacking takes advantage of the fact that a Web page isn’t just two-dimensional. Web pages have virtual depth, and that’s where clickjacking lives. Clickjacking uses a vulnerability that allows code to be embedded on a Web page, changing how the Web page responds to input. In the following quote by the researchers, one can see the extent and variations of clickjacking that are possible:

《endurer's note: 1. take advantage of: to exploit an opportunity》

“First of all let me start by saying there are multiple variants of clickjacking. Some require cross domain access, some don’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t. Clickjacking doesn’t cover any one of these use cases, but rather all of them. That’s why we had to come up with a new term for it — like the term or not. As CSRF didn’t fit the requirements for clickjacking, we had to come up with a new term to avoid confusion.”

For example, let’s say I’m on what appears to be my banking Web site. I then click on a button that brings me to my accounts. The only problem is that button didn’t bring me to my accounts; it brought me to a page that looks like my account or it carried out a completely different operation than what I expected. Robert Hansen gave an interesting example of what’s possible with clickjacking:

《endurer's note: 1. carried out: performed (implemented)》

“Say you have a home wireless router that you had authenticated prior to going to a legitimate web site. The attacker places a tag under your mouse that frames in a single button that could order the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

The second example is more insidious as attackers wouldn’t have to worry about mimicking or compromising legitimate Web sites.

Smile, you’re on candid camera

You may have been wondering why I mentioned Adobe earlier. Well, they’re in the middle of this vulnerability, too. Exploiting a vulnerable version of Flash Player software with clickjacking could allow the attacker to turn on computer-connected webcams and microphones, actually spying on the user.

This vulnerability is already out in the wild; Flash developer Guy Aharonovsky published a proof-of-concept (PoC) demonstration on his Guya.net Web site. The actual demonstration is currently disabled, but the video depicts how the attack occurs. There are several interesting comments and references to other articles about clickjacking on the Guya Web site as well.

《endurer's note: 1. in the wild: in the natural environment》

TechRepublic editor Selena Frye’s recent article “Flash Player 10 Performing Better on Linux, Mac OS” mentions several reasons why the new release is significant. Flash Player 10 is also significant because of the code Adobe recently added to eliminate the clickjacking vulnerability. In fact, in the security bulletin “Flash Player Update Available to Address Security Vulnerabilities” released on October 15, 2008, Adobe pointed out the only recourse users have is to update to version 10 of Flash Player. If you want to know what version of Flash Player is installed on your computer and where to download the latest version, you can do so at the Adobe Flash Player Web site.

More Clickjacking details

When Mr. Grossman and Mr. Hansen initially presented the details of this vulnerability, Adobe asked them to not go public with the exploit until they (Adobe) had a fix. With the release of the PoC on the Guya Web site and almost simultaneous release of Flash Player 10, the researchers finally didn’t have any reason not to discuss the details of the vulnerability. You can read about all 12 issues at the ha.ckers.org Web site.

《endurer's note: 1. PoC: Proof of Concept》

How to eliminate the vulnerability?

The one obvious fix is to update to Flash Player 10 if at all possible. As for Web browsers, it’s more difficult. If you’re using Firefox, I’d suggest upgrading to version 3 and installing all the latest patches. You may have heard me mention NoScript before. Giorgio Maone, the developer of NoScript, has been in contact with Mr. Grossman, and both are of the mind that NoScript will in almost all cases prevent clickjacking attacks. The only problem is that NoScript isn’t intuitive, and a majority of users will get frustrated with it almost immediately.
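The iframe variants quoted above only work when the targeted page can be loaded inside a frame on another site. The following is an added example, not code from the article or from the researchers it cites: a Python check of whether a response's X-Frame-Options or Content-Security-Policy frame-ancestors headers (real browser controls that postdate this 2008 article and are not discussed in it) would let a given third-party origin frame the page. All URLs and headers used are constructed.

```python
# Added example (not the article's code): from an HTTP response's headers, decide
# whether a page on another site could load this page in an iframe, which is the
# precondition for the iframe clickjacking variants described above. X-Frame-Options
# and CSP frame-ancestors are real controls that postdate the article; data is constructed.
from urllib.parse import urlsplit

def _origin(url):
    p = urlsplit(url)  # scheme://host[:port], lower-cased; ports are compared literally
    return f"{p.scheme}://{p.netloc}".lower()

def _csp_frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.strip("'").lower() for s in parts[1:]]
    return None

def _source_matches(source, origin):
    """Does a CSP host source (https://*.x.example, x.example, https:, *) match origin?"""
    if source == "*":
        return True
    o_scheme, _, o_host = origin.partition("://")
    if source.endswith(":") and "://" not in source:  # scheme-only source, e.g. https:
        return o_scheme == source[:-1]
    if "://" not in source:                            # host-only source: any scheme
        source = "*://" + source
    s_scheme, _, s_host = source.partition("://")
    if s_scheme not in ("*", o_scheme):
        return False
    if s_host.startswith("*."):
        return o_host.endswith(s_host[1:])
    return s_host == o_host

def framing_allowed(headers, page_url, framer_url):
    """True if a document at framer_url may embed page_url in a frame. frame-ancestors
    wins over X-Frame-Options when both are present (per the CSP spec); no header
    at all means any site can frame the page."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)
    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # 'none' matches nothing, so it falls out as False
        return any((s == "self" and framer == page) or
                   (s not in ("self", "none") and _source_matches(s, framer))
                   for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True  # no control, or a value browsers ignore (e.g. the obsolete ALLOW-FROM)
```

A page for which `framing_allowed` returns True for an arbitrary third-party origin is exposed to the overlay and iframe variants described in the article, regardless of what the user's browser or NoScript settings do.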

 
