The Smiley Face Backdoor

MichaelLearns_
Jan 6, 2024


As I was preparing for my eJPT certification over the last few months, I encountered this very memorable backdoor for a network service application. I would like to call it ‘the Smiley Face Backdoor’ as you can see why in a moment.

FTP and vsFTPd

The File Transfer Protocol (FTP) is a network service protocol used to transfer files from a source to a destination. It uses port 21 for the control connection and port 20 for data transfer 1. FTP is such a ubiquitous and useful protocol that many applications are designed to provide this service. One of these is vsFTPd, the Very Secure File Transfer Protocol Daemon. According to the Arch Linux wiki, it is “a lightweight, stable and secure FTP server for UNIX-like systems” 2.

vsFTPd v. 2.3.4

The problem comes with the vulnerable vsFTPd version 2.3.4. Running searchsploit on my Kali Linux box for this particular application yields the following:

searchsploit result for vsftpd 2.3.4

As you can see, searchsploit yields two available exploits: the first one is a Python file that you can copy and run manually against a vulnerable system, and the second one is available via Metasploit.

Exploit-db gives the following description of the issue:

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011. 3

Going back to the Python code of the searchsploit entry 49757.py, we can observe the following code:

Here we can notice two things. (1) Notice the variables defined: a variable user with the string value “USER nergal:)” and a variable password with the string value “PASS pass”. (2) Notice as well the variable tn2, which calls the Telnet function to open a remote session to port 6200.

So What is Happening Here?

Well, apparently between June 30th 2011 and July 1st 2011, this version of vsftpd carried a backdoor that opens port 6200 remotely if the username entered is followed by the value “:)”.

Example: user:) or admin:) or shdjhasdhahdjsa:)

A snippet of the malicious code is shown below 4:

The conditional statement runs the function vsf_sysutil_extra() if the bytes 0x3a and 0x29 have been entered. This function then opens a remote session on port 6200. Interestingly, 0x3a and 0x29 are the ASCII codes for “:)”, as shown in a simple CyberChef conversion below:

Both the Metasploit module and the manual exploit take advantage of this backdoor to gain access to the system.
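From the defender's side, the trigger described above is easy to spot on the wire: a USER command whose argument contains the byte 0x3a immediately followed by 0x29, and then a fresh connection from the same client to tcp/6200. The following is an added example (not code from the original post or from vsftpd) that mirrors the backdoor's own adjacency test on raw bytes and runs it over a constructed sensor log; the log format and addresses are invented for the illustration.

```python
from typing import Dict, List

# vsftpd 2.3.4's backdoor test, as described above: the USER argument contains
# 0x3a (':') immediately followed by 0x29 (')'). Checked on raw bytes so an odd
# encoding cannot hide the pair from the detector.
TRIGGER = b"\x3a\x29"
BACKDOOR_PORT = "6200"

def has_smiley_trigger(username: bytes) -> bool:
    """True when the username would satisfy the backdoor's ':)' check."""
    return TRIGGER in username

# Constructed sample sensor log (not a real capture). Two record kinds:
#   ftp  <ts> <client> <command> [argument]   FTP control-channel commands
#   conn <ts> <client> <dst_port>             new TCP connections
SAMPLE_LOG = """\
ftp  2024-01-06T10:00:01 10.0.0.5 USER alice
ftp  2024-01-06T10:00:01 10.0.0.5 PASS hunter2
ftp  2024-01-06T10:02:13 10.0.0.9 USER nergal:)
ftp  2024-01-06T10:02:13 10.0.0.9 PASS pass
conn 2024-01-06T10:02:14 10.0.0.9 6200
conn 2024-01-06T10:02:20 10.0.0.7 6200
ftp  2024-01-06T10:03:00 10.0.0.7 USER bob
"""

def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag smiley USER commands, then 6200 connections from the same client."""
    alerts: List[Dict[str, str]] = []
    suspects = set()  # clients that already sent a ':)' username
    for line in text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) < 4:
            continue  # malformed or empty record
        kind, ts, client, *rest = fields
        if kind == "ftp" and rest[0] == "USER":
            name = rest[1] if len(rest) > 1 else ""
            if has_smiley_trigger(name.encode("latin-1")):
                suspects.add(client)
                alerts.append({"ts": ts, "client": client,
                               "reason": "USER contains ':)' (vsftpd 2.3.4 backdoor trigger)"})
        elif kind == "conn" and rest[0] == BACKDOOR_PORT and client in suspects:
            # A lone 6200 connection (10.0.0.7 here) is not flagged on its own.
            alerts.append({"ts": ts, "client": client,
                           "reason": "connection to tcp/6200 after smiley USER"})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ts"], a["client"], a["reason"])
```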

And thus the history and story of the Smiley Face Backdoor.

Definitely not something to smile about if you are a systems administrator using this service :)

References:

https://upload.wikimedia.org/wikipedia/commons/thumb/e/e0/SNice.svg/330px-SNice.svg.png

https://opensource.com/article/18/10/common-network-ports

https://wiki.archlinux.org/title/Very_Secure_FTP_Daemon

https://subscription.packtpub.com/book/security/9781786463166/1/ch01lvl1sec18/vulnerability-analysis-of-vsftpd-2-3-4-backdoor
