Green Dam exploit in the wild
An exploit for a flaw in censorware mandated by the Chinese government has been made publicly available for download on the Internet.
The buffer overflow flaw exists in the latest, patched version of Green Dam, 3.17, according to security researcher "Trancer," who claims authorship of the attack code.
"I wrote a Metasploit exploit module for Internet Explorer, which exploits this stack-based, buffer overflow vulnerability in Green Dam 3.17," Trancer wrote in his Recognize-Security blog. "I've tested this exploit successfully on the following platforms: IE6, Windows XP SP2, IE7, Windows XP SP3, Windows Vista SP1."
The attack code, which has been posted to the Milw0rm Web site for proof-of-concept exploits, has been circulating in the wild for a week, according to security consultant and ZDNet blogger Dancho Danchev.
The Chinese government has ordered Green Dam censorware, billed as a pornography filter, to come preinstalled on all PCs sold in the country beginning July 1. Jinhui Computer System Engineering, which produces the software, patched Green Dam after a team from the University of Michigan exposed a buffer overflow flaw in it.
Last week, the researchers said in an addendum to their original paper that despite this patch, the software remains vulnerable to buffer overflow attacks, which indicates that Green Dam's security problems "run deep."
Green Dam intercepts Internet traffic through a library called SurfGd.dll. Even after the patch, the researchers explained, SurfGd.dll still processes Web requests in a fixed-length buffer; a malicious Web site can overrun that buffer and take control of execution in applications on the target computer.
"The program now checks the lengths of the URL and individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer," wrote the researchers. "An attacker can compromise the new version by using both a very long URL and a very long 'Host' HTTP header. The pre-update version, 3.17, which we examined in our original report, is also susceptible to this attack."
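To make the researchers' point concrete, here is an added example (written for this page, not SurfGd.dll's own code) of a request assembler that applies the same per-field-only length check, beside a corrected version that also bounds the total. The buffer size and per-field limits are assumed values chosen for illustration; the page gives no real numbers.

```c
/* Added example, not Green Dam's code.  REQ_BUF_SIZE, MAX_URL_LEN and
 * MAX_HOST_LEN are assumed values for illustration only. */
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 2048   /* assumed fixed-length request buffer */
#define MAX_URL_LEN  1500   /* assumed per-field limit added by the patch */
#define MAX_HOST_LEN 1500   /* assumed per-field limit added by the patch */

static const char PREFIX[] = "GET ";
static const char MIDDLE[] = " HTTP/1.1\r\nHost: ";
static const char SUFFIX[] = "\r\n\r\n";

/* Bytes the request line plus Host header need, including the NUL. */
size_t request_bytes_needed(size_t url_len, size_t host_len)
{
    return (sizeof PREFIX - 1) + url_len + (sizeof MIDDLE - 1)
         + host_len + (sizeof SUFFIX - 1) + 1;
}

/* The post-patch style of check: each field bounded on its own. */
int per_field_check_passes(size_t url_len, size_t host_len)
{
    return url_len <= MAX_URL_LEN && host_len <= MAX_HOST_LEN;
}

/* Does a (url_len, host_len) pair pass the per-field check yet not fit?
 * Those are exactly the inputs that overflow the flawed assembler. */
int per_field_check_admits_overflow(size_t url_len, size_t host_len)
{
    return per_field_check_passes(url_len, host_len) &&
           request_bytes_needed(url_len, host_len) > REQ_BUF_SIZE;
}

/* Flawed assembler: per-field check, then unbounded concatenation into a
 * fixed stack buffer.  Calling it with a pair for which
 * per_field_check_admits_overflow() is true smashes the stack. */
int build_request_flawed(char *out, size_t out_size,
                         const char *url, const char *host)
{
    char buf[REQ_BUF_SIZE];
    if (!per_field_check_passes(strlen(url), strlen(host)))
        return -1;
    strcpy(buf, PREFIX);            /* no bound on the total length */
    strcat(buf, url);
    strcat(buf, MIDDLE);
    strcat(buf, host);
    strcat(buf, SUFFIX);
    if (strlen(buf) + 1 > out_size)
        return -1;
    strcpy(out, buf);
    return 0;
}

/* Corrected assembler: bounds the sum as well, and treats snprintf
 * truncation as a rejection rather than emitting a clipped request. */
int build_request_fixed(char *out, size_t out_size,
                        const char *url, const char *host)
{
    size_t url_len = strlen(url), host_len = strlen(host);
    if (!per_field_check_passes(url_len, host_len))
        return -1;
    if (request_bytes_needed(url_len, host_len) > REQ_BUF_SIZE)
        return -1;                  /* the check the patch lacks */
    int n = snprintf(out, out_size, "%s%s%s%s%s",
                     PREFIX, url, MIDDLE, host, SUFFIX);
    if (n < 0 || (size_t)n >= out_size)
        return -1;                  /* truncated: caller buffer too small */
    return 0;
}

int main(void)
{
    /* Constructed inputs: each field under its own limit, sum over the buffer. */
    char url[1401], host[1401], out[REQ_BUF_SIZE];
    memset(url, 'A', 1400);  url[1400] = '\0';
    memset(host, 'B', 1400); host[1400] = '\0';
    printf("per-field check passes: %d, admits overflow: %d\n",
           per_field_check_passes(1400, 1400),
           per_field_check_admits_overflow(1400, 1400));
    printf("fixed assembler on the long pair: %d\n",
           build_request_fixed(out, sizeof out, url, host));
    printf("fixed assembler on a normal request: %d\n",
           build_request_fixed(out, sizeof out, "/index.html", "example.com"));
    return 0;
}
```

The flawed version is deliberately left with its bug so the two can be compared; the test below exercises it only on inputs that fit. The fixed version rejects the long-URL-plus-long-Host pair before any copy happens, which is the check the quoted addendum says the patched library omits.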
Green Dam is also vulnerable to a blacklisting flaw, identified by University of Michigan researchers Scott Wolchok, Randy Yao, and J. Alex Halderman, which could allow third parties to upload malware via an innocuous-seeming update.
Western security experts have greeted the censorware with criticism. Bruce Schneier, BT's chief security technologist, told ZDNet UK the software could allow the creation of a massive botnet, either by Web criminals or even by the Chinese government. "Suddenly you have an army of a couple of billion computers," said Schneier. "This should worry all of us."
Tom Espiner of ZDNet UK reported from London.

Do you have any idea how big the MS code base is compared to Green Dam's?
Apple is one of the most proprietary companies you can purchase products from...
really? So where can I find the Microsoft-published specs and example code for building an app to open MS Office document formats (especially .doc, .xls, .ppt, and the like)? Furthermore, if they exist, will they be usable without Windows?
Oh, wait - they don't have them? You can't? Okay - how about the same goods for DirectX content, so that a translation layer can be built to use DirectX content on non-MS operating systems?
Nothing there either? Hmm... okay, how about Exchange? Does Microsoft have all the specs published and open so that one can build an app that reads from and writes to an Exchange database like Outlook can? You mean they demand absolute and exclusive access to that too!? (hint: even with OWA, you're stuck with the "Light" version unless you use Internet Explorer).
Well, crap. How about MS Access? It would be real nice to build a client that can open and convert Access databases... does Microsoft publish open file specs and sample code for that? Oh, they don't do that either?
Wow - for a company that you allege to be so open about access to content, Microsoft sure isn't living up to your assertions...
What does any of that have to do with content?
Sorry, but you are COMPLETELY WRONG. Microsoft indeed publishes file format specifications for Word, Excel, PowerPoint, and the like. You can download full specs for .doc, .ppt, .xls, etc. (both the old BINARY format and the new XML international standards versions.) Yes, Access (.mdb) format is also open and available.
See: http://www.microsoft.com/interop/osp/default.mspx
For example, here's the PowerPoint .ppt format: http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/PowerPoint97-2007BinaryFileFormat(ppt)Specification.pdf
What about Exchange you say? Exchange 2007 Protocols have been open since last year. See http://www.microsoft.com/protocols/default.mspx
So please take this ignorant FUD elsewhere. You have ZERO CREDIBILITY left here.
If you don't know how, then you don't know much about how programs actually work ;)
@mbenedict:
nice attempt, but if you actually open any of those alleged "specifications", you'll notice something. Well, a lot of somethings:
* "Patents. Microsoft has patents that may cover your implementations of the formats. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents"
* Incomplete/missing documentation (See also OOo and their strict adherence to those alleged "specifications", yet files written with MS Office still don't line up in too many cases). Complete specs would have eliminated that (see also the OOo mailing list, which almost constantly complains of this).
* Your alleged citation of the Exchange 2007 "specifications" also comes with a big, fat patent barrier, and contains nothing about accessing the .mdb (as I had noted before). IF you can locate it, kindly do so, instead of pointing to a page loaded with nebulous statements.
"Microsoft irrevocably promises NOT TO ASSERT any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation to the extent it conforms to a Covered Specification [...] To clarify, 'Microsoft Necessary Claims' are those claims of Microsoft-owned or Microsoft-controlled PATENTS that are necessary to implement only the required portions of the Covered Specification"
On EXCHANGE: I already posted the link to the Open Protocols. Go look up the Exchange APIs.
BY THE WAY, Random_Walk... the company you shill for, Apple, USED to publish iWork formats (such as the Keynote apxl v1 file format), but Apple decided to migrate to new, incompatible, UNPUBLISHED formats that are now FULLY CLOSED, for the sole purpose of breaking any other 3rd party applications which could compete with Apple.
What's up with that, HUH???? Apple... hello.... PROPRIETARY.... hello????
by n3td3v June 25, 2009 12:52 PM PDT
Bruce Schneier, are you saying hackers couldn't create a massive botnet via China without Green Dam? Come on, where do you think the reports of espionage were coming from? Some people blamed China directly for spying on British Telecom and other Western interests, but it's likely it was foreign intelligence outside of China compromising Chinese hosts to spy on interests in the West.
by mbenedict June 25, 2009 3:26 PM PDT
A "massive" botnet today might contain a few million zombies. That's about the practical limit that hackers can achieve, given the realities of today's infrastructure (rate of propagation vs. the number of unpatched machines vs. network topology, etc.) Even Conficker, by far the most sophisticated bot in the wild so far (from a control perspective), could only manage anywhere between 1 and 4.5 million machines depending on the measurement methodology.
With Green Dam, a hacker organization could conceivably create a botnet with a *billion* zombie machines. That's a few orders of magnitude higher than ANYTHING we've ever seen in the wild.
The only bright side would be... virtually all of those machines would be located in China. If a billion Chinese machines do become part of a botnet, the entire country would be disconnected from the 'net.