Green Dam exploit in the wild

A buffer overflow exploit for the Chinese censorware is circulating online, as university researchers warn the software remains vulnerable to a flaw
Written by Tom Espiner, Contributor

An exploit for a flaw in censorware mandated by the Chinese government has been made publicly available for download on the internet.

The buffer overflow flaw exists in the latest, patched version of Green Dam, 3.17, according to security researcher 'Trancer', who claims authorship of the attack code.

"I wrote a Metasploit exploit module for Internet Explorer, which exploits this stack-based buffer overflow vulnerability in Green Dam 3.17," Trancer wrote in his Recognize-Security blog. "I've tested this exploit successfully on the following platforms: IE6, Windows XP SP2, IE7, Windows XP SP3, Windows Vista SP1."

The attack code, which has been posted to the Milw0rm website for proof-of-concept exploits, has been circulating in the wild for a week, according to security consultant and ZDNet blogger Dancho Danchev.

The Chinese government has ordered Green Dam censorware, billed as a pornography filter, to come preinstalled on all PCs sold in the country from 1 July. Jinhui Computer System Engineering, which produces the software, patched Green Dam after a team from the University of Michigan exposed a buffer overflow flaw in it.

Last week, the researchers said in an addendum to their original paper that despite this patch, the software remains vulnerable to buffer overflow attacks, which indicates that Green Dam's security problems "run deep".

Green Dam intercepts internet traffic using a library called SurfGd.dll. Even after the patch, SurfGd.dll still uses a fixed-length buffer to process website requests, the researchers explained. Malicious websites could overrun this buffer to take control of the execution of applications on a target computer.

"The program now checks the lengths of the URL and individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer," wrote the researchers. "An attacker can compromise the new version by using both a very long URL and a very long 'Host' HTTP header. The pre-update version, 3.17, which we examined in our original report, is also susceptible to this attack."
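The bug class the researchers describe is a bounds check that validates each field on its own while the fields are copied into one shared buffer. The following C program is an added illustration of that check beside a corrected one; it is not Green Dam's code, not the Michigan team's, and the buffer size, field limits and request layout are constructed for the example. The model assembles a URL and a Host header into a fixed buffer with a bounded `snprintf`, so the flawed check is shown by its verdict rather than by corrupting memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the illustration only; not Green Dam's actual values. */
#define BUF_SIZE   256   /* fixed-length buffer the request is assembled into */
#define MAX_URL    200   /* per-field limit applied to the URL */
#define MAX_HEADER 200   /* per-field limit applied to the Host header */

/* Assembles "<url>\r\nHost: <host>\r\n" into buf with an explicit bound, so it
 * never writes past buf. Returns the length the full request WOULD need, which
 * is what a correct check has to compare against the buffer size. */
static size_t assemble_request(char *buf, size_t bufsize,
                               const char *url, const char *host)
{
    int n = snprintf(buf, bufsize, "%s\r\nHost: %s\r\n", url, host);
    return n < 0 ? 0 : (size_t)n;
}

/* The check described in the article: each field is bounded individually,
 * but nothing bounds their sum, so two fields that each pass can together
 * exceed BUF_SIZE. */
bool per_field_check_accepts(const char *url, const char *host)
{
    return strlen(url) <= MAX_URL && strlen(host) <= MAX_HEADER;
}

/* Corrected check: measure the assembled request and require that it fits
 * in the buffer with room for the terminating NUL. */
bool total_length_check_accepts(const char *url, const char *host)
{
    char scratch[BUF_SIZE];
    size_t required = assemble_request(scratch, sizeof scratch, url, host);
    return required < BUF_SIZE;
}

/* True when the per-field check would let a request through whose assembled
 * form does not fit the buffer: the condition a naive copy would overflow on. */
bool per_field_check_misses_overflow(const char *url, const char *host)
{
    char scratch[BUF_SIZE];
    size_t required = assemble_request(scratch, sizeof scratch, url, host);
    return per_field_check_accepts(url, host) && required >= BUF_SIZE;
}

/* Constructed worst-case input: both fields exactly at their own limit. */
static void fill_max_fields(char *url, char *host)
{
    memset(url, 'a', MAX_URL);     url[MAX_URL] = '\0';
    memset(host, 'b', MAX_HEADER); host[MAX_HEADER] = '\0';
}

bool oversized_pair_slips_past_per_field_check(void)
{
    char url[MAX_URL + 1], host[MAX_HEADER + 1];
    fill_max_fields(url, host);
    return per_field_check_misses_overflow(url, host);
}

bool oversized_pair_rejected_by_total_check(void)
{
    char url[MAX_URL + 1], host[MAX_HEADER + 1];
    fill_max_fields(url, host);
    return !total_length_check_accepts(url, host);
}

int main(void)
{
    const char *url = "http://example.test/", *host = "example.test";
    printf("short request: per-field=%d total=%d\n",
           per_field_check_accepts(url, host),
           total_length_check_accepts(url, host));
    printf("max-length pair: per-field check misses overflow=%d, "
           "total check rejects=%d\n",
           oversized_pair_slips_past_per_field_check(),
           oversized_pair_rejected_by_total_check());
    return 0;
}
```

With the constructed limits, a URL of 200 bytes and a Host header of 200 bytes each pass the per-field check, yet the assembled request needs 410 bytes against a 256-byte buffer; the total-length check is the one that rejects it. The defensive lesson is that a length check has to be applied to the quantity actually written into the buffer, not to its parts.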

Green Dam is also vulnerable to a blacklisting flaw, identified by University of Michigan researchers Scott Wolchok, Randy Yao and J Alex Halderman, which could allow third parties to upload malware via an innocuous-seeming update.

Western security experts have greeted the censorware with criticism. Bruce Schneier, BT's chief security technologist, told ZDNet UK the software could allow the creation of a massive botnet, either by web criminals or even by the Chinese government. "Suddenly you have an army of a couple of billion computers," said Schneier. "This should worry all of us."
