Remote code execution exploit for Green Dam in the wild

The recently exposed as vulnerable to trivial remotely exploitable flaws Chinese censorware Green Dam, has silently patched the security flaws (China confirms security flaws in Green Dam, rushes to release a patch) outlined in the original analysis detailing the vulnerabilities.

However, not only is the latest Green Dam v3.17 version still vulnerable to remotely exploitable flaws, but also, for over a week now a working zero day exploit (Exploit.GreenDam!IK; W32/GreenDam.A) has been circulating in the wild.

Here are more details on the remote code execution flaw in the latest version:

"Green Dam intercepts Internet traffic using a library called SurfGd.dll. Even after the security patch, SurfGd.dll uses a fixed-length buffer to process web site requests, and malicious web sites can still overrun this buffer to take control of execution. The program now checks the lengths of the URL and the individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer. An attacker can compromise the new version by using both a very long URL and a very long "Host" HTTP header. The pre-update version 3.17, which we examined in our original report, is also susceptible to this attack."

According to Green Dam's official web site, the latest 3.17 version which still remains exploitable, has already been downloaded 426,138 times, combined with raw data on over 7,172,500 downloads of the previously vulnerable version, the current situation could easily turn the "Great Botnet of China" from theory into practice if the exploits ends up embedded within a web malware exploitation kit.