Green Dam Vulnerability Analysis Report

Source: Internet   Posted by: 瑞士莲 知乎   Editor: 程序博客网   Date: 2024/04/28 13:55

Researchers at the University of Michigan today released an analysis report on Green Dam that points out several security risks in the software, including a remotely exploitable stack overflow vulnerability. The three researchers are Scott Wolchok, Randy Yao and J. Alex Halderman of the University of Michigan's Computer Science department. The vulnerability demonstration is at http://wolchok.org:8000/. Note that if a user with Green Dam installed visits the above URL, the browser will crash (with no other harm). With a carefully prepared web page, however, the user's computer could be controlled directly. If this vulnerability were exploited by malicious hackers, all 50 million Green Dam users could be taken over and turned into zombie machines and puppets.

The current workarounds are:
1. Disable Green Dam's filtering function
2. Uninstall Green Dam (the research also shows that the software's own uninstaller does not remove it cleanly)
According to the University of Michigan team's reverse engineering of Green Dam's encrypted .dat files, the scope of what it monitors is practically all-encompassing; the sites it monitors and blocks even include download.windowsupdate.com and liveupdate, which means it would control the installation of Windows patches. A Slashdot (/.) report says China is building the world's largest botnet.


Original article:
http://www.cse.umich.edu/~jhalderm/pub/gd/


Analysis of the Green Dam Censorware System


Scott Wolchok, Randy Yao, and J. Alex Halderman
Computer Science and Engineering Division
The University of Michigan
Revision 2.4 – June 11, 2009


Summary    We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

Green Dam displays this message when it detects banned phrases.
Introduction
According to recent news reports (NYT, WSJ), the Chinese government has mandated that, beginning July 1, every PC sold in China must include a censorship program called Green Dam. This software is designed to monitor internet connections and text typed on the computer. It blocks undesirable or politically sensitive content and optionally reports it to authorities. Green Dam was developed by a company called Jin Hui and is available as a free download. We examined version 3.17.

How Green Dam Works
The Green Dam software filters content by blocking URLs and website images and by monitoring text in other applications. The filtering blacklists include both political and adult content. Some of the blacklists appear to have been copied from American-made filtering software.

Image filter    Green Dam includes computer vision technology used to block online images containing nudity. The image filter reportedly works by flagging images containing large areas of human skin tone, while making an exception for close-ups of faces. We've found that the program contains code libraries and a configuration file from the open-source image recognition software OpenCV.

Text filter    Green Dam scans text entry fields in various applications for blocked words, including obscenities and politically sensitive phrases (for example, references to Falun Gong). Blacklisted terms are contained in three files, encrypted with a simple key-less scrambling operation. We decrypted the contents of these files: xwordl.dat, xwordm.dat, and xwordh.dat. We also found what appears to be a word list for a more sophisticated sentence processing algorithm in the unencrypted file FalunWord.lib. When Green Dam detects these words, the offending program is forcibly closed and an error image (shown above) is displayed.

URL filter    Green Dam filters website URLs using patterns contained in whitelist and blacklist files (*fil.dat, adwapp.dat, and TrustUrl.dat). These files are encrypted with the same key-less scrambling operation as the blacklists for the text filter. Five of the blacklists correspond to the categories in the content filtering section of Green Dam's options dialog (shown below).

We found evidence that a number of these blacklists have been taken from the American-made filtering program CyberSitter. In particular, we found an encrypted configuration file, wfileu.dat, that references these blacklists with download URLs at CyberSitter's site. We also found a setup file, xstring.s2g, that appears to date these blacklists to 2006. Finally, csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture that this file was accidentally included because it has the same file extension as the filters.

Security Problems
After only one day of testing the Green Dam software, we found two major security vulnerabilities. The first is an error in the way the software processes web sites it monitors. The second is a bug in the way the software installs blacklist updates. Both allow remote parties to execute arbitrary code and take control of the computer.

Web Filtering Vulnerability
Green Dam intercepts Internet traffic and processes it to see whether visited web sites are blacklisted. In order to perform this monitoring, it injects a library called SurfGd.dll into software that uses the socket API. When a user accesses a web site, this code checks the address against the blacklist and logs the URL.

We discovered programming errors in the code used to process web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack. Any web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer.

We have constructed a demonstration URL that triggers this problem. If you have Green Dam installed, clicking the button on our demonstration attack page will cause your browser (or tab) to crash.

This proof-of-concept shows that we are able to control the execution stack. An actual attacker could exploit this to execute malicious code.

Green Dam's design makes this problem exploitable from almost any web browser. At this time, the surest way for users to protect themselves is to uninstall Green Dam.

Blacklist Update Vulnerability
We found a second problem in the way Green Dam reads its filter files. This problem would allow Green Dam's makers, or a third-party impersonating them, to execute arbitrary code and install malicious software on the user's computer after installing a filter update. Users can enable automatic filter updates from the Green Dam configuration program.

Green Dam reads its filter files using unsafe C string libraries. In places, it uses the fscanf function to read lines from filter files into a fixed-length buffer on the execution stack. This creates classic buffer-overflow vulnerabilities. For example, if a line in the file TrustUrl.dat exceeds a certain fixed length, the buffer will be overrun, corrupting the execution stack and potentially giving the attacker control of the process.
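The bounded line reader below is an added example, not Green Dam's code, showing the check a defender would want in place of the unbounded fscanf("%s") into a fixed-length stack buffer described above (the same bound applies to the fixed-length URL buffer in SurfGd.dll from the web filtering section). LINE_BUF and the TrustUrl.dat-style sample content are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size standing in for the fixed-length stack buffer
 * the report describes; Green Dam's real size is not given. */
#define LINE_BUF 32

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Replaces the unbounded fscanf(fp, "%s", buf) pattern the report criticises:
 * fgets() never writes past cap bytes, and a line that did not fit is
 * rejected and drained rather than silently split into bogus entries. */
enum line_status read_filter_line(FILE *fp, char *buf, size_t cap)
{
    if (!fgets(buf, (int)cap, fp)) return LINE_EOF;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return LINE_OK; }
    /* No newline: line was exactly cap-1 bytes, was the last line, or is too long. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n') return LINE_OK;
    while (c != EOF && c != '\n') c = fgetc(fp);   /* drain the over-long tail */
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

/* Load a TrustUrl.dat-style file: returns accepted entries, counts rejected lines. */
int load_filter_file(FILE *fp, int *rejected)
{
    char buf[LINE_BUF];
    int accepted = 0;
    enum line_status st;
    *rejected = 0;
    while ((st = read_filter_line(fp, buf, sizeof buf)) != LINE_EOF) {
        if (st == LINE_TOO_LONG) { (*rejected)++; continue; }
        if (buf[0] != '\0') accepted++;            /* skip blank lines */
    }
    return accepted;
}

/* Constructed sample (not a real Green Dam file): two normal entries, one
 * long line exceeding LINE_BUF, a blank line, and a last line with no newline. */
FILE *open_sample_filter(void)
{
    static const char sample[] = "www.example.com\nupdate.example.net\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\nlast.example.org";
    FILE *fp = tmpfile();
    if (fp) { fwrite(sample, 1, sizeof sample - 1, fp); rewind(fp); }
    return fp;
}
```

Loading the sample yields 3 accepted entries and 1 rejected line; with fscanf("%s") the long line would instead have been written past the end of the 32-byte buffer.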

The filter files can be replaced remotely by the software maker if the user has enabled filter updates. The updates could corrupt these vulnerable files to exploit the problems we found. This could allow Green Dam's makers to take control of any computer where the software is installed and automatic filter updates are enabled. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server (for example, by exploiting DNS vulnerabilities) and take control of users' computers using this attack.

Removing Green Dam
Green Dam allows users who know its administrator password to uninstall the software. We tested the uninstaller and found that it appears to effectively remove Green Dam from the computer. However, it fails to remove some log files, so evidence of users' activity remains hidden on the system.

In light of the serious vulnerabilities we outlined above, the surest way for users to protect themselves is to remove the software immediately using its uninstall function.

Conclusion
Our brief testing proves that Green Dam contains very serious security vulnerabilities. Unfortunately, these problems seem to reflect systemic flaws in the code. The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf. These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack.

If Green Dam is deployed in its current form, it will significantly weaken China's computer security. While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China's July 1 deadline for deploying Green Dam nationwide.


--------------------------------------------------------------------------------

Additional Screenshot
Users can configure which categories of web sites are blocked by Green Dam.
Additional filters are used to block adult and politically-sensitive terms in text entry fields.


--------------------------------------------------------------------------------

Acknowledgments
We wish to thank our colleagues at the University of Michigan who alerted us to Green Dam and assisted with translation.
Contacting the Authors
Please send questions or comments to Professor J. Alex Halderman.


Concise Chinese translation (reading the English original is still recommended)

http://club.cat898.com/newbbs/dispbbs.asp?BoardID=18&id=2859156


Summary:

We discovered many remotely exploitable vulnerabilities in Green Dam; a web site can remotely control the computer of a visitor who is using Green Dam.

Because of programming errors, Green Dam has major security risks. If a user has installed Green Dam, a web site may exploit these problems to control the user's computer, for example to steal private information or send spam. In addition, the process by which Green Dam updates its blacklists over the network is also flawed; the developers or others could covertly install malicious software on the user's machine during this process.

We found all of these risks with less than 12 hours of testing and have reason to believe this is only the tip of the iceberg. Unsafe and outdated programming practices appear repeatedly in Green Dam, which may cause further problems. Fixing these problems will not happen overnight; for now we advise users to uninstall Green Dam immediately to protect their online safety.

How Green Dam Works

Green Dam filters in three ways: URL filtering, online image filtering, and text monitoring (across multiple programs). The filter lists include not only pornographic and adult content but also political information.

The online image filter works by searching for areas of an image that match human skin tone and filtering the image if the proportion is too large (close-ups of faces excepted). Our research found that the program's code libraries and configuration files come from the open-source software OpenCV.

Text filtering involves many programs; the filter lists contain many obscene words and politically sensitive terms. We have decrypted and published these lists (follow the link to the original article and find xwordl.dat, xwordm.dat and xwordh.dat, which can be opened directly). Another file, used for more sophisticated sentence filtering, is called FalunWord.lib. When these words or phrases appear in a program, the program is forcibly closed and Green Dam displays a warning.

URL filtering: Green Dam uses a blacklist and a whitelist for URL filtering, processed according to a number of settings.

We found that many of the blacklists were taken from the American-made filtering software CyberSitter. Moreover, an encrypted configuration file, wfileu.dat, even gives download addresses on CyberSitter's web site. We also found an installation file, xstring.s2g, indicating that these blacklists date back to 2006. Finally, csnews.dat is an encrypted version of a 2004 CyberSitter news bulletin. We guess this file was mistakenly included because its extension is the same as that of the blacklist files.

Security Risks:

After only one day of testing we found two major security risks (mentioned in the summary; too lazy to translate).

We set up a test site:
http://wolchok.org:8000
If you have Green Dam installed, visiting this address will crash your browser.

This proves the vulnerability can be exploited: someone with ill intent could use the same technique to make users run malicious programs automatically.

The safest course at present is to uninstall Green Dam.

In addition, the blacklist update process also has many vulnerabilities, which can likewise make users run malicious programs, let attackers control users' computers, and so on.

Uninstalling Green Dam

We found that Green Dam leaves some log files behind after uninstallation; in other words, once a user's activity has been recorded it stays on the computer forever.

Conclusion

Green Dam makes going online more dangerous.