Analysis of the Green Dam Censorware System
Scott Wolchok, Randy Yao, and J. Alex Halderman
Computer Science and Engineering Division
The University of Michigan
Revision 2.4, June 11, 2009
Summary
We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any Web site a Green Dam user visits can take control of the PC.
According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors Web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.
We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any Web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.
We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.
Green Dam displays this message when it detects banned phrases.
Introduction
According to recent news reports (NYT, WSJ), the Chinese government has mandated that, beginning July 1, every PC sold in China must include a censorship program called Green Dam. This software is designed to monitor Internet connections and text typed on the computer. It blocks undesirable or politically sensitive content and optionally reports it to authorities. Green Dam was developed by a company called Jin Hui and is available as a free download. We examined version 3.17.
How Green Dam Works
The Green Dam software filters content by blocking URLs and Web site images and by monitoring text in other applications. The filtering blacklists include both political and adult content. Some of the blacklists appear to have been copied from American-made filtering software.
Image Filter
Green Dam uses computer vision technology to block online images containing nudity. The image filter reportedly works by flagging images containing large areas of human skin tone, while making an exception for close-ups of faces. We've found that the program contains code libraries and a configuration file from the open-source image recognition software OpenCV.
Text Filter
Green Dam scans text entry fields in various applications for blocked words, including obscenities and politically sensitive phrases (for example, references to Falun Gong). Blacklisted terms are contained in three files, encrypted with a simple key-less scrambling operation. We decrypted the contents of these files: xwordl.dat, xwordm.dat, and xwordh.dat. We also found what appears to be a word list for a more sophisticated sentence processing algorithm in the unencrypted file FalunWord.lib. When Green Dam detects these words, the offending program is forcibly closed and an error image (shown above) is displayed.
URL Filter
Green Dam filters Web site URLs using patterns contained in whitelist and blacklist files (*fil.dat, adwapp.dat, and TrustUrl.dat). These files are encrypted with the same key-less scrambling operation as the blacklists for the text filter. Five of the blacklists correspond to the categories in the Content Filtering section of Green Dam's Options dialog (shown below).
We found evidence that a number of these blacklists have been taken from the American-made filtering program CyberSitter. In particular, we found an encrypted configuration file, wfileu.dat, that references these blacklists with download URLs at CyberSitter's site. We also found a setup file, xstring.s2g, that appears to date these blacklists to 2006. Finally, csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture that this file was accidentally included because it has the same file extension as the filters.
Security Problems
After only one day of testing the Green Dam software, we found two major security vulnerabilities. The first is an error in the way the software processes Web sites it monitors. The second is a bug in the way the software installs blacklist updates. Both allow remote parties to execute arbitrary code and take control of the computer.
Web Filtering Vulnerability
Green Dam intercepts Internet traffic and processes it to see whether visited Web sites are blacklisted. In order to perform this monitoring, it injects a library called SurfGd.dll into software that uses the socket API. When a user accesses a Web site, this code checks the address against the blacklist and logs the URL.
We discovered programming errors in the code used to process Web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack. Any Web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer.
We have constructed a demonstration URL that triggers this problem. If you have Green Dam installed, clicking the button on our demonstration attack page will cause your browser (or tab) to crash. This proof-of-concept shows that we are able to control the execution stack. An actual attacker could exploit this to execute malicious code.
Green Dam's design makes this problem exploitable from almost any Web browser. At this time, the surest way for users to protect themselves is to uninstall Green Dam.
Blacklist Update Vulnerability
We found a second problem in the way Green Dam reads its filter files. This problem would allow Green Dam's makers, or a third party impersonating them, to execute arbitrary code and install malicious software on the user's computer after installing a filter update. Users can enable automatic filter updates from the Green Dam configuration program.
Green Dam reads its filter files using unsafe C string libraries. In places, it uses the fscanf function to read lines from the filter files into a fixed-length buffer on the execution stack. This creates classic buffer-overflow vulnerabilities. For example, if a line in the file TrustUrl.dat exceeds a certain fixed length, the buffer will be overrun, corrupting the execution stack and potentially giving the attacker control of the process.
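As an added illustration (not code from Green Dam or from the authors), the following C program contrasts the unbounded fscanf-into-a-fixed-buffer pattern described here, and the fixed-length URL buffer described in the Web filtering section, with a bounded reader that rejects over-long lines instead of overrunning the stack. The buffer size, file contents and function names are constructed stand-ins; the page does not state Green Dam's actual buffer sizes or file formats.

```c
#include <stdio.h>
#include <string.h>
#define LINE_BUF 64   /* hypothetical fixed size; the page does not give Green Dam's real sizes */

/* The defect pattern: "%s" carries no width, so fscanf writes past the end of a fixed
   stack buffer whenever a filter line is longer than LINE_BUF. Never called below. */
int read_line_unsafe(FILE *fp, char buf[LINE_BUF]) { return fscanf(fp, "%s", buf); }
typedef enum { LINE_OK, LINE_EOF, LINE_TOO_LONG } line_status;

/* Bounded replacement: fgets writes at most bufsz bytes. A line that does not fit is
   drained and reported, not silently truncated (a truncated pattern could change what is blocked). */
line_status read_line_safe(FILE *fp, char *buf, size_t bufsz) {
    if (!fgets(buf, (int)bufsz, fp)) return LINE_EOF;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';                 /* line fit: strip the newline */
        return LINE_OK;
    }
    if (feof(fp)) return LINE_OK;          /* final line without a newline */
    for (int c; (c = fgetc(fp)) != EOF && c != '\n';)
        ;                                  /* over-long line: discard its remainder */
    return LINE_TOO_LONG;
}

/* Reads a whole filter file: returns accepted entries, reports over-long ones via *rejected. */
int load_filter(FILE *fp, int *rejected) {
    char buf[LINE_BUF];
    int accepted = 0;
    line_status st;
    *rejected = 0;
    while ((st = read_line_safe(fp, buf, sizeof buf)) != LINE_EOF)
        if (st == LINE_TOO_LONG) (*rejected)++; else accepted++;
    return accepted;
}

/* Constructed stand-in for a whitelist such as TrustUrl.dat, written to a temp file:
   three ordinary entries plus one 200-byte line that exceeds LINE_BUF.
   Returns accepted * 100 + rejected (301 for this file), or -1 on failure. */
int sample_filter_result(void) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs("example.com\nnews.example.org\n", fp);
    for (int i = 0; i < 200; i++) fputc('A', fp);
    fputs("\nlast.example.net", fp);       /* no trailing newline on the last entry */
    rewind(fp);
    int rejected = 0;
    int accepted = load_filter(fp, &rejected);
    fclose(fp);
    return accepted * 100 + rejected;
}
```

With the unbounded read, the 200-byte line would have written 136 bytes past the 64-byte buffer; the bounded reader counts it as one rejected entry and keeps the other three.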
The filter files can be replaced remotely by the software maker if the user has enabled filter updates. The updates could corrupt these vulnerable files to exploit the problems we found. This could allow Green Dam's makers to take control of any computer where the software is installed and automatic filter updates are enabled. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server (for example, by exploiting DNS vulnerabilities) and take control of users' computers using this attack.
Removing Green Dam
Green Dam allows users who know its administrator password to uninstall the software. We tested the uninstaller and found that it appears to effectively remove Green Dam from the computer. However, it fails to remove some log files, so evidence of users' activity remains hidden on the system.
In light of the serious vulnerabilities we outlined above, the surest way for users to protect themselves is to remove the software immediately using its uninstall function.
Conclusion
Our brief testing proves that Green Dam contains very serious security vulnerabilities. Unfortunately, these problems seem to reflect systemic flaws in the code. The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf. These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack.
If Green Dam is deployed in its current form, it will significantly weaken China's computer security. While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China's July 1 deadline for deploying Green Dam nationwide.
Additional Screenshots
Users can configure which categories of web sites are blocked by Green Dam.
Additional filters are used to block adult and politically-sensitive terms in text entry fields.
Acknowledgments
We wish to thank our colleagues at the University of Michigan who alerted us to Green Dam and assisted with translation.
Contacting the Authors
Please send questions or comments to Professor J. Alex Halderman.