Saturday, April 23, 2011

Insecure Defaults In PPLiveVA Client
====================================

The Great Firewall is full of holes.

From http://www.synacast.com/en/ ...

"PPLive has more than 200 million user installations and its active monthly user base (as of Dec 2010) is 104 million, i.e., PPLive has a 43% penetration of Chinese internet users. With its innovative user experiences, such as live chatting, and SNS, average viewing time per person per day has reached over 2 hours and 30 minutes, the highest stickiness among all China websites."

The Intro
=========
Anyone who has followed public proxy lists over the past year will have noticed thousands of new open proxies listening on port 9415 appearing on those lists every day. In the past year I have documented over 394,000 port 9415 proxies from these public lists. Geolocation of the IP addresses puts most of them in China, with the rest in Taiwan, Macau, Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware. Finding nothing in Google (searching for 9415 will get you a lot of proxy lists), I eventually started searching Baidu. The results were immediate.

These proxies are built into the PPLiveVA client, which also serves the PAC (proxy auto-configuration) file that tells the browser to use them, from the following URL:

http://localhost:9415/tudouva.pac

Replacing "localhost" with the IP of an active port 9415 proxy (if you can find one) will get you the PAC file, shown below:

function FindProxyForURL(url, host) {
    // Never proxy plain hostnames, non-HTTP URLs, or anything aimed at the local machine.
    if (isPlainHostName(host) || url.substring(0,5) != "http:" || shExpMatch(url,"http://localhost:*") || shExpMatch(url,"http://127.0.0.1:*"))
        return "DIRECT";
    // Only video files are sent through the local proxy ...
    if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") || shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*"))
    {
        // ... unless they come from hzplayer0.tudou.com.
        if (shExpMatch(url, "*hzplayer0.tudou.com*"))
            return "DIRECT";
        else
            return "PROXY 127.0.0.1:9415";
    }
    else
        return "DIRECT";
}

The PAC file only ever points the browser at 127.0.0.1:9415, so the proxy has no reason to listen on anything but the loopback interface. In practice it binds to all interfaces, which turns every installation into an open HTTP proxy for anyone who can reach port 9415 on that host.
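To see exactly which requests that PAC file diverts through the proxy, here is an added example (not code from this post or from PPLive) that evaluates the PAC logic offline under Node. isPlainHostName and shExpMatch are browser built-ins with no Node equivalent, so minimal re-implementations are supplied; the sample URLs are constructed, not observed traffic.

```javascript
// Added example: evaluate the PPLiveVA PAC logic offline to see which URLs
// the browser would send through 127.0.0.1:9415. isPlainHostName and
// shExpMatch are browser PAC built-ins; minimal re-implementations are
// provided so the file runs under Node.

// Browser PAC built-in: true when the host has no dots (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Browser PAC built-in: shell-style glob match where "*" matches any run
// of characters and "?" matches exactly one. Everything else is literal.
function shExpMatch(str, pattern) {
  const re = pattern
    .split("")
    .map((c) => {
      if (c === "*") return ".*";
      if (c === "?") return ".";
      return c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp("^" + re + "$").test(str);
}

// The PAC served by the client at http://localhost:9415/tudouva.pac,
// reproduced from the post with only whitespace changed.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || url.substring(0, 5) != "http:" ||
      shExpMatch(url, "http://localhost:*") || shExpMatch(url, "http://127.0.0.1:*"))
    return "DIRECT";
  if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
      shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
    if (shExpMatch(url, "*hzplayer0.tudou.com*"))
      return "DIRECT";
    else
      return "PROXY 127.0.0.1:9415";
  }
  return "DIRECT";
}

// The host argument a browser hands to FindProxyForURL.
function hostOf(url) {
  return new URL(url).hostname;
}

// Routing decision for one URL.
function decide(url) {
  return FindProxyForURL(url, hostOf(url));
}

// Routing decisions for a list of URLs, keyed by URL.
function decideAll(urls) {
  return Object.fromEntries(urls.map((u) => [u, decide(u)]));
}

// Constructed sample URLs (not taken from the post).
const SAMPLE_URLS = [
  "http://video.example.com/clip.flv",      // proxied: video file, other host
  "http://hzplayer0.tudou.com/stream.mp4",  // direct: whitelisted host
  "https://video.example.com/clip.mp4",     // direct: not plain http:
  "http://127.0.0.1:9415/tudouva.pac",      // direct: loopback
  "http://intranet/movie.mp4",              // direct: plain hostname
  "http://cdn.example.com/page.html",       // direct: not a video file
];

for (const [u, d] of Object.entries(decideAll(SAMPLE_URLS))) {
  console.log(d.padEnd(22), u);
}
```

Only plain-http requests for .flv/.mp4/.m4v/.f4v files from hosts other than hzplayer0.tudou.com ever reach the proxy; everything else goes DIRECT. Note that the PAC matches on the whole URL, so a query string containing ".mp4" is enough to trigger proxying.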

The Outro
=========
Going by the user numbers quoted above, that would make something like 100 million open proxies in China, thanks to this software. Pick a Chinese IP address and scan for port 9415; you'll get one sooner or later. I don't consider this a 0day, since it's been going on for over a year. Responsible disclosure? Meh. A little late for that.

The fact is, they're pretty crappy proxies.

More Info
=========
http://proxyobsession.net/?p=1534

More Proxies
============
http://www.mrhinkydink.com/proxies.htm

Originally published 04/19/2011

4 comments:

  1. Anonymous, 10:26 AM

    Interesting article. Would you like to share what you found with a wider audience? If you can write up a tutorial on setting your browser up to use one of these proxies, we would publish it on our site: resources.infosecinstitute.com. Some of our articles have been picked up by national and international news sites like The Register.

    If you are interested and can get me 1,000 to 1,500 words by Wednesday, drop me a line at Terrence.Miltner@infosecinstitute.com

  2. The port 9415 proxies are notoriously bad and it's difficult to find one that's active for any significant amount of time, so it really wouldn't be of much use to your readers.

    Thanks for asking!

  3. Anonymous, 11:02 AM

    With the numbers that are out there, they don't have to be active for too long.

    I missed your comment after mine. Drop me an email, we'd love to talk about having you contribute to our website if you run across any other interesting vulnerabilities. Terrence

  4. Terrence, take a look sometime at the Koobface Report that's linked off the proxy list. It's a parody of a Symantec "white paper" that came out last year, but it's all based on my work with anonymous proxies. That's the kind of shit you can get away with as an anonymous blogger.

    You can have fun most of the time, and Get Serious when you need to. I liked what Dewey did with his 9415 article, but it's not my style.

    And I do appreciate the attribution and the links. It's a shame it was such a busy security news week. On a slower week the story could have had legs. Oh, well.

    Thanks again for your consideration.
