Insecure Defaults Lead to Mass Open Proxies in China

Description: A bug in Chinese video streaming software leads to mass open proxies on the web.

Introduction

A security blogger has uncovered a flaw in the Chinese PPLive video streaming software. A new port, TCP port 9415, was appearing regularly on websites that list open proxies. Most of these open proxies were based in China, but some were also in Taiwan and Hong Kong, and a small number were in the United States. Within a year, more than 394,000 open proxies listening on TCP port 9415 had been documented.

There was reason to suspect some kind of malware at play. Since English-language websites offered little information, Hinky Dink, the blogger who uncovered the open proxy port, started searching Chinese-language websites such as Baidu with the help of translation software.

We will look at how the flaw was found, what proxies are and how they are used on the internet today.

PPLive Open Proxy Vulnerability

After further research, the flaw appeared to be associated with a piece of software called PPLive, developed by a Chinese company called PPLive, Inc.

According to the PPLive, Inc official website, “PPTV online TV gains its popularity among netizens and is the world’s mostly installed streaming media software for online TV. It supports “live + on demand” function of massive HD video programs. It is available for viewing online entertainment video such as the film, TV drama, cartoon, variety show, sports live, e-games and financial information. Through advanced transmission technology of P2P, customers could enjoy the perfect experience of more viewers more fluent.”

http://www.synacast.com/article/29/

A quick whois on the synacast.com domain reveals it is owned by the Synacast Corporation, based in Shanghai Shi (Shanghai), China.

The PPLive client expected a PAC (proxy auto-configuration) file from its localhost (127.0.0.1). A PAC file is a JavaScript file, originally designed by Netscape, that lets a web browser automatically choose the appropriate proxy server (or a direct connection) when fetching a given URL.

The URL would have looked like the following:

http://localhost:9415/tudouva.pac

The PAC file name ‘tudouva’ refers to a ‘YouTube-style’ Chinese site located at http://www.tudou.com. The ‘tudouva.pac’ file contains the following source code:

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) || url.substring(0,5) != "http:" || shExpMatch(url, "http://localhost:*") || shExpMatch(url, "http://127.0.0.1:*") || shExpMatch(url, "*igrft=*"))
        return "DIRECT";
    if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") || shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*"))
    {
        if (shExpMatch(url, "*hzplayer0.tudou.com*"))
            return "DIRECT";
        else
            return "PROXY 127.0.0.1:9415";
    }
    else
        return "DIRECT";
}
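To see which requests the rule above actually routes through port 9415, here is an added example (not part of the original article or of PPLive): a minimal PAC runtime with the two helpers the file relies on, written with the usual Netscape semantics, plus the page's rule evaluated over constructed sample URLs. The example.com hosts are placeholders, not real PPLive or Tudou servers.

```javascript
// Added example: a minimal PAC runtime (isPlainHostName and shExpMatch, written
// here with the usual Netscape semantics) plus the PPLive rule from the page, run
// over constructed sample URLs to see which requests get sent to port 9415.
function isPlainHostName(host) {
  return host.indexOf(".") === -1; // e.g. "intranet" has no dots
}

function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// The rule from tudouva.pac, reproduced so it can be evaluated here.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || url.substring(0, 5) != "http:" ||
      shExpMatch(url, "http://localhost:*") || shExpMatch(url, "http://127.0.0.1:*") ||
      shExpMatch(url, "*igrft=*"))
    return "DIRECT";
  if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
      shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
    if (shExpMatch(url, "*hzplayer0.tudou.com*"))
      return "DIRECT";
    return "PROXY 127.0.0.1:9415";
  }
  return "DIRECT";
}

// Constructed sample URLs (example.com hosts are placeholders, not real PPLive CDNs).
const SAMPLE_URLS = [
  "http://v.example.com/clip.flv",          // plain-http video: sent to the local proxy
  "https://v.example.com/clip.mp4",         // https: the rule only handles "http:"
  "http://hzplayer0.tudou.com/a.mp4",       // explicitly excluded host
  "http://www.example.com/index.html",      // not a video file
  "http://127.0.0.1:9415/tudouva.pac",      // loopback is always DIRECT
  "http://v.example.com/clip.f4v?igrft=1",  // carries the igrft= marker
];

// Map each sample URL to the decision the PAC rule produces for it.
function evaluateSamples(urls = SAMPLE_URLS) {
  const decisions = {};
  for (const u of urls) decisions[u] = FindProxyForURL(u, new URL(u).hostname);
  return decisions;
}
```

Only plain-http requests for .flv/.mp4/.m4v/.f4v files reach the 127.0.0.1:9415 proxy; everything else, including https, goes DIRECT.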

TCP port 9415 should be bound so that it only accepts connections from the local host (127.0.0.1). In reality the service listens on all interfaces (0.0.0.0) and accepts connections from anywhere, which turns the client into an open proxy usable by anyone who knows its IP address and port.
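An added example (not from the original article) of the check an administrator would run for this class of insecure default: it parses a Linux-style `ss -ltnp` listing and flags sockets on a given port that are bound to anything other than a loopback address. The listing, process names and PIDs below are constructed for illustration; on Windows the equivalent `netstat -ano` output has a different column layout and would need its own parser.

```javascript
// Added example: audit `ss -ltnp` output for listeners on a port that are bound
// to a non-loopback address and therefore reachable from other hosts.
// The sample below is constructed for illustration, not captured from a real host.
const SAMPLE_SS_OUTPUT = `State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:9415         0.0.0.0:*          users:(("pplive",pid=2331,fd=12))
LISTEN  0       128     [::1]:9415           [::]:*             users:(("pplive",pid=2331,fd=13))
LISTEN  0       128     *:22                 *:*                users:(("sshd",pid=601,fd=3))`;

const LOOPBACK = new Set(["127.0.0.1", "::1"]);
const WILDCARD = new Set(["0.0.0.0", "::", "*"]);

// Split an ss "addr:port" field, handling bracketed IPv6 such as "[::1]:9415".
function splitLocal(field) {
  const i = field.lastIndexOf(":");
  let addr = field.slice(0, i);
  if (addr.startsWith("[") && addr.endsWith("]")) addr = addr.slice(1, -1);
  return { addr, port: Number(field.slice(i + 1)) };
}

// Return every LISTEN socket on `port` whose local address is not loopback.
// A wildcard bind (0.0.0.0, ::, *) is the PPLive case: open to the whole network.
function findExposedListeners(ssText, port) {
  const findings = [];
  for (const line of ssText.split("\n").slice(1)) { // skip the header row
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== "LISTEN") continue;
    const { addr, port: p } = splitLocal(cols[3]);
    if (p !== port || LOOPBACK.has(addr)) continue;
    const m = cols.slice(5).join(" ").match(/"([^"]+)"/);
    findings.push({ addr, port: p, process: m ? m[1] : "unknown", wildcard: WILDCARD.has(addr) });
  }
  return findings;
}
```

In the sample, the IPv6 listener on [::1]:9415 passes because it is loopback-only; the 0.0.0.0:9415 socket is the one that makes the host an open proxy.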

What are Proxies?

An ‘open proxy server’ (there are other types of proxy) is software that accepts connections and forwards them to their destinations, while sending the destination’s response back to the originator. The most common type of proxy is a web proxy, relaying HTTP/HTTPS and sometimes FTP traffic.

Illustration: No Proxy Server

The above image illustrates a normal simplified TCP connection from a client to a remote server.

Illustration: Proxy Server (connection via proxy)

The above image illustrates a simplified TCP connection from a client to a remote server through an open proxy server. As you can see from the illustration, there is a ‘middle man’, which acts as our proxy server.

Proxy servers have many uses in the security field. They are mainly used to hide the originator’s identity, implement access controls, bypass access controls or monitor traffic. The most valuable use of an open proxy server to the ‘average Joe’ is to hide one’s identity and place of origin.

Normally open proxy servers can be found on extensive lists which are hosted on various websites online. The proxies are normally categorized as follows (names may vary):

  • Transparent Proxy — The originator’s IP address is forwarded within the X-Forwarded-For (XFF) HTTP header. This kind of proxy is of no use if you wish to hide your identity or location. It does not necessarily mean the destination server is logging the X-Forwarded-For HTTP header, but you never know.
  • Anonymous Proxy — The originator’s IP address is not stored or forwarded by the proxy server; however, the proxy server logs that a proxy connection took place. This type of proxy is (in most cases) useful for hiding your identity or location.
  • Elite Proxy — Neither the originator’s IP address nor the fact that a proxy was used is stored by the proxy server. This type of proxy is the preferred choice when hiding one’s identity or location.

Using Open Proxy Servers

Please note that depending on the country you reside in, or the country the proxy server resides in, using proxy servers may be illegal. Please take the time to research the legality of using third-party proxy servers before using them. Another danger to be aware of when using open proxy servers is that they may be logging all traffic that passes through them. It is not advisable to do online banking, shopping, email, etc. over a proxy.

Once you are sure it is legal to do so, the first step is to find a proxy. The easiest way is to use an online proxy list, or to search for them yourself.

To search for them yourself, you can use the Nmap port scanner (http://nmap.org/), as illustrated below (nmap -p 9415 chinese_ip_range):

Illustration: Nmap scan of a Chinese IP range

Hinky Dink hosts proxy lists on his own website, which can be found here: http://www.mrhinkydink.com/proxies.htm

Conclusion

According to the official PPLive website, “PPLive has more than 200 million user installations”. If this is true, there are potentially the same number of open proxies within China. If there are so many open proxies within China, can you really blame the next attack on your server that came from a Chinese IP address on a Chinese citizen? I think not.

What implications does this have on the ‘Great Firewall of China’? It certainly won’t help the Chinese government in censoring its citizens.

I haven’t used PPLive myself, so I am not sure if there is an easy fix to the open proxy problem. It could be just a case of ticking a checkbox in its management interface, or setting up a firewall rule to only allow connections to TCP port 9415 from localhost.

Further Reading:

http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html

http://www.securityfocus.com/bid/47508/info

From : infosecinstitute.com

Hmmm… it seems this is not good news, 🙁 because I think this PPLive is packed with Kugou and other programs, and this application is also very famous in China.

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com