lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20110419170808.5e40dfa8b2f4f620cdf199af6efb8890.0175f26d83.wbe@email02.secureserver.net>
Date: Tue, 19 Apr 2011 17:08:08 -0700
From: <dink@...inkydink.com>
To: "full disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Insecure Defaults In PPLiveAV Client


Insecure Defaults In PPLiveAV Client
====================================

The Great Firewall is full of holes.

>>From http://www.synacast.com/en/ ...

"PPLive has more than 200 million user installations and its active
monthly user base (as of Dec 2010) is 104 million, i.e, PPLive has a 43%
penetration of Chinese internet users. With its innovative user
experiences, such as live chatting, and SNS, average viewing time per
person per day has reach over 2 hours and 30 minutes, the highest
stickiness among all China websites."

The Intro
=========
Anyone who has followed public proxy lists in the past year has noticed
there are thousands of new open proxies listening on port 9415 listed
every day.  In the past year I have documented over 394,000 port 9415
proxies from these public lists.  Geolocation of the IP addresses
indicates they are widespread mostly in China but also in Taiwan, Macau,
Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware.  Finding nothing in Google
(searching for 9415 will get you a lot of proxy lists), I eventually
started searching Baidu.  The results were immediate.

These proxies are built into the PPLiveAV client to retrieve an internal
PAC (proxy autoconfiguration) file from the following URL:

http://localhost:9415/tudouva.pac

Replacing "localhost" with the IP of an active port 9415 proxy (if you
can find one) will get you the PAC file, shown below:

function FindProxyForURL(url, host){
    if(isPlainHostName(host) || url.substring(0,5) != "http:" ||
shExpMatch(url,"http://localhost:*") ||
shExpMatch(url,"http://127.0.0.1:*"))
	return "DIRECT";
 				
    if(shExpMatch(url, "*.flv*")  ||  shExpMatch(url, "*.mp4*")  || 
shExpMatch(url, "*.m4v*")  ||  shExpMatch(url, "*.f4v*")) 
      {
	 if(shExpMatch(url, "*hzplayer0.tudou.com*"))
	   return "DIRECT";
       else 	
         return "PROXY 127.0.0.1:9415"; 
      }
    else
	return "DIRECT";
}

Obviously, the proxy should be listening on 127.0.0.1 only, but in
practice it listens on all interfaces.


The Outro
=========
It looks like there are 200 million open proxies in China, thanks to
this software.  Pick a Chinese IP address, scan for port 9415.  You'll
get one sooner or later.  I don't consider this a 0day, since it's been
going on for over a year.  Responsible disclosure?  meh.  A little late
for that.

The fact is, they're pretty crappy proxies.


More Info
=========
http://proxyobsession.net/?p=1534


More Proxies
============
http://www.mrhinkydink.com/proxies.htm



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ