Description: A bug in Chinese video streaming software leads to mass open proxies on the web.

Introduction

A security blogger has uncovered a flaw in the Chinese PPLive video streaming software. A new port, TCP port 9415, was appearing regularly on websites that list open proxies. Most of these open proxies were based in China, but some were in Taiwan and Hong Kong, and a small number were in the United States. Within a year, more than 394,000 open proxies listening on TCP port 9415 had been documented.

There was reason to suspect some kind of malware at play. Because English-language websites offered little information, Hinky Dink, the blogger who uncovered the open proxy port, started searching Chinese-language websites such as Baidu with the help of translation software.

We will look at how the flaw was found, what proxies are, and how they are used on the internet today.

PPLive Open Proxy Vulnerability

After further research, the flaw appeared to be in a piece of software called PPLive, developed by a Chinese company of the same name, PPLive, Inc.

According to the PPLive, Inc official website, “PPTV online TV gains its popularity among netizens and is the world’s mostly installed streaming media software for online TV. It supports “live + on demand” function of massive HD video programs. It is available for viewing online entertainment video such as the film, TV drama, cartoon, variety show, sports live, e-games and financial information. Through advanced transmission technology of P2P, customers could enjoy the perfect experience of more viewers more fluent.”

http://www.synacast.com/article/29/

A quick whois on the synacast.com domain reveals it is owned by the Synacast Corporation based in Shanghai Shi (Shanghai), China.

The PPLive client expected a PAC (proxy auto-configuration) file from its localhost (127.0.0.1). A PAC file is a JavaScript file, originally designed by Netscape, that lets a web browser automatically choose the appropriate proxy server (or a direct connection) when fetching a given URL.

The URL would have looked like the following:

http://localhost:9415/tudouva.pac

The PAC file name ‘tudouva’ refers to a ‘YouTube-style’ Chinese video site located at http://www.tudou.com

The ‘tudouva.pac’ file contains the following source code:

--------------------------------------------------------------------------------------------------------
// PAC entry point: the browser calls this for every URL it is about to fetch.
function FindProxyForURL(url, host)
{
    // Plain host names, non-HTTP URLs, anything on localhost/127.0.0.1 and
    // URLs carrying "igrft=" are always fetched directly.
    if (isPlainHostName(host) || url.substring(0,5) != "http:" || shExpMatch(url,"http://localhost:*") || shExpMatch(url,"http://127.0.0.1:*") || shExpMatch(url, "*igrft=*"))
        return "DIRECT";
    // Plain-HTTP video files are sent through the local PPLive proxy on
    // port 9415, except those served from hzplayer0.tudou.com.
    if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") || shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*"))
    {
        if (shExpMatch(url, "*hzplayer0.tudou.com*"))
            return "DIRECT";
        else
            return "PROXY 127.0.0.1:9415";
    }
    else
        return "DIRECT";
}
--------------------------------------------------------------------------------------------------------
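To see what this PAC file actually does to a client's traffic, the following added example (not code from the article or from PPLive) re-implements the two PAC helper functions the file relies on, `isPlainHostName` and `shExpMatch`, using their standard browser semantics (an assumption on my part), then runs the `FindProxyForURL` logic above over a set of constructed sample URLs. Note that the file only ever names `127.0.0.1:9415`: nothing in the PAC exposes the proxy, it merely steers the local browser's plain-HTTP video requests through it.

```javascript
// Added example, not part of the original article or of PPLive's software:
// a minimal offline evaluator for the tudouva.pac routing logic shown above.
// Browsers supply the PAC helper functions; the two used here are
// re-implemented with their usual semantics (assumption).

// isPlainHostName: true when the host contains no dots (e.g. "localhost").
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// shExpMatch: shell-style glob match where "*" matches any run of
// characters and "?" matches exactly one character.
function shExpMatch(str, shexp) {
  const pattern = shexp
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + pattern + '$').test(str);
}

// FindProxyForURL as served by the PPLive client (copied from the PAC above).
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || url.substring(0, 5) != "http:" ||
      shExpMatch(url, "http://localhost:*") || shExpMatch(url, "http://127.0.0.1:*") ||
      shExpMatch(url, "*igrft=*"))
    return "DIRECT";
  if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
      shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
    if (shExpMatch(url, "*hzplayer0.tudou.com*"))
      return "DIRECT";
    else
      return "PROXY 127.0.0.1:9415";
  } else
    return "DIRECT";
}

// Route a URL the way a browser would: extract the host, then ask the PAC.
function route(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed sample URLs (hostnames are documentation examples, not real).
const SAMPLE_URLS = [
  'http://localhost:9415/tudouva.pac',     // the PAC file itself: DIRECT
  'http://cdn.example.com/clip.flv',       // plain-HTTP video: via 127.0.0.1:9415
  'http://hzplayer0.tudou.com/clip.flv',   // whitelisted host: DIRECT
  'https://cdn.example.com/clip.mp4',      // not "http:": DIRECT
  'http://intranet/clip.mp4',              // plain host name: DIRECT
  'http://www.example.com/index.html',     // not a video file: DIRECT
];

// Build a URL -> decision table for a list of URLs.
function routingTable(urls) {
  const table = {};
  for (const u of urls) table[u] = route(u);
  return table;
}

for (const [u, decision] of Object.entries(routingTable(SAMPLE_URLS)))
  console.log(decision.padEnd(22), u);
```

The `route` helper uses Node's global `URL` class to split the host out of the URL, which is what the browser does before calling `FindProxyForURL`.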

Screenshot of ‘tudouva.pac’ file loaded in a browser:

TCP port 9415 should be bound only to the loopback interface (127.0.0.1) so that only the local PPLive client can connect; in reality the listener is bound to all interfaces (0.0.0.0) and accepts connections from anywhere. This turns the client into an open proxy that can be used by anyone who knows its IP address and port.
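A quick way for an administrator to check whether a host has a listener of this kind exposed is to read the listening-socket table and look for the port bound to anything other than loopback. The following added example (not from the article or from PPLive) does that over constructed sample text laid out like Linux `ss -ltn` and Windows `netstat -an` output; the column layout assumed is the usual one, and the port number is the article's 9415.

```javascript
// Added example, not from the original article: flag a listener that should
// be loopback-only but is bound to every interface. The sample text below is
// constructed in the column layout of Linux `ss -ltn` and Windows `netstat -an`.

// Loopback binds: 127.0.0.0/8 or ::1 (with or without brackets).
const LOOPBACK = /^(127\.\d+\.\d+\.\d+|\[::1\]|::1)$/;

// A "host:port" token, e.g. 0.0.0.0:9415, 127.0.0.1:9415, [::]:9415, *:9415
const ADDR_PORT = /^(\[[^\]]+\]|[^\s:]+):(\d+)$/;

// Parse every LISTEN/LISTENING line into {host, port, loopbackOnly}.
// In both layouts the first host:port column is the local address.
function parseListeners(text) {
  const listeners = [];
  for (const line of text.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (!cols.includes('LISTEN') && !cols.includes('LISTENING')) continue;
    let local = null;
    for (const c of cols) {
      const m = c.match(ADDR_PORT);
      if (m) { local = m; break; }
    }
    if (!local) continue;
    listeners.push({
      host: local[1],
      port: Number(local[2]),
      loopbackOnly: LOOPBACK.test(local[1]),
    });
  }
  return listeners;
}

// Audit one port: is anything listening on it, and on which non-loopback binds?
function auditPort(text, port) {
  const found = parseListeners(text).filter(l => l.port === port);
  const exposedOn = found.filter(l => !l.loopbackOnly).map(l => l.host);
  return { listening: found.length > 0, exposed: exposedOn.length > 0, exposedOn };
}

// Constructed samples: the vulnerable binding (0.0.0.0) and the corrected one.
const VULNERABLE_SS = [
  'State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port',
  'LISTEN  0       128     0.0.0.0:9415         0.0.0.0:*',
  'LISTEN  0       128     127.0.0.1:631        0.0.0.0:*',
  'LISTEN  0       128     [::]:22              [::]:*',
  'ESTAB   0       0       192.0.2.10:51234     203.0.113.5:443',
].join('\n');

const FIXED_NETSTAT = [
  '  Proto  Local Address          Foreign Address        State',
  '  TCP    127.0.0.1:9415         0.0.0.0:0              LISTENING',
  '  TCP    [::]:135               [::]:0                 LISTENING',
  '  TCP    192.0.2.10:50123       203.0.113.5:80         ESTABLISHED',
].join('\n');

console.log('vulnerable:', auditPort(VULNERABLE_SS, 9415));   // exposed on 0.0.0.0
console.log('fixed:     ', auditPort(FIXED_NETSTAT, 9415));   // loopback only
```

On a real host, feed the output of `ss -ltn` or `netstat -an` into `auditPort`; a result with `exposed: true` for port 9415 is the condition the article describes, and the fix is the one the conclusion suggests: bind the listener to 127.0.0.1, or firewall the port so only localhost may connect.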

What are Proxies?

An ‘open proxy server’ (there are other types) is software which accepts connections and forwards them on to their destinations, while returning each destination’s response to the originator. The most common type of proxy is a web proxy, which relays HTTP/HTTPS and sometimes FTP traffic.

No Proxy Server

The above image illustrates a normal, simplified TCP connection from a client to a remote server.

Proxy Server

The above image illustrates a simplified TCP connection from a client to a remote server through an open proxy server. As the illustration shows, a ‘middle man’, the proxy server, now sits between the client and the remote server.

Proxy servers have many uses in the security field. They are mainly used to hide the originator’s identity, implement access controls, bypass access controls, or monitor traffic. The most valuable use of an open proxy server to the ‘average Joe’ is hiding one’s identity and place of origin.

Open proxy servers are normally found on extensive lists hosted on various websites. The proxies are usually categorized as follows (names may vary):

  • Transparent Proxy — The originator’s IP address is forwarded in the X-Forwarded-For (XFF) HTTP header. This kind of proxy is no good if you wish to hide your identity or location. The destination server is not necessarily logging the X-Forwarded-For header, but you never know.
  • Anonymous Proxy — The originator’s IP address is not stored or forwarded by the proxy server; however, the proxy server does reveal that a proxy connection took place. This type of proxy is (in most cases) useful for hiding your identity or location.
  • Elite Proxy — Neither the originator’s IP address nor the fact that a proxy was used is revealed by the proxy server. This is the preferred type when hiding one’s identity or location.
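Seen from the destination server, these three categories map onto the proxy evidence left in the request headers, which is also what a server operator has to work with when triaging where a request really came from. The following added example (not from the article) applies that heuristic to constructed requests: an X-Forwarded-For header gives away a claimed originator (transparent), a Via header announces a proxy without the originator (anonymous), and a request with neither is indistinguishable from a direct client (elite). Reading ‘anonymous’ from a Via header, and the `elite-or-direct` label, are conventions I am assuming, not something the article states.

```javascript
// Added example, not from the original article: classify an incoming HTTP
// request, as seen by the destination server, by the proxy evidence in its
// headers. Mapping Via-without-XFF to "anonymous" and no evidence at all to
// "elite-or-direct" is a conventional assumption.

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function headerGet(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// X-Forwarded-For may carry a chain "client, proxy1, proxy2"; the first entry
// is the claimed originator. It is a claim, not a fact: any proxy or client
// can write this header, so log it alongside the real peer address.
function classifyRequest(peerIp, headers) {
  const xff = headerGet(headers, 'X-Forwarded-For');
  const via = headerGet(headers, 'Via');
  if (xff) {
    const claimedOrigin = xff.split(',')[0].trim();
    return { category: 'transparent', proxyIp: peerIp, claimedOrigin };
  }
  if (via) {
    return { category: 'anonymous', proxyIp: peerIp, claimedOrigin: null };
  }
  // Nothing in the headers: either a direct client or an elite proxy; the
  // server cannot tell which, so the peer address is all it can attribute to.
  return { category: 'elite-or-direct', proxyIp: null, claimedOrigin: peerIp };
}

// Constructed sample requests (documentation addresses, not real hosts).
const SAMPLE_REQUESTS = [
  { peer: '203.0.113.7', headers: { 'X-Forwarded-For': '198.51.100.23', 'Via': '1.1 proxy' } },
  { peer: '203.0.113.8', headers: { 'Via': '1.1 proxy' } },
  { peer: '203.0.113.9', headers: { 'User-Agent': 'Mozilla/5.0' } },
];

function classifyAll(requests) {
  return requests.map(r => classifyRequest(r.peer, r.headers));
}

for (const result of classifyAll(SAMPLE_REQUESTS)) console.log(result);
```

The practical takeaway for a server operator is the last branch: a request relayed through an elite proxy (or through an open proxy of the PPLive kind that adds no headers) carries nothing that points back past the proxy, so the peer address alone says only which proxy was used.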

Using Open Proxy Servers

Please note that depending on the country you reside in, or the country the proxy server resides in, using proxy servers may be illegal. Please take the time to research the legalities of using third-party proxy servers before using them. Another danger to be aware of when using open proxy servers is that they may be logging all traffic which passes through them. It is not advisable to do online banking, shopping, email, etc., when using proxies.

Once you are sure it is legal to do so, the first step is to find a proxy. The best place to do so is an online proxy list, or you can search for them yourself.

To search for them yourself, you can use the Nmap port scanner (http://nmap.org/) as illustrated below: (nmap -p 9415 chinese_ip_range)

Hinky Dink hosts proxy lists on his own website, which can be found here: http://www.mrhinkydink.com/proxies.htm

Once you have chosen a proxy, find the connection settings within your browser’s preferences. Below is a screenshot of a Firefox browser configured with a proxy server.

After clicking ‘OK’ and browsing to http://www.whatismyip.com, you can see that the browser is connecting via the ‘123.145.113.242:9415’ proxy server, as illustrated in the screenshot below:

As well as using open proxies, you can also use ‘Tor’ from The Tor Project. Tor is free, open-source, multi-platform software designed to keep you anonymous online.

“Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the US Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others.”

For further information on The Tor Project please visit, https://www.torproject.org

Conclusion

According to the official PPLive website, “PPLive has more than 200 million user installations”. If this is true, there are potentially the same number of open proxies within China. With that many open proxies in China, can you really blame the next attack on your server from a Chinese IP address on a Chinese citizen? I think not.

What implications does this have for the ‘Great Firewall of China’? It certainly won’t help the Chinese government censor its citizens.

I haven’t used PPLive myself, so I am not sure if there is an easy fix to the open proxy problem. It could be just a case of ticking a checkbox in its management interface, or setting up a firewall rule to only allow connections to TCP port 9415 from localhost.

Further Reading:

http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html

http://www.securityfocus.com/bid/47508/info