Posted by Trancer on Jun 16 2009

As of June 1st, the Chinese government requires every personal computer sold in China to ship with, or have installed, the Green Dam Youth Escort censorware program. Three security researchers, Scott Wolchok, Randy Yao, and J. Alex Halderman of the University of Michigan, have released an analysis of the Green Dam censorware system, disclosing multiple vulnerabilities and weaknesses in it. You can read the whole story on the ZDNet Zero Day blog.
The vendor, Jinhui Computer System Engineering Ltd., has already patched the vulnerabilities, but you can still find vulnerable installations with Google if you want to test it.

One of the vulnerabilities disclosed in the security analysis is a remotely exploitable stack-based buffer overflow in the way Green Dam processes overly long URLs (OSVDB 55126). seer[N.N.U] posted a simple exploit for this vulnerability on milw0rm.
Here I present a Metasploit exploit module for Internet Explorer that exploits this stack-based buffer overflow in Green Dam 3.17. The module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd (loading an attacker-supplied .NET DLL through the browser so that executable code is mapped at a predictable address) and should bypass DEP/NX and ASLR.
I’ve tested this exploit successfully on the following platforms:
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3
– Internet Explorer 7, Windows Vista SP1
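The following C sketch is an added illustration and is not code from Green Dam, the milw0rm exploit or the Metasploit module. It contrasts the bug class the advisory describes (a URL copied into a fixed-size stack buffer with no length check) with a bounds-checked version, and shows how the four filler bytes that land on the saved return address are read back as one little-endian value, e.g. "$$$$" becoming 0x24242424. The buffer size, the distance to the return address, the function names and the "blocked" keyword are all assumptions made for the example.

```c
/* Added example, not Green Dam's or the exploit module's code.
 * URL_BUF_SIZE, RET_OFFSET and the "blocked" keyword are assumed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256   /* assumed stack buffer size; the real one is unknown */

/* Vulnerable pattern: unbounded strcpy into a stack buffer. Any URL of
 * URL_BUF_SIZE bytes or more runs past buf and, on x86, over the saved
 * return address of this frame. Kept only for comparison with the
 * hardened version; never call it with untrusted input. */
int url_is_blocked_vulnerable(const char *url)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);                       /* no bounds check */
    return strstr(buf, "blocked") != NULL;
}

/* Hardened version: refuse over-long URLs before copying and copy with an
 * explicit bound. Returns -1 when the URL is rejected, otherwise 0 or 1. */
int url_is_blocked_hardened(const char *url)
{
    char buf[URL_BUF_SIZE];
    const char *end = memchr(url, '\0', URL_BUF_SIZE);  /* terminator within bound? */
    if (end == NULL)
        return -1;                          /* too long: reject rather than truncate silently */
    size_t n = (size_t)(end - url);
    memcpy(buf, url, n);
    buf[n] = '\0';
    return strstr(buf, "blocked") != NULL;
}

/* The four bytes written over the saved EIP slot are read back by the CPU
 * as one little-endian 32-bit value: "$$$$" (0x24 x4) -> 0x24242424. */
uint32_t bytes_as_le32(const char *p)
{
    return (uint32_t)(unsigned char)p[0]
         | (uint32_t)(unsigned char)p[1] << 8
         | (uint32_t)(unsigned char)p[2] << 16
         | (uint32_t)(unsigned char)p[3] << 24;
}

/* Build an attacker-style over-long URL: a plausible prefix, filler up to
 * the (assumed) distance to the saved return address, then the four bytes
 * that will overwrite it. Returns the payload length, or 0 on bad sizes. */
size_t build_overlong_url(char *out, size_t out_size, size_t ret_offset,
                          const char *ret_bytes)
{
    const char *prefix = "http://";
    size_t plen = strlen(prefix);
    if (out_size < ret_offset + 4 + 1 || ret_offset < plen)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', ret_offset - plen);
    memcpy(out + ret_offset, ret_bytes, 4);
    out[ret_offset + 4] = '\0';
    return ret_offset + 4;
}

#define RET_OFFSET 300   /* assumed distance from buffer start to saved EIP */

int main(void)
{
    char url[1024];
    size_t len = build_overlong_url(url, sizeof url, RET_OFFSET, "$$$$");
    printf("payload length %zu, return slot would read 0x%08x\n",
           len, bytes_as_le32(url + RET_OFFSET));
    printf("hardened filter on payload: %d (-1 = rejected)\n",
           url_is_blocked_hardened(url));
    printf("hardened filter on short URL: %d\n",
           url_is_blocked_hardened("http://example.com/blocked"));
    return 0;
}
```

The hardened filter rejects the over-long URL outright instead of truncating it, so the bytes meant for the return address never reach the stack. A 64 KB aligned image mapped at 0x24240000 would contain the address 0x24242424 as long as it is larger than 0x2424 bytes, which is why a non-ASLR DLL at that base gives the overwritten return address somewhere useful to land.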

Download greendam_url.rb.
Also on Metasploit and milw0rm.

References:
OSVDB 55126

According to the latest Microsoft Security Intelligence Report, China is the world's leading country in malware distribution, so I guess they deserve some pwning :P

Categories: Exploits, Metasploit

9 Responses to “Green Dam URL Processing Buffer Overflow exploit (meta)”

  1. Spk says:

    I downloaded Green Dam from the lssw365 site (version 3.17) and can't reproduce the bug; no access violation or any other kind of exception occurs.
    And another question: in the exploit, why does the .NET binary load at image base 0x24240000?

  2. Trancer says:

    The software was silently patched by the vendor on June 13. It is still version 3.17, and there was no public notice.
    But the vulnerability can be leveraged in different ways, see – http://www.cse.umich.edu/~jhalderm/pub/gd/#add1

    The .NET binary is loaded at 0x24240000 because the return address is overwritten with $$$$, i.e. 0x24242424.

  3. [...] However, not only is the latest Green Dam v3.17 version still vulnerable to remotely exploitable flaws, but also, for over a week now a working zero day exploit (Exploit.GreenDam!IK; W32/GreenDam.A) has been circulating in the wild. [...]

  4. The Chinese government's pornography filtering software is vulnerable…

    France, with its ~65 million inhabitants, has ~33 million internet users. Recently, the law with many names (HADOPI, LCI, OLIVENNES…) was seriously disrupted by decision no. 2009-580 of the Constitutional Council; the …

  5. [...] Windows XP SP3 as well as IE7 and Windows Vista SP1", writes the security researcher in a blog entry. [...]

  6. spdr says:

    Hey, GJ on the vlc bug ;-) started releasing bugs recently ?

  7. Trancer says:

    @spdr Thanks bro’!
    A fully working exploit will be posted soon.

  8. [...] Recognize-Security | Green Dam URL Processing Buffer Overflow … [...]

  9. seer[N.N.U] says:

    Wow, this one is more complete~

    I posted the original exploit and was warned 1 week later…T_T

    Fortunately, Green Dam is not likely to be a mandatory install until today. It's a joke, just a joke ;-)
