June 24th, 2009

Remote code execution exploit for Green Dam in the wild

Posted by Dancho Danchev @ 7:52 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Exploit code, Governments, Hackers, Malware, Metasploit, Patch Watch, People's Republic of China, Vulnerability research, Zero-day attacks

Tags: Web, Flaw, Buffer, Web Site, Security, Viruses And Worms, Marketing, Internet, Dancho Danchev

Green Dam, the Chinese censorware recently exposed as vulnerable to trivial remotely exploitable flaws, has silently patched the security flaws outlined in the original analysis detailing the vulnerabilities (China confirms security flaws in Green Dam, rushes to release a patch).

However, not only does the latest Green Dam version, v3.17, remain vulnerable to remotely exploitable flaws, but a working zero-day exploit (Exploit.GreenDam!IK; W32/GreenDam.A) has also been circulating in the wild for over a week now.

Here are more details on the remote code execution flaw in the latest version:

“Green Dam intercepts Internet traffic using a library called SurfGd.dll. Even after the security patch, SurfGd.dll uses a fixed-length buffer to process web site requests, and malicious web sites can still overrun this buffer to take control of execution. The program now checks the lengths of the URL and the individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer. An attacker can compromise the new version by using both a very long URL and a very long “Host” HTTP header. The pre-update version 3.17, which we examined in our original report, is also susceptible to this attack.”
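The length-check gap described in the quoted analysis, as an added example that is not from this post or from the report it quotes: a C sketch of a per-field check that bounds the URL and the Host header separately, next to a builder that bounds their assembled length. The buffer and field sizes are constructed, and the function names and request format are assumptions made up for the illustration, not SurfGd.dll's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes for illustration; the real SurfGd.dll limits are not given in the post. */
#define REQ_BUF_SIZE 1024
#define MAX_URL_LEN   900
#define MAX_HDR_LEN   900

/* Mirrors the patched check as the quoted analysis describes it: each field is
 * bounded on its own, but nothing bounds their sum, so two fields that each
 * pass can still add up to more than REQ_BUF_SIZE. */
int per_field_check_accepts(const char *url, const char *host)
{
    return strlen(url) <= MAX_URL_LEN && strlen(host) <= MAX_HDR_LEN;
}

/* Corrected form: compute the assembled length first, refuse the request when
 * it would not fit, and write with an explicit bound. Returns 0 on success,
 * -1 when the request is rejected. */
int build_request_safe(char *out, size_t out_size, const char *url, const char *host)
{
    static const char fmt[] = "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n";
    size_t fixed = sizeof(fmt) - 1 - 4;                   /* format text minus the two "%s" */
    size_t need = fixed + strlen(url) + strlen(host) + 1; /* plus terminating NUL */
    if (strlen(url) > MAX_URL_LEN || strlen(host) > MAX_HDR_LEN || need > out_size)
        return -1;
    int n = snprintf(out, out_size, fmt, url, host);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;   /* reject any truncation too */
}

/* Returns 1 when the per-field check would let a request through that the
 * bounded builder refuses, i.e. exactly the gap the analysis describes. */
int checks_disagree(const char *url, const char *host)
{
    char buf[REQ_BUF_SIZE];
    return per_field_check_accepts(url, host) &&
           build_request_safe(buf, sizeof buf, url, host) != 0;
}

/* Constructed inputs: two fields that each pass the per-field limit. */
int demo_long_fields(void)
{
    char url[801], host[801];
    memset(url, 'a', 800); url[800] = '\0';
    memset(host, 'b', 800); host[800] = '\0';
    return checks_disagree(url, host);   /* 1: accepted individually, too long together */
}
/* Constructed inputs: an ordinary request that both checks accept. */
int demo_normal(void) { return checks_disagree("/index.html", "example.com"); }  /* 0 */
```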

According to Green Dam’s official web site, the latest 3.17 version, which still remains exploitable, has already been downloaded 426,138 times. Combined with raw data on over 7,172,500 downloads of the previously vulnerable version, the current situation could easily turn the “Great Botnet of China” from theory into practice if the exploit ends up embedded within a web malware exploitation kit.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 3)

Like Windows?
If being the only target of malware made Windows stronger, why is Windows not yet invulnerable?
Are they selling Red Flag Linux PCs with Green Dam?...
Posted by: epcraig, 06/25/09
