
PPLiveAV Insecure Defaults

Posted Apr 20, 2011
Authored by mrhinkydink

PPLiveAV suffers from an insecure default vulnerability that has resulted in many open proxies being available.

tags | advisory
SHA-256 | 8792361e107fb76e1011f84afbf7b5ee794237e5428a4dfc25c74a5c3efa2287


Insecure Defaults In PPLiveAV Client
====================================

The Great Firewall is full of holes.

From http://www.synacast.com/en/ ...

"PPLive has more than 200 million user installations and its active
monthly user base (as of Dec 2010) is 104 million, i.e, PPLive has a 43%
penetration of Chinese internet users. With its innovative user
experiences, such as live chatting, and SNS, average viewing time per
person per day has reach over 2 hours and 30 minutes, the highest
stickiness among all China websites."

The Intro
=========
Anyone who has followed public proxy lists in the past year has noticed
there are thousands of new open proxies listening on port 9415 listed
every day. In the past year I have documented over 394,000 port 9415
proxies from these public lists. Geolocation of the IP addresses
indicates they are widespread mostly in China but also in Taiwan, Macau,
Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware. Finding nothing in Google
(searching for 9415 will get you a lot of proxy lists), I eventually
started searching Baidu. The results were immediate.

These proxies are built into the PPLiveAV client to retrieve an internal
PAC (proxy autoconfiguration) file from the following URL:

http://localhost:9415/tudouva.pac

Replacing "localhost" with the IP of an active port 9415 proxy (if you
can find one) will get you the PAC file, shown below:

    function FindProxyForURL(url, host){
        if(isPlainHostName(host) || url.substring(0,5) != "http:" ||
           shExpMatch(url,"http://localhost:*") ||
           shExpMatch(url,"http://127.0.0.1:*"))
            return "DIRECT";

        if(shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
           shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*"))
        {
            if(shExpMatch(url, "*hzplayer0.tudou.com*"))
                return "DIRECT";
            else
                return "PROXY 127.0.0.1:9415";
        }
        else
            return "DIRECT";
    }

Obviously, the proxy should be listening on 127.0.0.1 only, but in
practice it listens on all interfaces.
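
An added example, not part of the original advisory: a local audit that
parses `netstat -ano` output and reports TCP listeners on port 9415 that
are bound to anything other than a loopback address. The sample output,
addresses and PIDs below are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from the advisory).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:9415           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1780
  TCP    192.168.1.20:49812     203.0.113.7:80         ESTABLISHED     4312
  TCP    [::]:9415              [::]:0                 LISTENING       4312
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    addr, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(addr.strip("[]")), int(port)


def exposed_listeners(netstat_text, port=9415):
    """Return (address, pid) for TCP listeners on `port` not bound to loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, non-TCP rows and sockets that are not listening.
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, local_port = split_endpoint(fields[1])
        # 0.0.0.0, :: or a LAN address means remote hosts can connect;
        # only 127.0.0.0/8 and ::1 keep the proxy private to this machine.
        if local_port == port and not addr.is_loopback:
            findings.append((str(addr), int(fields[4])))
    return findings


if __name__ == "__main__":
    for addr, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"port 9415 bound to {addr} (PID {pid}): reachable from the network")
```

On a real host, feed the function the captured text of `netstat -ano`
instead of the constructed sample.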


The Outro
=========
It looks like there are 200 million open proxies in China, thanks to
this software. Pick a Chinese IP address, scan for port 9415. You'll
get one sooner or later. I don't consider this a 0day, since it's been
going on for over a year. Responsible disclosure? meh. A little late
for that.

The fact is, they're pretty crappy proxies.


More Info
=========
http://proxyobsession.net/?p=1534


More Proxies
============
http://www.mrhinkydink.com/proxies.htm