Insecure Defaults In PPLiveAV Client ==================================== The Great Firewall is full of holes. >From http://www.synacast.com/en/ ... "PPLive has more than 200 million user installations and its active monthly user base (as of Dec 2010) is 104 million, i.e, PPLive has a 43% penetration of Chinese internet users. With its innovative user experiences, such as live chatting, and SNS, average viewing time per person per day has reach over 2 hours and 30 minutes, the highest stickiness among all China websites." The Intro ========= Anyone who has followed public proxy lists in the past year has noticed there are thousands of new open proxies listening on port 9415 listed every day. In the past year I have documented over 394,000 port 9415 proxies from these public lists. Geolocation of the IP addresses indicates they are widespread mostly in China but also in Taiwan, Macau, Hong Kong, and pockets of the US where Chinese is likely to be spoken. I initially suspected some kind of malware. Finding nothing in Google (searching for 9415 will get you a lot of proxy lists), I eventually started searching Baidu. The results were immediate. These proxies are built into the PPLiveAV client to retrieve an internal PAC (proxy autoconfiguration) file from the following URL: http://localhost:9415/tudouva.pac Replacing "localhost" with the IP of an active port 9415 proxy (if you can find one) will get you the PAC file, shown below: function FindProxyForURL(url, host){ if(isPlainHostName(host) || url.substring(0,5) != "http:" || shExpMatch(url,"http://localhost:*") || shExpMatch(url,"http://127.0.0.1:*")) return "DIRECT"; if(shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") || shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) { if(shExpMatch(url, "*hzplayer0.tudou.com*")) return "DIRECT"; else return "PROXY 127.0.0.1:9415"; } else return "DIRECT"; } Obviously, the proxy should be listening on 127.0.0.1 only, but in practice it listens on all interfaces. The Outro ========= It looks like there are 200 million open proxies in China, thanks to this software. Pick a Chinese IP address, scan for port 9415. You'll get one sooner or later. I don't consider this a 0day, since it's been going on for over a year. Responsible disclosure? meh. A little late for that. The fact is, they're pretty crappy proxies. More Info ========= http://proxyobsession.net/?p=1534 More Proxies ============ http://www.mrhinkydink.com/proxies.htm