
A bug in Chinese video streaming software leads to mass open proxies on the web


A security blogger has uncovered a flaw in the Chinese PPLive video streaming software. A new port, TCP port 9415, was appearing regularly on websites that list open proxies. Most of these open proxies were based in China. However, some were based in Taiwan and Hong Kong, and a small number were in the United States. Within a year, more than 394,000 instances of open proxies listed with TCP port 9415 open were documented.

There was reason to suspect some kind of malware at play. English-language websites offered little information, so Hinky Dink, the blogger who uncovered the open proxy port, started searching Chinese-language websites such as Baidu with the help of translation software.

PPLive Open Proxy Vulnerability

After further research, the flaw seemed to be associated with a piece of software called PPLive developed by a Chinese company called PPLive, Inc.

According to the PPLive, Inc official website, “PPTV online TV gains its popularity among netizens and is the world’s mostly installed streaming media software for online TV. It supports “live + on demand” function of massive HD video programs. It is available for viewing online entertainment video such as the film, TV drama, cartoon, variety show, sports live, e-games and financial information. Through advanced transmission technology of P2P, customers could enjoy the perfect experience of more viewers more fluent.”

http://www.synacast.com/article/29/

A quick whois on the synacast.com domain reveals it is owned by the Synacast Corporation based in Shangha Shi (Shanghai), China.

The PPLive client expected a PAC (proxy auto-configuration) file from its localhost (127.0.0.1). The PAC file is a JavaScript file originally designed by Netscape to enable web browsers to automatically choose the appropriate server when fetching a given URL.

The URL would have looked like the following:

http://localhost:9415/tudouva.pac

The PAC file name ‘tudouva’ refers to a YouTube-style Chinese site located at http://www.tudou.com.
The ‘tudouva.pac’ file contains the following source code:

[Image: PPLive source code]

Screenshot of ‘tudouva.pac’ file loaded in a browser:

[Screenshot: tudouva.pac loaded in a browser]

TCP port 9415 should accept connections only from the local machine (127.0.0.1), but in reality the listener is bound to all interfaces (0.0.0.0) and accepts connections from anywhere. This allows the machine to be used as an open proxy by anyone who knows its IP address and port.
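One way to check a host for this misconfiguration, as an added example that is not from the original article or from PPLive: the Python below parses `netstat -ano`-style output and flags any listener on port 9415 that is bound to something other than loopback. The sample output, PIDs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano`; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9415           0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:5037         0.0.0.0:0              LISTENING       2210
  TCP    [::]:9415              [::]:0                 LISTENING       4321
  TCP    [::1]:8307             [::]:0                 LISTENING       1800
  TCP    192.168.1.20:50112     203.0.113.5:443        ESTABLISHED     1000
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def bind_scope(addr):
    """Describe who can reach a listener bound to this local address."""
    if addr.is_loopback:
        return "loopback-only"
    if addr.is_unspecified:          # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    return "single-interface"

def listeners(netstat_text):
    """Yield (port, local_ip, pid, scope) for each TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue                 # skips the header and non-listening sockets
        addr, port = split_endpoint(fields[1])
        yield port, str(addr), int(fields[4]), bind_scope(addr)

def exposed(netstat_text, port=9415):
    """Listeners on `port` that are reachable from other hosts."""
    return [entry for entry in listeners(netstat_text)
            if entry[0] == port and entry[3] != "loopback-only"]

if __name__ == "__main__":
    for port, ip, pid, scope in exposed(SAMPLE_NETSTAT):
        print(f"port {port} bound to {ip} by PID {pid}: {scope}")
```

A listener that shows up as `127.0.0.1:9415` is the behaviour the article says the software should have had; the two wildcard entries in the sample are the exposed case.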

What are Proxies?

An ‘open proxy server’ (there are other types) is software which accepts connections and forwards them on to their destinations, while at the same time sending the destination’s response back to the originator. The most common type of proxy is a web proxy, sending and receiving HTTP/S and sometimes FTP communications.

Proxy servers have many uses in the security field. They are mainly used to hide the originators’ identity, implement access controls, bypass access controls or to monitor traffic. The most valuable use of an open proxy server to the ‘average Joe’ is to hide one’s identity and place of origin.

Normally open proxy servers can be found on extensive lists which are hosted on various websites online. The proxies are normally categorized as follows (names may vary):

  • Transparent Proxy — The originator’s IP address is forwarded within the X-Forwarded-For (XFF) HTTP header. This kind of proxy is not good if you wish to hide your identity or location. It does not necessarily mean the destination server is logging the X-Forwarded-For HTTP header, but you never know.
     
  • Anonymous Proxy — The originator’s IP address is not stored or forwarded by the proxy server; however, the proxy server logs that a proxy connection took place. This type of proxy is (in most cases) useful for hiding your identity or location.
     
  • Elite Proxy — Neither the originator’s IP address nor the fact that a proxy was used is stored by the proxy server. This type of proxy is the preferred proxy when hiding one’s identity or location.

Using Open Proxy Servers

Please note that, depending on the country you reside in or the country the proxy server resides in, using proxy servers may be illegal. Please take the time to research the legalities of using third-party proxy servers before using them. Another danger to be aware of when using open proxy servers is that they may be logging all traffic which passes through them. It is not advisable to do online banking, shopping, email, etc. when using proxies.

Once you are sure it is legal to do so, the first step is to find a proxy. The best place to look is an online proxy list, or you can search for them yourself.

To search for them yourself, you can use the Nmap port scanner (http://www.nmap.org/), as illustrated below (nmap -p 9415 chinese_ip_range):

[Screenshot: Nmap scan output]

Hinky Dink hosts proxy lists on his own website, which can be found here: http://www.mrhinkydink.com/proxies.htm

Once you have chosen a proxy, find the connection settings within your browser’s preference settings. Below is a screenshot of a Firefox browser configured with a proxy server.

[Screenshot: Firefox proxy settings]

After clicking ‘OK’ and browsing to http://www.whatismyip.com, you can see that the browser is connecting via the ‘123.145.113.242:9415’ proxy server, as illustrated in the screenshot below:

[Screenshot: whatismyip.com result]
