
Right now we have a great talk by Shubham Shah and Michael: Insecurity Through Censorship, Vulnerabilities Caused by the Great Firewall. Let's welcome them to the stage.
Thanks, Sylvia. Yes, so we're going to be talking about Insecurity Through Censorship, which covers some interesting behaviour and vulnerabilities that we found with the Great Firewall of China. For those who don't know us, we're the co-founders of Assetnote, an attack surface management company here in Australia. But let's get into the juicy stuff. Thanks, Mike. Yeah, so for us to actually understand what's going on with all of this, we're going to have to go a little bit into how DNS works generally, but for the first section we're really just going to talk about how we discovered this DNS poisoning in the first place.

Thinking about DNS, you have really four types of servers. You've got the root name servers, which have a static list of IPs; they tell us what the TLD name servers are. From there, the TLD name servers tell us what the authoritative name servers are, and the recursive DNS servers are actually just reaching out to the authoritative name servers. So this is a very simplified explanation of how DNS works, but this is the hierarchy you should be thinking about it in. We're mostly going to be talking about the authoritative name servers today. So if we take a look at what really happens in the life cycle of a DNS query: you've got your computer, which reaches out to the recursive resolver. The DNS resolver then reaches out to the root server, which gives us the address of the TLD server; the TLD server gives us the address of the authoritative server; and finally the authoritative server gives us the address of the website, or whatever record type it is it resolves to. What we're going to be talking about today is actually something that affects the authoritative server, so DNS is poisoned here. If you remember the Snowden leaks, there was a situation where Google's traffic was being intercepted and the SSL traffic was being removed; that's where they had this snaky little comment, "SSL added and removed here". In this case, China is poisoning the authoritative name servers.

So I guess maybe the first question is, how did we come across this? Well, it was 2021 and we started noticing that there were a lot of domains with the .cn suffix that were returning really bizarre results. Initially our minds jumped to the fact that maybe this is just because of unreliable DNS resolution, and we suspected that maybe the resolvers themselves were not responding consistently to our requests. We asked ourselves, is this something that is just due to inconsistent DNS load balancing, or is this a problem with the resolver? But given that we do hundreds of millions of resolutions a day, we didn't initially conclude that this issue was as widespread as it was. We initially just built some logic to filter out some of these erroneous resolutions, but we started thinking, is there something more nefarious going on here? As time went on, we saw this odd DNS resolution behaviour on more and more domains, some that didn't even have the .cn suffix. These DNS resolutions were all leading back to seemingly random IP addresses, which perplexed us even more. We started investigating this, and we found that these random IPs were coming really from the authoritative name servers. But we asked ourselves, did this issue affect anything more than the .cn suffix, and what was the common thread here? What led to this DNS poisoning that we were seeing?

So we started debugging this; we started looking at the responses coming back from some of these resolutions, just to see exactly where this was coming from. We asked ourselves, is this with the recursive resolver or the authoritative resolver? And we can see that as we walked the resolution tree, the fully qualified domain name delegated its name service to alibabadns.com. So you can see here that this specific DNS record returned an IP address, and that was being served by ns2.alibabadns.com. We tried to do multiple different resolutions to see how consistent this was, and it turns out that it was pretty consistent: just doing 10 resolutions, almost half of them were returning IP addresses that were unexpected. So this was really unreliable, unstable DNS resolution, but there was definitely some level of poisoning going on. We started digging a bit deeper, trying to create a minimally reproducible example, and we managed to distill it down to any DNS query specifically including the word "webproxy". Later we found out there's actually a really large list of keywords that leads to this DNS poisoning, but you can see here we're just doing the dig command with webproxy.sh against alibabadns.com, and we're seeing that a lot of these results returned are seemingly poisoned in some respect. We also suspected that this was isolated to a single DNS resolver; we thought that this might just be Alibaba or something like that, but we actually found that this was affecting a lot more than we initially thought, and even Cloudflare, which is a company that seemingly holds security in high regard, was also vulnerable to the same DNS poisoning attack. So yeah, even with Cloudflare you still get your DNS queries poisoned, and we could confirm that these keywords were actually the reason that this poisoning was taking place, because we tried to get records back for "weproxy" versus "webproxy", and we would see that only when web
question was this an issue with the recursive resolver or the authoritative resolver? Well, not really either, but something's really fishy at the authoritative name server level itself. If we attempt to resolve an entirely made-up domain against Cloudflare's resolvers with one of the keywords that we found leads to the poisoning, we still get a response, which means that whatever is doing this filtering or poisoning is quite greedy, and it doesn't really matter if the domain even exists. So now that we've identified that it's the authoritative name servers whose responses are being poisoned, we wanted to understand what IPs does it resolve to? Is there a pattern in these IPs? What exactly is triggering this poisoning, and what is actually going on here?

Well, we found that there's actually a large list of keywords that trigger this poisoning, and you can see some of these keywords here. You can start noticing a bit of a pattern: a lot of these keywords seem to be somewhat related to what you'd expect to be censored inside China. We have a full list of the DNS poisoning keywords on our blog as well, but we worked with another researcher, Eric, who had come across this issue independently, and he also shared a list of keywords he had identified that lead to this poisoning. Then the question about what IPs these resolve to: well, actually it's a huge list of networks. Over here you can see obviously some really large networks, like cloud platforms, Twitter and Dropbox, but really it was a very diverse set of IPs, and the diversity here is actually one of the reasons why this issue is readily exploitable in many ways as well.

So what we learned from all of this is that we confirmed that any domain that is using a name server hosted inside China was susceptible to DNS poisoning happening within China before it reaches the rest of the world. From our rough statistics, there are approximately 30 million domains in the .cn ccTLD alone, and this issue is a bit more widespread than that, because actually you can have name servers hosted in China without having the .cn ccTLD, so it may exceed that number. And it doesn't matter if you use Alibaba or Cloudflare or any of the other providers; as long as the name servers are actually hosted in China, the DNS responses are being poisoned. So naturally what we thought, coming from an offensive security background, is what can we do from an offensive security perspective now that we have this information? So in the next section I'm going to be talking a little bit about how we
exploited the client side, now knowing that we have DNS poisoning on 30 million domains. The first concept is really just taking advantage of the sinkholes. We know from our investigation that there are a number of different networks that these users are sinkholed to, and this is a really diverse set of networks, many being CDNs like Fastly or hosting providers, and others being outright odd, like Twitter and Meta. But we discovered that we could take advantage of these networks that these DNS records point to in order to host our own arbitrary content on any vulnerable domain. This means that we can perform client-side attacks on the 30 million domains I mentioned, and we're going to discuss two specific attack vectors with PoCs to exploit this relationship.

So the first thing is going through how Fastly works. Fastly is a CDN; if you point a subdomain to Fastly but you don't register it inside Fastly, you get this neat error message that just tells us that this domain is not registered. So naturally you can understand that if we're able to coerce any domain to go to a Fastly IP address, we may be able to just register it on Fastly and then serve our own content. This is pretty much perfect for our DNS poisoning attack, because we can serve arbitrary content for any subdomains that trigger the poisoning. So we first create a Fastly service and we add our target/victim domain; in this case I just added domain.cn. We add our server IP address, and then we disabled TLS to our host, just for convenience, to get this service up and running on Fastly. And then finally we end up with an exploit that looks something like this. So you can see that domain.cn is actually loading content from our website. We could load anything we want, like an arbitrary script or whatever it may be. Now this affects pretty much every .cn domain on the internet at the moment. So we're loading arbitrary content; it could be phishing pages, could be malicious content, could be a script, could be something even more nefarious than that, such as stealing HTTP-only cookies, because you are using Fastly at the end of the day and you are getting server-side processing in that case.

So the Fastly exploit, how it works, is that we create a thousand random subdomains with a suffix which has one of the keywords that is leading to the poisoning, and then we target whatever domain we want; in this case we targeted domain.cn. We progressively load all of this inside image tags, and we let the browser handle the DNS resolution of all these different random subdomains. When an image is successfully loaded, the onload handler is triggered, and then the second stage of the exploit can take place. So we can then do whatever second stage we want, which may be loading a phishing page, maybe stealing cookies, whatever it may be. But I just want to note that even though the demo that I showed earlier was very visible, all of this can happen quite invisibly inside your browser. So this is the example code. I'll pause a little bit here, but you can see it's quite simple; it's just doing exactly what I mentioned. It's pretty much generating those random subdomains, loading them up in a progressive manner, and using the onload handler to trigger the second stage of the exploit. All of this code is available on our blog post as well, so you can grab it there, and the exploit code for both of our PoCs is there.

So that brings us to the second exploitation vector: what if we weren't able to register a domain on Fastly? Is there something else we can do? Well, our security research team in 2023 discovered a reflected XSS in cPanel; we also published the PoC back then. cPanel is probably one of the most popular web control panels out there to exist. It was actually created the year I was born, that's how old it is, and it is basically everywhere. So if we found a single IP that was running cPanel from the poisoned IP list and vulnerable to this XSS, we now have an XSS on the target victim domain susceptible to the poisoning. So this is what this PoC looks like: just load it up and it will progressively load cPanel images, and then you've got the XSS firing. Now, as I mentioned earlier, this affects 30 million domains. I know it's just an XSS, but the scale of this is quite extreme. So you can see the XSS firing multiple times across many random domains. So yeah, basically any .cn domain is vulnerable to this. So the cPanel exploit, the way it works is quite similar: we create a thousand random subdomains with a specific prefix; one of those will resolve to a host running cPanel, and the image load will confirm it, and then we do the second stage of the exploit, which is the XSS. But essentially I think the biggest takeaway from this is that any XSS on any of the sinkholed domains or sinkholed IPs means you've got an XSS on your attack surface as well. The example code again is quite similar to the previous one and will also be available in our blog post.

Now that we've gone through the two different exploitation vectors, I do want to spend a little bit of time talking about the limitations here. Even though this is a very wide-impacting issue, there are some major limitations. On the Fastly technique, we can capture HTTP-only cookies, as we can run server-side code that logs the cookie, but in the cPanel XSS technique we can't do that, because we're limited to what's accessible by the client side and we can't access those HTTP-only cookies. Neither of these techniques can capture cookies that have got the Secure flag, because we can't generate an SSL certificate on these poisoned subdomains. Maybe it wasn't clear earlier, but every time you resolve one of these poisoned subdomains it returns a different IP address, which means that we can't just spin up SSL certificates for any of these poisoned subdomains quite easily. I'm sure it's possible, maybe a little bit of work; an exercise for the reader. But account takeover attacks are still possible if the Secure flag is not used and the HttpOnly flag is used and you've got a Fastly exploit, or it's not used and you've got the cPanel exploit. For further attack vectors, I think there's definitely a lot of potential here. The sinkholed IPs are quite extensive, it's hundreds of networks, so more exploits with claiming CDN infrastructure seem likely, and more XSS-related exploits also seem likely.
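The two cookie attributes the speakers say limit these attacks, Secure and HttpOnly, are easy to audit mechanically. The following is an added example, not code from the talk or from Assetnote: a small Set-Cookie auditor run over constructed sample headers. It also weighs in the Domain attribute, which the talk does not discuss but which the cookie spec (RFC 6265, section 5.1.3) makes decisive here: a cookie carrying a Domain attribute is sent to every subdomain of that domain, including a poisoned one, while a cookie with no Domain attribute is host-only and never reaches a subdomain at all, whatever its flags.

```python
"""Set-Cookie hygiene audit for the attributes that bound the DNS-poisoning attacks.

Added example, not code from the talk or from Assetnote. The sample headers are
constructed. Severity is "high" only when the cookie carries a Domain attribute,
because that is what makes it reach subdomains (RFC 6265 section 5.1.3); a
host-only cookie is still reported, but as "info", since a poisoned subdomain
never receives it.
"""
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed examples of what an application might send.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.example.cn",
    "session=abc123; Path=/; Domain=.example.cn; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/; Secure",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) map
    to True, valued attributes (Domain, Path, SameSite) keep their value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")  # first '=' only: values may contain '='
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> dict:
    """Report missing Secure / HttpOnly, rated by whether subdomains receive the cookie."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    shared = "domain" in attrs  # Domain attribute => sent to all subdomains
    level = "high" if shared else "info"
    findings: List[Finding] = []
    if "secure" not in attrs:
        findings.append((level, "missing Secure: also sent to plain-HTTP hosts, "
                                "which is where a poisoned subdomain may land"))
    if "httponly" not in attrs:
        findings.append((level, "missing HttpOnly: readable from document.cookie, "
                                "so script on the same origin can read it"))
    return {"name": cookie["name"], "shared_with_subdomains": shared, "findings": findings}


def audit_headers(headers: List[str]) -> List[dict]:
    return [audit_cookie(h) for h in headers]


def worst_severity(results: List[dict]) -> str:
    """Overall rating for a set of audited cookies: none, info or high."""
    order = {"none": 0, "info": 1, "high": 2}
    worst = "none"
    for result in results:
        for level, _ in result["findings"]:
            if order[level] > order[worst]:
                worst = level
    return worst


if __name__ == "__main__":
    results = audit_headers(SAMPLE_HEADERS)
    for r in results:
        scope = "domain-wide" if r["shared_with_subdomains"] else "host-only"
        print(f"{r['name']} ({scope}):", r["findings"] or "ok")
    print("overall:", worst_severity(results))
```

Feed it the Set-Cookie headers from a login response of any property whose zone is served from China; any "high" finding on a session cookie is exactly the case the speakers describe as still leading to account takeover.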
Even though we've only really disclosed two exploitation vectors today, I'm quite certain that there are many more. The biggest risk with this exploit is mainly phishing and brand defacement using official domain names belonging to your organisation, and there are many organisations that have a Chinese subsidiary or Chinese entity that are affected by this. Often even companies in Southeast Asia are using Chinese name servers to resolve their domains, so there's quite a broad impact here, but there are definitely more attack vectors to be found. Oh, there we go. Cool.

So we've gone through some of the technical exploitation that we've figured out in terms of potential attack vectors, but we wanted to take a step back, and once we understood this, think about why is this happening and what can we do about it. This came about through our development on our platform; we were observing this in customers' attack surfaces. So this is really the crux of what do we do about this. In terms of why this is happening, we don't know specifics, right, this is all very black box, but when you take a look at the keywords, most of them are related to proxies, VPNs, adult sites, sharing, things like that, and these are all things that are aligned with things that China has been known to censor. Also, putting that together with the enormous efforts that we know China does undertake in terms of censoring the internet inside their country and preventing access to various sites, could this be part of that mechanism? So we started to try to develop some theories, and the leading theory is really that this is related to censorship with respect to the Great Firewall inside China, and it's manipulating the DNS responses due to these blocked keywords, or things that they want to blacklist and censor. This affects any system that has to pass through the Great Firewall before it reaches the end user and the client. Based on the keywords collected, and, as I said, the limited information on how the censorship systems work in China, this is really the leading theory for us. But there are still a number of questions that need to be answered at this point: why are these subdomains appearing in passive DNS data sources, and why are the poisoned responses sinkholed to random blocks of IPs all over the world rather than just sinkholed to some non-functional IP?

So how did these end up in passive DNS data? This pollution is present in several passive DNS data sources. This means that the client has to be resolving these in order for these to be logged in the passive DNS sources. The data is not logged for all domains, but we have noticed it on more high-profile domains and company properties. We suspect maybe other security researchers analysing this issue, brute-forcing this stuff and trying to figure it out, is a potential reason for this. But the next question is a more interesting one: why do the poisoned records not sinkhole to a non-functional IP? That would seem to be more effective. Why is it going to all this randomised IP space, which is actual stuff that's in use by other companies? There's a great diversity in the networks that these poisoned records are pointing to, stuff like large social media networks, cloud platforms, CDNs, even random blogs. So our best guess is that these sinkholed IPs are not necessarily strategic; it's not intentional that they're pointing to anything specific. But given how many different networks are pointed to, a lot of what appears in those results are organisations that would typically own large amounts of IP address space. So the idea is that it's probably pretty random, and it just happens that these organisations already own large blocks of IP space. But as I said, it's kind of weird; you'd think it'd be a little bit more effective to just sinkhole this and effectively block it, if that's the idea.

And so is it possible that the filters are too greedy? Suppose we wanted to block a specific domain such as tracker.thepiratebay.org, but instead of just blocking that very specifically, maybe it's got some broader regex, imagining how this might be built. That aligns with what we're seeing coming back from the poisoned DNS responses; that's why we're seeing poisoning for non-existent domains. It's not necessarily specific, so it is likely some sort of greedy filtering that's going on, and it's most likely the reason for this poisoning on any domain with an authoritative name server hosted in China. And so while we do chuckle at the fact that some engineer may have designed this with a star on both sides of the regex, in a way this does support our theory that this behaviour is actually driven by censorship objectives; essentially they're trying to block as widely as possible and avoid vectors by which you can get around it. So this is an interesting thing when we think about this as censorship: what's interesting at the end of the day is the biggest risks are to the users that visit domains with name servers hosted in China, which is mostly going to be Chinese citizens, and Chinese companies and Chinese businesses that operate there. That's an unfortunate side effect of this, but since the poisoning is happening at, at least what we suspect is, the Great Firewall level, there's not much that the users themselves can actually do to prevent these attack vectors that we've demonstrated today. The other side of it as well is the list of keywords: we've got a bunch up on our blog from our research, but we could just be scratching the surface here. We don't know that we necessarily have the full corpus of what leads to this poisoning taking place, and presumably if it is censorship that's driving this, that could be changing all the time.

We did explore some potentially wilder theories; we put our tinfoil hats on. What if this is not censorship? What if this is a way to facilitate a never-ending supply of rotating infrastructure to support C2? As you may be aware, often bad guys, malware developers, use rotating domains to ensure that the C2 infrastructure is long-lived, and so in this case, with this technique, maybe China doesn't have to do that, where all the responses from these name servers hosted in China are being poisoned. We never actually worked out the exact algorithm for how these DNS resolutions are routed, so we don't know 100% if it's deterministic, but we're just scratching the surface here and I think we're just missing some knowledge. We're keen to explore it further. But coming back to the real world a little bit and taking our tinfoil hats off, realistically this is not any kind of serious
theory; it's most likely, based on everything that we've observed, that this is actually just part of the larger censorship infrastructure of the Great Firewall.

So what can we do about it? Unfortunately, this is not something that can be easily resolved. There are a number of challenges when you're hosting in China. I don't know if anybody's tried this, but you can't simply just sign up to any kind of Chinese cloud or hosting provider, even the Chinese versions of AWS or Azure and things like that. There is actually an extensive process that's required for hosting in China, regardless of which provider there is. If you wish to host within China, or provide any sort of goods and services, or have any kind of internet presence in China, you must apply for, obtain and hold a valid Chinese Internet Content Provider licence before anything can be hosted. This was put in place a while ago, but basically every internet property, whether it's commercial in nature or not, must have an ICP licence to operate in China, and in order to run a business and have any kind of internet presence, you have to have this first. So there are a number of prerequisites and requirements that you need to get this licence. The first is that you must have a domain name registered with a Chinese domain name registrar, you must have a server located inside China, and you must have a hosting provider that is licensed by the Chinese government. So you just can't rock up and host stuff easily, and this makes things a little bit interesting. Since this is a requirement of operating a business in China, it scopes in the DNS poisoning attacks that we've demonstrated to all companies that have an internet presence in China, and these requirements mean that, as we spoke about before, even companies like Cloudflare are kind of forced to follow these rules and host their name resolution infrastructure inside China, also making them susceptible to the DNS poisoning. All Chinese communications have to go through the Great Firewall, including any kind of critical infrastructure such as NTP servers, DNS servers, things like that. We also need to stress that the rest of the world still can, and in some cases still has to, communicate with this tainted infrastructure hosted in China.

And so can you host name servers out of China? That seems to be an obvious potential solution, but there are also practical concerns with this. If you're looking at doing business in China, having an internet presence in China, you've got other considerations as well, not just security. So if you're hosting, say, name servers outside of China, even if you're allowed to do that, you might end up with speed and reliability concerns and poor user experience for your customers inside China. So this just adds to the limitations and challenges here. Most businesses will optimise for all of their Chinese web properties to be hosted as much as possible within China itself; this is through conversations with companies that do operate there. And, just to stress the point, it's not necessarily just due to these requirements and these regulations, but rather so there's reliable access. The other point to make is that it's not just Chinese citizens and wholly owned Chinese business units that are at risk here. We've seen several very large organisations who choose authoritative name servers in China through cloud providers like Alibaba. This is particularly present in Southeast Asia, and so this means in some cases non-Chinese citizens are also adversely affected by these DNS poisoning attacks and can also be targeted.

So this really comes down to how do we balance, and this is the overarching theme here, the business objectives with the security objectives. China is a large and growing consumer market, and it's often a very strategic business decision, made at the highest levels, to enter and operate in that market, and generally speaking those guys are not going to be swayed by security or technical considerations. So that gets tricky if you're working at one of these organisations and you're thinking about how can I address this and mitigate this issue. Even really large companies, as we've shown, can't get around these strict requirements that go hand in hand with operating in China. So let's be honest here: no company is going to walk away from a profitable market just because of concerns over security. We'd probably like that, everybody in this room would, but we need to operate in the real world.

So what can we do? What are some of the mitigations? The obvious one that I mentioned earlier is you can locate your name servers out of China. This is the most obvious and the best mitigation, but it may only apply in certain instances where you don't have to adhere to some of these rules, or maybe you can get around it, and as I mentioned earlier there's also the downside that it could affect the speed and reliability of your services inside China. So it's not necessarily a reasonable option, but it is the best option if it is possible, because what we've determined is once your authoritative name server is hosted outside of China, the poisoning behaviour no longer happens, and thus the clients will no longer be exploitable in the manners that we've demonstrated today. The other side, which is a little bit more in your control, so less doom and gloom, is web security hygiene. Specifically for the attacks that we've demonstrated today, they can be seriously limited if basic web security hygiene is followed: things like enforcing the Secure flag on cookies so they're not accessible by web servers that are not being communicated with via HTTPS, and additionally enforcing HttpOnly so that a simple XSS vulnerability cannot be escalated to steal sensitive cookies. This is the sort of thing that you see on pentest reports, but in this case this can really limit the impact of some of these attacks that we demonstrated today. That said, while that helps mitigate some of those attacks, brand defacement and phishing are still a real and exploitable risk in this case.

We've observed this internally at Assetnote since about 2021, but realistically it's probably been going on longer than that. Companies with a web presence in China, like I've said, don't really have too many options for mitigating the risk of this research. So after we've dealt with this internally for a bit and spoken to our customers, who are also observing this, ultimately maybe the best course of action at this stage is just to raise awareness of this and get more eyes on it, and get other people thinking about this problem and what can be done about it. That's really the purpose of this presentation. So we do have a lot more detail that we've hosted on our website; you can go to dnsp po.com. We've also included a little testing tool that you can use inside the post, where you can put in a domain and see and confirm if it is potentially vulnerable to this poisoning.

We just wanted to close out with some thanks to some folks who helped us with this research: Eric, who shared the additional keywords and his own research that he independently came to on this DNS poisoning; Shauno, who helped us with some of the data analysis of the returned poisoned addresses; and also our customers, who we worked with, who contributed a number of valuable insights into the attack, but also specifically around the perspective of what we can do about it and the difficulties in mitigating the issue. And that's the end of it. Thanks, guys.
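The check the speakers describe, and which their testing tool automates, can be reproduced with a few lines: resolve a made-up subdomain that contains a trigger keyword against the domain's authoritative name server and see whether an answer comes back at all. The following is an added example, not the speakers' tool and not Assetnote code. It uses "webproxy", the keyword named in the talk, and runs offline here against a simulated resolver that mimics the behaviour described (keyword names answered roughly half the time with some in-use address, everything else NXDOMAIN); the domain "example.cn" and the addresses are constructed. It also goes one step past the talk by sending keyword-free control queries, so that a zone with a wildcard record is not mistaken for a poisoned one.

```python
"""Heuristic poisoning check for a domain whose authoritative name servers may sit
behind the Great Firewall.

Added example (not the speakers' testing tool). A random, never-registered
subdomain should come back NXDOMAIN from the zone's authoritative server. If random
labels containing a trigger keyword get A records while equally random labels
without it do not, names that do not exist are being answered, which is the
signature described in the talk. The lookup is injected so this runs offline
against a simulated resolver; for a live test, wrap a real query to the zone's NS
(for example dns.resolver.resolve from dnspython) and map NXDOMAIN to None.
"""
import random
import string
from typing import Callable, Optional

# fqdn -> IPv4 string, or None when the server answers NXDOMAIN / nothing
Resolver = Callable[[str], Optional[str]]

TRIGGER_KEYWORD = "webproxy"  # keyword the talk identifies as triggering poisoning


def random_label(rng: random.Random, length: int = 10) -> str:
    """A throwaway hostname label that no real zone is likely to contain."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def probe_domain(domain: str, resolve: Resolver, samples: int = 10, seed=None) -> dict:
    """Resolve `samples` keyword probes and `samples` keyword-free controls.

    Controls catch wildcard zones (*.domain), which answer for any name and would
    otherwise look exactly like poisoning.
    """
    rng = random.Random(seed)
    keyword_answers = 0
    control_answers = 0
    answered = []
    for _ in range(samples):
        control = f"{random_label(rng)}.{domain}"
        probe = f"{random_label(rng)}-{TRIGGER_KEYWORD}.{domain}"
        if resolve(control) is not None:
            control_answers += 1
        ip = resolve(probe)
        if ip is not None:
            keyword_answers += 1
            answered.append((probe, ip))
    return {
        "domain": domain,
        "samples": samples,
        "keyword_answers": keyword_answers,
        "control_answers": control_answers,
        "answered": answered,
    }


def verdict(report: dict) -> str:
    """Classify a probe report as clean, wildcard or poisoning-suspected."""
    if report["control_answers"] > 0:
        return "wildcard"  # zone answers for anything; the keyword probe proves nothing
    if report["keyword_answers"] > 0:
        return "poisoning-suspected"
    return "clean"


def simulated_resolver(poison_rate: float = 0.5, wildcard: bool = False, seed: int = 1) -> Resolver:
    """Constructed stand-in for a real lookup, reproducing the behaviour the talk
    describes: keyword names get an in-use-looking IP about half the time, and
    everything else is NXDOMAIN. Addresses are RFC 5737 documentation ranges."""
    rng = random.Random(seed)
    sinkholes = ["192.0.2.10", "198.51.100.7", "203.0.113.42"]

    def resolve(fqdn: str) -> Optional[str]:
        if wildcard:
            return sinkholes[0]
        if TRIGGER_KEYWORD in fqdn and rng.random() < poison_rate:
            return rng.choice(sinkholes)
        return None

    return resolve


if __name__ == "__main__":
    # "example.cn" is a constructed placeholder, not a domain tested by the speakers.
    report = probe_domain("example.cn", simulated_resolver(), samples=10, seed=42)
    print(verdict(report), report["keyword_answers"], "of", report["samples"], "keyword probes answered")
    for name, ip in report["answered"]:
        print(f"  {name} -> {ip}")
```

Because the talk reports that roughly half of the keyword queries come back poisoned and each answer carries a different address, a single query is not enough; ten probes per domain, as above, gives a stable signal, and the differing addresses in the "answered" list are themselves the tell.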
[Applause] Any questions for Shubs and Michael? There's one up the back waving. Can you guys see? It's so hard to see people in this audience. Great talk, really good. Yeah, wave again.
There we go. Firstly, that was an excellent talk. You have basically dived into something which is a problem I've had for a while running a Mastodon instance. There are endless jobs which basically fail because of bad resolution inside the .cn zones, so I'm definitely interested in comparing my error logs inside my software with the white list, I guess, the list that you've made. So thanks for that, and I'm going to try and see if I get any matches which aren't in your list; I'll send them your way. So thanks. I could barely hear that. We could barely hear that.

Sorry, yeah, well, okay, that.
Next. Hi, I have an observation about the use of public, actually in-use IP addresses. If they just used sinkhole IP addresses or unused IP addresses, then there would have been an OSINT leak of which domains they were interested in, so maybe they're using proper IP addresses that are routable because that provides less information about what they're doing. Yeah, I mean that could be a potential theory as to why they're doing that instead of just sinkholing it, but then again there's also the idea that, generally speaking, China's usually not very subtle with what it does with respect to censorship and other things like that. But yeah, that's definitely an interesting theory.

Running around for questions is a great workout. Are there possible mitigations through using, say, DNS over HTTPS? I think this is still affecting, I mean, DNS over HTTPS is still affected, so if you try and use, let's say, Google's DNS over HTTPS, when it does reach the authoritative name server it's still going to be poisoned if that authoritative name server is hosted within China. So I don't think that resolves it necessarily. I think the only real resolution of this issue that I have seen be successful is hosting your name server outside of China. So for example, if you try our attack on google.cn or facebook.cn, the reason it doesn't work there is because they're hosting their name servers outside of China. But that's the only real mitigation I've seen against it that's kind of foolproof. Yeah.

Are there any other questions? Oh, yep, one over on the left. Hey, have you tried testing what the behaviour is inside the firewall? So those IP addresses that are sinkholed, is it possible there's a second layer of maybe IP or router poisoning happening, and there's a reason why it's social media and US companies or anything like that? Yeah, that's a really good point. We haven't tried these attacks while being within China itself or Chinese infrastructure itself, but yeah, it could be going elsewhere. It's just from our experience so far, those lists of networks, you're right, are really diverse: social media sites and data centres and all sorts of different networks, and that's really where we've been asking questions around why these networks, in terms of what they're sinkholed to. But yeah, it could be different if you're within China. And we did explore that, but part of the reason that we haven't really gone ahead with that too much is for the reasons we outlined in the presentation of how difficult it is, more so how much of a pain in the ass it is to get anything up in China. We just couldn't be bothered after a certain point.

Basically, I want to ask: if the website is hosted in, let's say, Singapore but it is operated by Alibaba Cloud, will it still be affected or not? It would be affected if the Alibaba name server is hosted in China. Okay, thank you. And that is something that we have observed with companies in Southeast Asia that are, for all intents and purposes, not Chinese companies, but they are using, say, Alibaba and name servers hosted in China; they are affected by this. Any other questions? I can't see any. Okay, another big round of applause for Shubs and Michael. Thanks, guys.