New Findings on Wallbleed Vulnerability Expose Aspects of China’s Great Firewall

A recent investigation into a memory-dumping vulnerability, known as Wallbleed, has provided insights into the workings of China’s Great Firewall (GFW). The research team, consisting of eight security experts and academics, began its analysis in October 2021 and has now shared its findings.

Wallbleed, named after the infamous Heartbleed bug, is a memory-leaking issue that reveals up to 125 bytes of data from the GFW’s equipment. Although this vulnerability does not expose sensitive secrets, it marks a significant discovery within the GFW, which is designed to censor internet content entering China.

Understanding the Great Firewall

The GFW, initiated in the late 1990s, employs various techniques to block access to foreign websites and monitor online activities of Chinese citizens. The Wallbleed vulnerability resides within the DNS injection subsystem, which generates fake DNS responses when users attempt to access restricted sites.

When a user in China tries to visit a banned website, their device sends a DNS request to obtain the site’s IP address. The GFW intercepts this request and returns a forged response, directing the user to a non-existent IP address, effectively blocking access.

Details of the Vulnerability

The vulnerability is triggered by a flaw in the DNS query parser, allowing it to unintentionally return extra memory data under specific conditions. By crafting a particular DNS query, researchers can extract up to 125 bytes of memory from the censorship infrastructure.
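The article does not spell out the exact parser flaw, so the following added example (not code from the report or from the GFW) illustrates the general Heartbleed-style class it belongs to: a length field inside a DNS query that a parser must check against the bytes actually received. The function name, constants, and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* fixed DNS header size */
#define MAX_LABEL   63   /* RFC 1035 label limit */
#define MAX_NAME    255  /* RFC 1035 limit on the encoded name */

/* Parse the QNAME starting at pkt[off] into a dotted string. Every length
 * byte is checked against the bytes actually received (pkt_len), not against
 * the size of the receive buffer. Returns bytes consumed, or -1 if malformed. */
int parse_qname(const uint8_t *pkt, size_t pkt_len, size_t off,
                char *out, size_t out_cap)
{
    size_t pos = off, w = 0;

    if (out_cap == 0) return -1;
    for (;;) {
        if (pos >= pkt_len) return -1;           /* ran out before the zero label */
        uint8_t len = pkt[pos++];
        if (len == 0) break;                     /* root label ends the name */
        if (len > MAX_LABEL) return -1;          /* pointer/reserved bits in a query */
        if (len > pkt_len - pos) return -1;      /* label claims more than was received */
        if (pos + len - off >= MAX_NAME) return -1;
        if (w + len + 2 > out_cap) return -1;    /* room for '.', label and NUL */
        if (w) out[w++] = '.';
        memcpy(out + w, pkt + pos, len);
        w += len;
        pos += len;
    }
    out[w] = '\0';
    return (int)(pos - off);
}

/* Constructed sample: 12-byte header, "example.com", QTYPE A, QCLASS IN. */
static const uint8_t good_query[] = {
    0,0,0,0,0,1,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1,0,1 };
/* Constructed sample: the length byte says 50 but only 3 bytes follow. */
static const uint8_t short_query[] = {
    0,0,0,0,0,1,0,0,0,0,0,0, 50,'a','b','c' };

int main(void) {
    char name[256];
    printf("%d\n", parse_qname(good_query, sizeof good_query, DNS_HDR_LEN, name, sizeof name));
    printf("%d\n", parse_qname(short_query, sizeof short_query, DNS_HDR_LEN, name, sizeof name));
    return 0;
}
```

A parser that omits the `len > pkt_len - pos` check and then echoes the parsed name into its response is what turns a truncated query into a leak of adjacent memory.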

Despite the limited data revealed, the findings from Wallbleed have contributed to a better understanding of the GFW’s architecture and operation. Researchers monitored the GFW’s activities from October 2021 to March 2024, observing two patch attempts in September-October 2023 and March 2024.

Impact and Implications

The research indicates that the vulnerable middleboxes within the GFW can capture traffic from millions of IP addresses across China. This raises concerns about user privacy and the potential for severe violations of confidentiality.

The Great Firewall Report, which documented these findings, emphasizes that while censorship is a primary function of the GFW, the implications of such vulnerabilities extend beyond censorship to user privacy.

For further technical details, the full report is available here.