A team of eight researchers discovered the Wallbleed vulnerability in the Golden Shield system, better known as the Great Firewall of China. Starting in 2021, they exploited it continuously in order to learn how a system about which very little is publicly known actually works.
The vulnerability is named after Heartbleed, the OpenSSL bug discovered more than a decade ago. Like Heartbleed, it is a memory disclosure bug: the affected device reads past the bounds of the data it was handed and sends that memory back to the requester. The researchers were able to make the Chinese equipment disclose at most 125 bytes of its memory per response, but they could repeat the request as often as they liked. The Golden Shield system is designed to block information banned in China and slow down foreign traffic. It began operating in the 1990s and has become increasingly sophisticated over the years, using a variety of methods to monitor users' online activity and filter information.
Wallbleed was found in the DNS injection subsystem, which is responsible for generating forged DNS responses. When a user in China tries to reach a blocked site, their computer first asks DNS for the IP address belonging to the site's domain so that a connection can be established. The Golden Shield, which sits on the path and inspects that request, answers it with a forged response containing an IP address unrelated to the requested site. Because the forged answer arrives before the real one, the user's computer accepts it, and from the user's perspective access is simply blocked.
With a specially crafted request, the system returned not only the forged IP address but also up to 125 bytes of additional data. Those bytes came from the memory of whichever injection device inspected the request and decided to block it based on its contents, so each crafted request captured up to 125 bytes of memory from a machine inside the system. The researchers observed that a given user's queries are handled by at least three DNS injection devices operating in parallel, and DNS injection is only one layer: other subsystems step in if the user somehow obtains the correct IP address anyway.
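The injection-and-overrun mechanism described above, as an added example that is not part of the original article and not the firewall's own code (which has never been published): a simplified Python model in which a DNS injector parses the question name out of its receive buffer and echoes it back in a forged answer. The bytes that follow the query in the buffer (ADJACENT_MEMORY, here the tail of a previous query) are constructed for this example, and the function names, the truncation offset and the forged address 203.0.113.7 are the example's own. The unchecked parser trusts each label length byte and walks straight into neighbouring memory, so the forged response carries stale data that was never in the query; the checked parser bounds every read by the packet length and drops the malformed query instead.

```python
"""Model of an out-of-bounds read in a DNS injector's name parser (example code)."""
import struct

# Constructed stale memory sitting right after the received query in the
# injector's buffer: the tail of an earlier query for www.youtube.com followed
# by zeroed space. Made up for this example; not real leaked data.
ADJACENT_MEMORY = b"\x03www\x07youtube\x03com\x00\x00\x01\x00\x01" + b"\x00" * 300

HEADER_LEN = 12
FAKE_IP = bytes([203, 0, 113, 7])  # TEST-NET-3 address standing in for the forged answer


def build_query(labels, truncate_to=None, txid=0x1234):
    """Minimal DNS query: header plus one A/IN question.

    If truncate_to is set, the packet is cut at that offset. Cutting inside a
    label yields a query whose last length byte promises more bytes than remain,
    which is the shape of input that trips the unchecked parser.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    packet = header + qname + struct.pack(">HH", 1, 1)
    return packet if truncate_to is None else packet[:truncate_to]


def parse_qname_unchecked(memory, packet_len, pos):
    """Vulnerable model: trusts each length byte and never compares the running
    offset against packet_len, so it keeps reading whatever follows the packet."""
    name = b""
    while True:
        length = memory[pos]
        name += memory[pos:pos + 1 + length]
        pos += 1 + length
        if length == 0:
            return name, pos


def parse_qname_checked(memory, packet_len, pos):
    """Hardened model: every read is bounded by the length of the packet."""
    name = b""
    while True:
        if pos >= packet_len:
            raise ValueError("name runs past end of packet")
        length = memory[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        if pos + 1 + length > packet_len:
            raise ValueError("label runs past end of packet")
        name += memory[pos:pos + 1 + length]
        pos += 1 + length
        if length == 0:
            return name, pos
        if len(name) > 255:
            raise ValueError("name too long")


def inject_response(query, adjacent, checked):
    """Model of the injector: parse the question out of the receive buffer and
    echo it in a forged A record. Returns None when the hardened path rejects."""
    memory = query + adjacent  # what the device's buffer looks like in memory
    parser = parse_qname_checked if checked else parse_qname_unchecked
    try:
        name, end = parser(memory, len(query), HEADER_LEN)
        if checked and end + 4 > len(query):
            raise ValueError("question section truncated")
    except ValueError:
        return None
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    question = name + memory[end:end + 4]  # QTYPE/QCLASS read right after the name
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + FAKE_IP
    return header + question + answer


def leaked_bytes(query, response):
    """Bytes of the response's question section that were never in the query."""
    if response is None:
        return b""
    present = len(query) - HEADER_LEN  # how much of the question the query held
    _, end = parse_qname_checked(response, len(response), HEADER_LEN)
    return response[HEADER_LEN:end + 4][present:]


def labels_of(name):
    """Split a wire-format name into its labels (for display)."""
    out, pos = [], 0
    while name[pos]:
        out.append(name[pos + 1:pos + 1 + name[pos]])
        pos += 1 + name[pos]
    return out


if __name__ == "__main__":
    crafted = build_query([b"example", b"com"], truncate_to=16)  # ends after "\x07exa"
    resp = inject_response(crafted, ADJACENT_MEMORY, checked=False)
    print("leaked:", leaked_bytes(crafted, resp))
    print("echoed name:", labels_of(resp[HEADER_LEN:]))
    print("hardened path returns:", inject_response(crafted, ADJACENT_MEMORY, checked=True))
```

The crafted query ends four bytes into a label that claims to be seven bytes long. The unchecked parser fills the missing three bytes from the adjacent buffer and then keeps walking the stale labels it finds there, so the echoed name becomes `exa\x03www.youtube.com` and the QTYPE/QCLASS it copies are also foreign bytes. Every byte the injector sends back beyond what the query contained is a disclosure, which is exactly what the checked parser prevents by refusing any read that would cross the packet boundary.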
Wallbleed is not the first vulnerability found in China's blocking system. In 2010, a Twitter (now X) account published a one-line script that, thanks to a similar flaw in the DNS injector, pulled 122 bytes of additional data out of a device's memory. The Wallbleed discoverers exploited their vulnerability continuously from October 2021 to March 2024. The first variant, Wallbleed v1, was patched by the firewall's operators around September-October 2023; the researchers soon found a second variant, Wallbleed v2, which was finally closed in March 2024.
The researchers used the vulnerability to learn a few things about the Golden Shield hardware, about which virtually nothing is known. Specifically, they found that leaked data stayed in a device's memory for anywhere from zero to five seconds, and that the devices run on x86_64 CPUs. They also found that the vulnerable intermediate nodes processed traffic from hundreds of millions of Chinese IP addresses, which is to say virtually the entire country.