Smart folks investigating a memory-dumping vulnerability in the Great Firewall of China (GFW) finally released their findings after probing it for years.
The eight-strong team of security pros and academics found the data-leaking flaw, and started using it to learn about the GFW’s inner workings in October 2021. It named the flaw Wallbleed after the Heartbleed disaster in OpenSSL.
To clear things up right from the start, this is no Heartbleed. Yes, it’s a memory-leaking bug, specifically an out-of-bounds read, but the team was only able to get it to reveal up to 125 bytes of memory from the firewall’s equipment per forged response. Wallbleed is not something that can be used to unearth the deepest secrets locked up by the Middle Kingdom, but still… finding a bug in the GFW is a pretty cool thing.
The GFW is Beijing’s method for censoring internet content that flows into China. The project began in the late nineties and has become more complex as the years have rolled by. Its primary purpose is to block Chinese citizens from visiting certain foreign websites and to slow the permitted internet traffic that flows between China and foreign countries. It employs various techniques to monitor netizens’ online activities and censor their view of the internet and the wider world.
Wallbleed is within the DNS injection subsystem of the GFW, which is responsible for generating forged DNS responses when a user inside China tries to visit banned websites. This subsystem lives in a fleet of government-operated machines at China’s network border, watching for DNS queries.
When a citizen tries to go to a verboten site, their device requests via DNS the IP address of the site’s domain so that a connection to it can be established. The GFW detects and intercepts this DNS query, and sends a DNS response back to the user with a bogus IP address leading to nowhere. Thus, as far as the user is concerned, access is blocked.
The vulnerability itself is a bug in the GFW’s DNS query parser that, under specific conditions, unintentionally copies up to 125 bytes of extra memory into the forged response sent back to the client. The leaked bytes come from whichever censorship middlebox inspected that particular query, so by carefully crafting a DNS query, you can grab up to 125 bytes of memory from the machine that handled it.
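The article only says the flaw is an out-of-bounds read in the query parser that ends up in the forged response; the GFW’s code is not public, and the exact conditions that trigger Wallbleed are in the paper, not here. The following is an added illustration of the bug class rather than the GFW’s own logic: a DNS-injector style routine that copies the QNAME from a query into the response it forges, first trusting each label-length byte without checking it against the packet length, then hardened so every read stays inside the packet. The query bytes, the 40 bytes of “neighbouring memory”, the function names and the trigger (a truncated query whose last label claims more bytes than remain) are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* id, flags, qd/an/ns/ar counts */
#define MAX_QNAME   255  /* RFC 1035 limit on a wire-format name */

/* Vulnerable (constructed, not the GFW's code): walks the QNAME labels
 * trusting each length byte and never compares the running offset with
 * pkt_len. A query whose last label claims more bytes than remain makes
 * memcpy read past the packet into whatever sits next to it in memory,
 * and those bytes are then echoed back inside the forged response. */
static size_t copy_qname_vulnerable(const uint8_t *buf, size_t pkt_len,
                                    uint8_t *out, size_t out_cap)
{
    size_t i = DNS_HDR_LEN, n = 0;
    (void)pkt_len;                        /* the bug: packet length is ignored */
    for (;;) {
        uint8_t len = buf[i++];
        if (n + 1 + len > out_cap)
            return 0;                     /* only the output buffer is guarded */
        out[n++] = len;
        if (len == 0)
            return n;
        memcpy(out + n, buf + i, len);    /* may copy from beyond the packet */
        n += len;
        i += len;
    }
}

/* Hardened: every read is checked against pkt_len before it happens, label
 * lengths are limited to the 0..63 range RFC 1035 allows (which also rejects
 * 0xC0 compression pointers), and a name that does not terminate inside the
 * packet is rejected by returning 0 instead of being copied. */
static size_t copy_qname_hardened(const uint8_t *buf, size_t pkt_len,
                                  uint8_t *out, size_t out_cap)
{
    size_t i = DNS_HDR_LEN, n = 0;
    if (out_cap > MAX_QNAME)
        out_cap = MAX_QNAME;
    for (;;) {
        if (i >= pkt_len)
            return 0;                     /* length byte must lie inside the packet */
        uint8_t len = buf[i++];
        if (len > 63)
            return 0;
        if (len > pkt_len - i)
            return 0;                     /* label bytes must lie inside the packet */
        if (n + 1 + len > out_cap)
            return 0;
        out[n++] = len;
        memcpy(out + n, buf + i, len);
        n += len;
        i += len;
        if (len == 0)
            return n;
    }
}

/* Constructed demo memory: a 17-byte query (header + "\x03www" + a length
 * byte of 40) that is cut off before the name terminates, followed by 40
 * bytes standing in for unrelated data the injector happened to hold next
 * to it, then a zero byte. Keeping everything in one array is what makes
 * the over-read well defined here; on a real middlebox it would hit
 * whatever was adjacent, such as other users' traffic. */
#define PKT_LEN  17
#define LEAK_LEN 40
static uint8_t demo_mem[PKT_LEN + LEAK_LEN + 1];
static const char neighbour[] = "stale query 10.0.0.7 -> example.org ....";
_Static_assert(sizeof neighbour - 1 == LEAK_LEN, "neighbour must be LEAK_LEN bytes");

static void build_demo(void)
{
    static const uint8_t query[PKT_LEN] = {
        0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,  /* header, QDCOUNT=1 */
        3, 'w', 'w', 'w', LEAK_LEN };                         /* truncated QNAME */
    memcpy(demo_mem, query, PKT_LEN);
    memcpy(demo_mem + PKT_LEN, neighbour, LEAK_LEN);
    demo_mem[PKT_LEN + LEAK_LEN] = 0;                         /* stops the walk */
}

/* Returns the number of name bytes the vulnerable parser would echo back;
 * *leaked is set to 1 if the copy contains the neighbouring memory verbatim. */
static size_t demo_vulnerable(int *leaked)
{
    uint8_t out[MAX_QNAME];
    build_demo();
    size_t n = copy_qname_vulnerable(demo_mem, PKT_LEN, out, sizeof out);
    *leaked = n >= 5 + LEAK_LEN && memcmp(out + 5, neighbour, LEAK_LEN) == 0;
    return n;
}

/* Same truncated query through the hardened parser: expected to be rejected. */
static size_t demo_hardened(void)
{
    uint8_t out[MAX_QNAME];
    build_demo();
    return copy_qname_hardened(demo_mem, PKT_LEN, out, sizeof out);
}

/* A well-formed query for example.com (QNAME + QTYPE A + QCLASS IN) to show
 * the hardened parser still accepts legitimate input; returns the name length. */
static size_t demo_wellformed(void)
{
    static const uint8_t good[] = {
        0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
        7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
        0, 1, 0, 1 };
    uint8_t out[MAX_QNAME];
    return copy_qname_hardened(good, sizeof good, out, sizeof out);
}

int main(void)
{
    int leaked = 0;
    size_t n = demo_vulnerable(&leaked);
    printf("vulnerable parser echoed %zu name bytes, neighbouring memory leaked: %s\n",
           n, leaked ? "yes" : "no");
    printf("hardened parser on the same query returned %zu (0 = rejected)\n",
           demo_hardened());
    return 0;
}
```

The single missing comparison against `pkt_len` is the whole difference: the vulnerable walk copies 40 bytes that were never part of the query and stops only when it happens to hit a zero byte, which is exactly the shape of leak the researchers describe, where the bytes that come back are bounded but their content is whatever the middlebox had in memory.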
The GFW has relied upon DNS injectors for its filtering for years; at least three of them are running at once. However, as we said, it’s not the only measure used. There are other subsystems operating so that even if a client was able to receive a correct DNS response, other measures would kick in and block their access.
The researchers, collectively contributing to the Great Firewall Report project, said the Wallbleed vulnerability “provides an unprecedented look at the GFW.” The full paper, released Tuesday this week, has all the technical details.
Various studies have been carried out on the GFW in the past, but the Great Firewall Report claims that despite them, not much is known about the firewall’s middleboxes and inner workings.
For example, in 2010 an anonymous Twitter account posted a one-line script that used an earlier DNS flaw to pull 122 bytes of GFW memory; that hole was patched in November 2014.
The Great Firewall Report team said they were able to use Wallbleed to extract plain-text network traffic data, understand how long bytes remained in memory (usually between zero and five seconds), and make inferences about the GFW’s CPU architecture. It’s x86_64.
The team used a box at the University of Massachusetts Amherst to continuously use Wallbleed to monitor President Xi’s censorship infrastructure between October 2021 and March 2024. In doing so, it was able to see how the GFW was maintained, and observe two attempts to patch Wallbleed, in September-October 2023 and March 2024.
The paper refers to the vulnerability before the first patch as Wallbleed v1. Wallbleed v2 is the same underlying bug, which modified queries could still trigger after that first patch and which let the researchers keep probing the GFW until March 2024, when it was patched for good.
The boffins said they were also able to deduce that the vulnerable middleboxes in the GFW were, as you might expect, capable of capturing traffic from hundreds of millions of IP addresses in China, confirming that traffic from across the entire country was handled by these vulnerable middleboxes.
“Wallbleed exemplifies that the harm censorship middleboxes impose on internet users goes even beyond the direct, and designed, harm of censorship: It can severely violate users’ privacy and confidentiality,” the paper concludes. ®