Security
A Tale of Two Leaks: How Hackers Breached the Great Firewall of China
The Great Firewall of China (GFW) is one of, if not arguably the most advanced Internet censorship systems in the world. Because repressive governments generally do not simply publish their censorship rules, the task of determining exactly what is and isn’t allowed falls upon the censorship measurement community, who run experiments over censored networks. In this talk, we’ll discuss two ways censorship measurement has evolved from passive experimentation to active attacks against the Great Firewall.
While fuzzing the Great Firewall’s DNS injection system in 2021, we noticed something strange: Sometimes the injected responses contained weird garbage. After some investigation, we realized we’d stumbled onto a memory disclosure vulnerability that would give us an unprecedented window into the Great Firewall’s internals: Wallbleed.
So we crafted probes that could leak up to 125 bytes per response and repeatedly sent them for two years. Five billion responses later, the picture that emerged was... concerning. Over 2 million HTTP cookies leaked. Nearly 27,000 URL parameters with passwords. SMTP commands exposing email addresses. We found UPnP traffic from RFC 1918 private addresses - suggesting we were seeing the Great Firewall’s own internal network. We saw x86_64 stack frames with ASLR-enabled pointers. We even sent our own tagged traffic into China and later recovered those exact bytes in Wallbleed responses, proving definitively that real user traffic was being exposed.
In September 2023, the patching began. We watched in real-time as blocks of IP addresses stopped responding to our probes. But naturally the same developers that made this error in the first place made further mistakes. Within hours, we developed “Wallbleed v2” queries that still triggered the leak. The vulnerability persisted for another six months until March 2024.
GFW measurement research went back to business as usual until September of this year when an anonymous source released 600GB of leaked source code, packages, and documentation via Enlace Hacktivista. This data came from Geedge Networks - a company closely connected to the GFW and the related MESA lab. Geedge Networks develops censorship software not only for the GFW but also for other repressive countries such as Pakistan, Myanmar, Kazakhstan, and Ethiopia.
We will discuss some of our novel findings from the Geedge Networks leak, including system architecture and deployment details of the systems developed by Geedge Networks and MESA.
Wallbleed and the Geedge Networks leak show that censorship measurement research can be about more than just actively probing censored networks. We hope this talk will be a call to arms for hackers against Internet censorship.
Additional information
| Live Stream | https://streaming.media.ccc.de/39c3/zero |
|---|---|
| Type | Talk |
| Language | English |
More sessions
| 12/27/25 |
Reports of GNSS interference in the Baltic Sea have become almost routine — airplanes losing GPS, ships drifting off course, and timing systems failing. But what happens when a group of engineers decides to build a navigation system that simply *doesn’t care* about the jammer? Since 2017, we’ve been developing **R-Mode**, a terrestrial navigation system that uses existing radio beacons and maritime infrastructure to provide independent positioning — no satellites needed. In this talk, ...
|
| 12/27/25 |
Zwei Jahre nach dem ersten KIM-Vortrag auf dem 37C3: Die gezeigten Schwachstellen wurden inzwischen geschlossen. Weiterhin können mit dem aktuellen KIM 1.5+ nun große Dateien bis 500 MB übertragen werden, das Signaturhandling wurde für die Nutzenden vereinfacht, indem die Detailinformationen der Signatur nicht mehr einsehbar sind. Aber ist das System jetzt sicher oder gibt es neue Probleme?
|
| 12/27/25 |
While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it were software bugs which stopped initial glitching attempts. Once discovered, the software bug was used as an entry to explore the target, which in turn lead to uncovering (and exploiting) more and more bugs, ending up in EL3 of the most secure core on the chip. This talk is about the story of trying to glitch the AMD Platform Security Processor, then ...
|
| 12/27/25 |
The Deutschlandticket was the flagship transport policy of the last government, rolled out in an impressive timescale for a political project; but this speed came with a cost - a system ripe for fraud at an industrial scale. German public transport is famously decentralised, with thousands of individual companies involved in ticketing and operations. Unifying all of these under one national, secure, system has proven a challenge too far for politicians. The end result: losses in the hundreds of ...
|
| 12/27/25 |
In August 2024, Raspberry Pi released their newest MCU: The RP2350. Alongside the chip, they also released the RP2350 Hacking Challenge: A public call to break the secure boot implementation of the RP2350. This challenge concluded in January 2025 and led to five exciting attacks discovered by different individuals. In this talk, we will provide a technical deep dive in the RP2350 security architecture and highlight the different attacks. Afterwards, we talk about two of the breaks in ...
|
| 12/27/25 |
FreeBSD’s jail mechanism promises strong isolation—but how strong is it really? In this talk, we explore what it takes to escape a compromised FreeBSD jail by auditing the kernel’s attack surface, identifying dozens of vulnerabilities across exposed subsystems, and developing practical proof-of-concept exploits. We’ll share our findings, demo some real escapes, and discuss what they reveal about the challenges of maintaining robust OS isolation.
|
| 12/27/25 |
Might contain zerodays. https://gpg.fail/ From secure communications to software updates: PGP implementations such as *GnuPG* ubiquitously relied on to provide cryptographic assurances. Many applications from secure communications to software updates fundamentally rely on these utilities. Since these have been developed for decades, one might expect mature codebases, a multitude of code audit reports, and extensive continuous testing. When looking into various PGP-related codebases for some ...
|
