Foreign researchers' analysis of Green Dam
2009-06-12 15:42
Source
http://www.cse.umich.edu/~jhalderm/pub/gd/

Run through Google Translate.

Summary: We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

Full text of the research report

Introduction

According to recent news reports (NYT, WSJ), the Chinese government has mandated that, beginning July 1, every PC sold in China must include a censorship program called Green Dam. This software is designed to monitor internet connections and text typed on the computer. It blocks undesirable or politically sensitive content and optionally reports it to authorities. Green Dam was developed by a company called Jin Hui and is available as a free download. We examined version 3.17.
How Green Dam Works

The Green Dam software filters content by blocking URLs and website images and by monitoring text in other applications. The filtering blacklists include both political and adult content. Some of the blacklists appear to have been copied from American-made filtering software.

Image filter: Green Dam includes computer vision technology used to block online images containing nudity. The image filter reportedly works by flagging images containing large areas of human skin tone, while making an exception for close-ups of faces. We've found that the program contains code libraries and a configuration file from the open-source image recognition software OpenCV.

Text filter: Green Dam scans text entry fields in various applications for blocked words, including obscenities and politically sensitive phrases. Blacklisted terms are contained in three files, encrypted with a simple key-less scrambling operation. We decrypted the contents of these files: xwordl.dat, xwordm.dat, and xwordh.dat. We also found what appears to be a word list for a more sophisticated sentence processing algorithm in the unencrypted file FalunWord.lib. When Green Dam detects these words, the offending program is forcibly closed and an error image (shown above) is displayed.

URL filter: Green Dam filters website URLs using patterns contained in whitelist and blacklist files (*fil.dat, adwapp.dat, and TrustUrl.dat). These files are encrypted with the same key-less scrambling operation as the blacklists for the text filter. Five of the blacklists correspond to the categories in the content filtering section of Green Dam's options dialog (shown below).

We found evidence that a number of these blacklists have been taken from the American-made filtering program CyberSitter. In particular, we found an encrypted configuration file, wfileu.dat, that references these blacklists with download URLs at CyberSitter's site. We also found a setup file, xstring.s2g, that appears to date these blacklists to 2006. Finally, csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture that this file was accidentally included because it has the same file extension as the filters.
Security Problems

After only one day of testing the Green Dam software, we found two major security vulnerabilities. The first is an error in the way the software processes web sites it monitors. The second is a bug in the way the software installs blacklist updates. Both allow remote parties to execute arbitrary code and take control of the computer.
Web Filtering Vulnerability

Green Dam intercepts Internet traffic and processes it to see whether visited web sites are blacklisted. In order to perform this monitoring, it injects a library called SurfGd.dll into software that uses the socket API. When a user accesses a web site, this code checks the address against the blacklist and logs the URL.

We discovered programming errors in the code used to process web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack. Any web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer.

We have constructed a demonstration URL that triggers this problem. If you have Green Dam installed, clicking the button on our demonstration attack page will cause your browser (or tab) to crash.

This proof-of-concept shows that we are able to control the execution stack. An actual attacker could exploit this to execute malicious code.

Green Dam's design makes this problem exploitable from almost any web browser. At this time, the surest way for users to protect themselves is to uninstall Green Dam.
Blacklist Update Vulnerability

We found a second problem in the way Green Dam reads its filter files. This problem would allow Green Dam's makers, or a third-party impersonating them, to execute arbitrary code and install malicious software on the user's computer after installing a filter update. Users can enable automatic filter updates from the Green Dam configuration program.

Green Dam reads its filter files using unsafe C string libraries. In places, it uses the fscanf function to read lines from filter files into a fixed-length buffer on the execution stack. This creates classic buffer-overflow vulnerabilities. For example, if a line in the file TrustUrl.dat exceeds a certain fixed length, the buffer will be overrun, corrupting the execution stack and potentially giving the attacker control of the process.
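Both defects above, the fixed-length URL buffer in the web filter and the fscanf read of filter-file lines into a stack buffer, are the same unbounded-copy pattern. The C below is an added example, not code from the report or from Green Dam: it shows the unsafe fscanf idiom beside a bounded reader that rejects over-long lines instead of overrunning the buffer. The buffer size ENTRY_BUF, the function names and the TrustUrl.dat-style sample entries are assumed and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ENTRY_BUF 32   /* assumed fixed entry size; not Green Dam's real value */

/* Unsafe pattern from the report: fscanf "%s" has no bound, so a long line in
 * the filter file overruns the fixed buffer. Shown only; never called here. */
int read_entry_unsafe(FILE *fp, char buf[ENTRY_BUF]) {
    return fscanf(fp, "%s", buf) == 1;
}

/* Hardened reader: fgets is bounded by bufsz; a line that does not fit is
 * drained and rejected. Returns 1 accepted, -1 rejected, 0 end of file. */
int read_entry_safe(FILE *fp, char *buf, size_t bufsz) {
    if (fgets(buf, (int)bufsz, fp) == NULL) return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    int c = fgetc(fp);                  /* buffer full: did the line end here? */
    if (c == EOF || c == '\n') return 1;   /* yes: entry fit exactly */
    while (c != EOF && c != '\n')       /* no: over-long line, drain it */
        c = fgetc(fp);
    return -1;
}

/* Spool in-memory content to a temp file and parse it with the safe reader.
 * Returns the accepted entry count; *rejected receives the over-long count. */
int count_filter_entries(const char *content, int *rejected) {
    FILE *fp = tmpfile();
    char buf[ENTRY_BUF];
    int accepted = 0, rc;
    *rejected = 0;
    if (fp == NULL) return -1;
    fputs(content, fp);
    rewind(fp);
    while ((rc = read_entry_safe(fp, buf, sizeof buf)) != 0)
        if (rc == 1) accepted++; else (*rejected)++;
    fclose(fp);
    return accepted;
}

int main(void) {
    /* Constructed TrustUrl.dat-style sample: two short entries, one over-long. */
    const char *sample = "example.invalid\ntrusted.example\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n";
    int rejected, accepted = count_filter_entries(sample, &rejected);
    printf("accepted=%d rejected=%d\n", accepted, rejected);   /* 2 and 1 */
    return 0;
}
```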

The filter files can be replaced remotely by the software maker if the user has enabled filter updates. The updates could corrupt these vulnerable files to exploit the problems we found. This could allow Green Dam's makers to take control of any computer where the software is installed and automatic filter updates are enabled. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server (for example, by exploiting DNS vulnerabilities) and take control of users' computers using this attack.
Removing Green Dam

Green Dam allows users who know its administrator password to uninstall the software. We tested the uninstaller and found that it appears to effectively remove Green Dam from the computer. However, it fails to remove some log files, so evidence of users' activity remains hidden on the system.

In light of the serious vulnerabilities we outlined above, the surest way for users to protect themselves is to remove the software immediately using its uninstall function.
Conclusion

Our brief testing proves that Green Dam contains very serious security vulnerabilities. Unfortunately, these problems seem to reflect systemic flaws in the code. The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf. These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack.

If Green Dam is deployed in its current form, it will significantly weaken China's computer security. While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China's July 1 deadline for deploying Green Dam nationwide.
