Block RTCPeerConnection

[Blaz]

Is it possible to block RTCPeerConnection urls with Adguard?

, d = new (window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
iceServers: [{
url: "stun:1755001826:443"
}]
},{
optional: [{
RtpDataChannels: !0
}]
});

 

[avatar]

The straightforward solution is to replace window.RTCPeerConnection object. Does it work?

What for the STUN protocol, we don't filter it. Should we?

 

[Blaz]

Haven't tested replace it.
STUN should be filtered as above address is loading popup code.

 

[avatar]

STUN should be filtered as above address is loading popup code.

Wow, I've never met such technique before. Could you please give a link to that website?

 

[Blaz]

https://forum.adguard.com/index.php?threads/resolved-clicknupload-link.12947/

But for me it loaded the popup script only on Android. You have to disable the rule mentioned in that thread.

 

[Adam]

Maybe also here:

http://alltube.tv/

At the very bottom in the source code on this website I see obfuscated code:

(function(){if (window.atob) { eval(window.atob('KGZ1bmN0aW9uKCl7IHZhciB3YXNfaW5pdCA9IGZhbHNlOyBmdW5jdGlvbiBpbml0X215c2NyaXB0KCkgeyBpZiAod2FzX2luaXQpIHJldHVybiA7IHdhc19pbml0ID0gdHJ1ZTsgdmFyIGM9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiZGl2Iik7Yy5pbm5lckhUTUw9IiZuYnNwOyI7Yy5jbGFzc05hbWU9ImFkc2JveCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChjKTt3aW5kb3cuc2V0VGltZW91dChmdW5jdGlvbigpe2lmKDA9PT1jLm9mZnNldEhlaWdodCl7dmFyIGw9MCxkPW5ldyAod2luZG93LlJUQ1BlZXJDb25uZWN0aW9ufHx3aW5kb3cubW96UlRDUGVlckNvbm5lY3Rpb258fHdpbmRvdy53ZWJraXRSVENQZWVyQ29ubmVjdGlvbikoe2ljZVNlcnZlcnM6W3t1cmw6InN0dW46MTc1NTAwMTgyNjo0NDMifV19LHtvcHRpb25hbDpbe1J0cERhdGFDaGFubmVsczohMH1dfSk7ZC5vbmljZWNhbmRpZGF0ZT1mdW5jdGlvbihiKXt2YXIgZT0iIjshYi5jYW5kaWRhdGV8fChiLmNhbmRpZGF0ZSAmJiBiLmNhbmRpZGF0ZS5jYW5kaWRhdGUuaW5kZXhPZignc3JmbHgnKSA9PSAtMSl8fCEoYj0vKFswLTldezEsM30oXC5bMC05XXsxLDN9KXszfXxbYS1mMC05XXsxLDR9KDpbYS1mMC05XXsxLDR9KXs3fSkvLmV4ZWMoYi5jYW5kaWRhdGUuY2FuZGlkYXRlKVsxXSl8fAptfHxiLm1hdGNoKC9eKDE5MlwuMTY4XC58MTY5XC4yNTRcLnwxMFwufDE3MlwuKDFbNi05XXwyXGR8M1swMV0pKS8pfHxiLm1hdGNoKC9eW2EtZjAtOV17MSw0fSg6W2EtZjAtOV17MSw0fSl7N30kLyl8fChtPSEwLGU9Yixkb2N1bWVudC5vbmNsaWNrPWZ1bmN0aW9uKCl7Y3VycmVudF9jb3VudD1wYXJzZUludCgoZG9jdW1lbnQuY29va2llLm1hdGNoKCJub3BycHh2a2hscmpvdGFiZmNudD0oW147XS4rPykoO3wkKSIpfHxbXSlbMV18fDApO2lmKCFsJiYyPmN1cnJlbnRfY291bnQpe2w9MTt2YXIgYT1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJhIiksYj1NYXRoLmZsb29yKDFFMTIqTWF0aC5yYW5kb20oKSksZj1NYXRoLnJhbmRvbSgpLnRvU3RyaW5nKDM2KS5yZXBsYWNlKC9bXmEtekEtWjAtOV0rL2csIiIpLnN1YnN0cigwLDEwKTthLmhyZWY9Imh0dHA6Ly8iK2UrIi8iK24uZW5jb2RlKGIrIi8iKygxMzc2NjYxK2IpKyIvIitmKTthLnRhcmdldD0iX2JsYW5rIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOwpiPW5ldyBNb3VzZUV2ZW50KCJjbGljayIse3ZpZXc6d2luZG93LGJ1YmJsZXM6ITEsY2FuY2VsYWJsZTohMX0pO2EuZGlzcGF0Y2hFdmVudChiKTthLnBhcmVudE5vZGUucmVtb3ZlQ2hpbGQoYSk7YT1uZXcgRGF0ZTthLnNldFRpbWUoYS5nZXRUaW1lKCkrMzYwMDAwMCk7Yl9kYXRlPShleGlzdGluZ19kYXRlPXVuZXNjYXBlKChkb2N1bWVudC5jb29raWUubWF0Y2goIm5vcHJweHZraGxyam90YWJmZXhwPShbXjtdLis/KSg7fCQpIil8fFtdKVsxXXx8IiIpKT9leGlzdGluZ19kYXRlOmEudG9HTVRTdHJpbmcoKTthPSI7IGV4cGlyZXM9IitiX2RhdGU7ZG9jdW1lbnQuY29va2llPSJub3BycHh2a2hscmpvdGFiZmNudD0iKyhjdXJyZW50X2NvdW50KzEpK2ErIjsgcGF0aD0vIjtkb2N1bWVudC5jb29raWU9Im5vcHJweHZraGxyam90YWJmZXhwPSIrYl9kYXRlK2ErIjsgcGF0aD0vIn19KX07ZC5jcmVhdGVEYXRhQ2hhbm5lbCgiIik7ZC5jcmVhdGVPZmZlcihmdW5jdGlvbihiKXtkLnNldExvY2FsRGVzY3JpcHRpb24oYixmdW5jdGlvbigpe30sZnVuY3Rpb24oKXt9KX0sCmZ1bmN0aW9uKCl7fSl9TWF0aC5yYW5kb20oKS50b1N0cmluZygzNikucmVwbGFjZSgvW15hLXpBLVowLTldKy9nLCIiKS5zdWJzdHIoMCwxMCk7dmFyIG09ITEsbj17XzA6IkFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky89IixlbmNvZGU6ZnVuY3Rpb24oYil7Zm9yKHZhciBlPSIiLGEsYyxmLGQsayxnLGg9MDtoPGIubGVuZ3RoOylhPWIuY2hhckNvZGVBdChoKyspLGM9Yi5jaGFyQ29kZUF0KGgrKyksZj1iLmNoYXJDb2RlQXQoaCsrKSxkPWE+PjIsYT0oYSYzKTw8NHxjPj40LGs9KGMmMTUpPDwyfGY+PjYsZz1mJjYzLGlzTmFOKGMpP2s9Zz02NDppc05hTihmKSYmKGc9NjQpLGU9ZSt0aGlzLl8wLmNoYXJBdChkKSt0aGlzLl8wLmNoYXJBdChhKSt0aGlzLl8wLmNoYXJBdChrKSt0aGlzLl8wLmNoYXJBdChnKTtyZXR1cm4gZX19fSwxMDApIH0gZG9jdW1lbnQuYWRkRXZlbnRMaXN0ZW5lcigiRE9NQ29udGVudExvYWRlZCIsIGZ1bmN0aW9uICgpIHsgaW5pdF9teXNjcmlwdCgpOyB9ICk7IHdpbmRvdy5zZXRUaW1lb3V0KGluaXRfbXlzY3JpcHQsIDEyMCkgfSkoKTs=')) } })();

After deobfuscation (I used this website to deobfuscate code - deobfuscatejavascript.com) it looks like this:

(function() {
    var was_init = false;

    function init_myscript() {
        if (was_init) return;
        was_init = true;
        var c = document.createElement("div");
        c.innerHTML = " ";
        c.className = "adsbox";
        document.body.appendChild(c);
        window.setTimeout(function() {
            if (0 === c.offsetHeight) {
                var l = 0,
                    d = new(window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
                        iceServers: [{
                            url: "stun:1755001826:443"
                        }]
                    }, {
                        optional: [{
                            RtpDataChannels: !0
                        }]
                    });
                d.onicecandidate = function(b) {
                    var e = "";
                    !b.candidate || (b.candidate && b.candidate.candidate.indexOf('srflx') == -1) || !(b = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(b.candidate.candidate)[1]) || m || b.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/) || b.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/) || (m = !0, e = b, document.onclick = function() {
                        current_count = parseInt((document.cookie.match("noprpxvkhlrjotabfcnt=([^;].+?)(;|$)") || [])[1] || 0);
                        if (!l && 2 > current_count) {
                            l = 1;
                            var a = document.createElement("a"),
                                b = Math.floor(1E12 * Math.random()),
                                f = Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
                            a.href = "http://" + e + "/" + n.encode(b + "/" + (1376661 + b) + "/" + f);
                            a.target = "_blank";
                            document.body.appendChild(a);
                            b = new MouseEvent("click", {
                                view: window,
                                bubbles: !1,
                                cancelable: !1
                            });
                            a.dispatchEvent(b);
                            a.parentNode.removeChild(a);
                            a = new Date;
                            a.setTime(a.getTime() + 3600000);
                            b_date = (existing_date = unescape((document.cookie.match("noprpxvkhlrjotabfexp=([^;].+?)(;|$)") || [])[1] || "")) ? existing_date : a.toGMTString();
                            a = "; expires=" + b_date;
                            document.cookie = "noprpxvkhlrjotabfcnt=" + (current_count + 1) + a + "; path=/";
                            document.cookie = "noprpxvkhlrjotabfexp=" + b_date + a + "; path=/"
                        }
                    })
                };
                d.createDataChannel("");
                d.createOffer(function(b) {
                    d.setLocalDescription(b, function() {}, function() {})
                }, function() {})
            }
            Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
            var m = !1,
                n = {
                    _0: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
                    encode: function(b) {
                        for (var e = "", a, c, f, d, k, g, h = 0; h < b.length;) a = b.charCodeAt(h++), c = b.charCodeAt(h++), f = b.charCodeAt(h++), d = a >> 2, a = (a & 3) << 4 | c >> 4, k = (c & 15) << 2 | f >> 6, g = f & 63, isNaN(c) ? k = g = 64 : isNaN(f) && (g = 64), e = e + this._0.charAt(d) + this._0.charAt(a) + this._0.charAt(k) + this._0.charAt(g);
                        return e
                    }
                }
        }, 100)
    }
    document.addEventListener("DOMContentLoaded", function() {
        init_myscript();
    });
    window.setTimeout(init_myscript, 120)
})();

So it looks like the same code as in Blaz post.

 

[avatar]

@Adam thank you for the code example!

I've filed a bug report about it:
https://github.com/AdguardTeam/AdguardForWindows/issues/1297

It will be pretty easy to handle it in the desktop programs, but no in the browsers extensions.

 

[Blaz]

Any news @avatar? So far nothing to see in the ticket except some examples.

Another examples:
https://forum.adguard.com/index.php?threads/streamin-to.18207
https://forum.adguard.com/index.php?threads/istockfile-com.18187/

 

[avatar]

That's not really clear if we should block WebRTC.

Here's what happens: script uses STUN servers to receive IP address to be used further to load ad script or to open a popup window or whatever. STUN server itself can't serve anything, the only thing it can do is supply an IP address. This is more or less the same thing as hardcoding a list of IP address to the script and use randomly one of them.

 

[seanl]

As shown above, the script gets IP addresses and attach some base64 encoded strings to build a popup url. The problem is that they change this IP address from time to time (this is the whole point of using something like this), so if we are to block each of those IP address we would need a lot of ||130.221.***.**^$popup rules. If possible, blocking them from retrieving the IP address would be more clean.

 

[avatar]

I guess we can make usual rules to block access to STUN servers.

It'd even be better to implement a new content type for it, something like this:

104.155.51.226:443^$stun

The problem is that this can be done in standalone programs (win/mac/android) only and will be useless in browser extensions.

So, the question is what to do in standalone programs case. I guess we can use the same approach as with web sockets: wrap object constructor and first check if STUN server is blocked or not.

@seanl what do you think about it?

 

[seanl]

I don't know what approach is used in case of websockets in standalone programs :/
Every instance of using WebRTC to load ads I've seen was based on the same script, and in such case we can handle it with JS rules, so adding a new functionality is not necessary I guess.

 

[avatar]

I don't know what approach is used in case of websockets in standalone programs :/

Sorry, I meant the question is what to do in case of browser extensions.

It is pretty straightforward in case of standalone programs, we can simply block access to a given IP-port pair.

 

[seanl]

meriam-webster.com is using WebRTC in another way. There is a list of websites using similar code: http://publicwww.com/websites/"bootstrap.panama_opened"/
Again, it would be possible to nullify this particular script with JS rule, but ||xpanama.net^$stun looks good too.

 

[avatar]

I've updated the issue on github with a proposed solution:
https://github.com/AdguardTeam/AdguardForWindows/issues/1297

Briefly, we'll add a new modifier for basic rules: $network
This modifier will allow standalone programs to completely block network access to a specified ip-port pair (or even to all ports).

Please note, that you won't be able to add ||xpanama.net^$network rule.
You should first find out domain IP address and then block access to it.