Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass

Full Disclosure
mailing list archives



From: “Timothy D. Morgan” <tim.advisories () blindspotsecurity com>

Date: Mon, 20 Feb 2017 08:20:16 -0800



Overview
Recently, a vulnerability in Java's FTP URL handling code was published that allows for protocol stream 
injection. It has been shown[1] that this flaw can be used to leverage existing XXE or SSRF vulnerabilities to send 
unauthorized email from Java applications via the SMTP protocol. While technically interesting, the full impact of this 
protocol stream injection has not been fully accounted for in the existing public analysis.

Protocol injection flaws like this have been an area of research of mine for the past couple of years, and as it 
turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the 
Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in 
Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even 
if those desktop users do not have the Java browser plugin enabled.

As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance 
warning and ample time to do so.
...

For the rest of the advisory, please see:
  http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
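Until vendor patches land, the practical mitigation is to keep attacker-influenced URLs (XXE external entities, SSRF parameters) away from the FTP client altogether. The gate below is an added example, not code from the advisory or from the Java/Python projects; it assumes the application only needs http(s) outbound and that the injection vector is a CR/LF sequence smuggled into a URL component, raw or percent-encoded.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed policy for this example: only http(s) may be fetched, and no URL
# component may carry a control character once percent-decoding is applied.
ALLOWED_SCHEMES = {"http", "https"}
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, TAB, NUL and other C0 controls


class UnsafeURL(ValueError):
    """A URL that must not be handed to a URL-fetching library."""


def check_outbound_url(url: str) -> str:
    """Return url unchanged if it passes policy, otherwise raise UnsafeURL."""
    # Check the raw string first: recent urlsplit() versions silently strip
    # \r, \n and \t, so a component-level check alone never sees a raw newline.
    if _CONTROL.search(url):
        raise UnsafeURL("raw control character in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    # A percent-encoded CR/LF (%0D%0A) is decoded by the client before the
    # user info or path is written onto the protocol stream, which is exactly
    # where an injected command would land, so decode and re-check each part.
    components = {
        "netloc": parts.netloc,      # covers user, password and host
        "path": parts.path,
        "query": parts.query,
        "fragment": parts.fragment,
    }
    for name, value in components.items():
        if _CONTROL.search(unquote(value)):
            raise UnsafeURL(f"encoded control character in {name}")
    return url


def is_safe_outbound_url(url: str) -> bool:
    """Boolean form of check_outbound_url for use in filters and tests."""
    try:
        check_outbound_url(url)
    except UnsafeURL:
        return False
    return True
```

Deny-listing ftp:// alone is not enough: the same decode-then-write pattern applies to any scheme the fetcher supports, so the control-character check is kept even for allowed schemes.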




1. https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: Full Disclosure @ February 21, 2017 at 01:19PM
