Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 20 Feb 2017 08:22:42 -0800
From: "Timothy D. Morgan" <tim.advisories@...ndspotsecurity.com>
To: oss-security@...ts.openwall.com
Subject: Blindspot Advisory: Java/Python FTP Injections Allow for Firewall
 Bypass


Recently, an vulnerability in Java's FTP URL handling code has been published which allows for protocol stream injection. It has been shown[1] that this flaw could be used to leverage existing XXE or SSRF vulnerabilities to send unauthorized email from Java applications via the SMTP protocol. While technically interesting, the full impact of this protocol stream injection has not been fully accounted for in existing public analysis.

Protocol injection flaws like this have been an area of research of mine for the past few couple of years and as it turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled.

As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance warning and ample time to do so.
...

For the rest of the advisory, please see:
  http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html




1. https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ