[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass
- From: "Timothy D. Morgan" <tim.advisories@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 20 Feb 2017 08:20:16 -0800
Overview
Recently, an vulnerability in Java's FTP URL handling code has been published
which allows for protocol stream injection. It has been shown[1] that this flaw
could be used to leverage existing XXE or SSRF vulnerabilities to send
unauthorized email from Java applications via the SMTP protocol. While
technically interesting, the full impact of this protocol stream injection has
not been fully accounted for in existing public analysis.
Protocol injection flaws like this have been an area of research of mine for
the past few couple of years and as it turns out, this FTP protocol injection
allows one to fool a victim's firewall into allowing TCP connections from the
Internet to the vulnerable host's system on any "high" port (1024-65535). A
nearly identical vulnerability exists in Python's urllib2 and urllib libraries.
In the case of Java, this attack can be carried out against desktop users even
if those desktop users do not have the Java browser plugin enabled.
As of 2017-02-20, the vulnerabilities discussed here have not been patched by
the associated vendors, despite advance warning and ample time to do so.
...
For the rest of the advisory, please see:
http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
1. https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/