List: full-disclosure
Subject: [FD] Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass
From: "Timothy D. Morgan" <tim.advisories () blindspotsecurity ! com>
Date: 2017-02-20 16:20:16
Message-ID: d073d8fa-6b1a-692d-e68f-f094af010137 () blindspotsecurity ! com
Overview
Recently, a vulnerability in Java's FTP URL handling code has been published which allows for protocol stream injection. It has been shown[1] that this flaw could be used to leverage existing XXE or SSRF vulnerabilities to send unauthorized email from Java applications via the SMTP protocol. While technically interesting, the full impact of this protocol stream injection has not been fully accounted for in existing public analysis.
Protocol injection flaws like this have been an area of research of mine for the past few years and, as it turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled.
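As an added defensive example (not code from the advisory or from the Java/Python projects), assuming the injection is carried by CR/LF control characters in URL components that urllib decodes before writing them to the FTP control channel, the following check rejects such URLs before an application hands attacker-influenced URLs to urllib:

```python
"""Reject ftp:// URLs that could inject lines into the FTP control channel.

Assumption of this example (the advisory excerpt does not detail the
vector): the injection comes from CR/LF/NUL characters, raw or
percent-encoded, in URL parts that urllib decodes before sending them
as FTP commands (USER, PASS, CWD, RETR).
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Characters that, once decoded, would terminate or start a new FTP
# command line on the control connection.
_FORBIDDEN = {"\r", "\n", "\x00"}


def ftp_url_injection_reason(url: str) -> Optional[str]:
    """Return why *url* is unsafe to fetch, or None if it passes."""
    # Check the raw string first: urlsplit silently strips raw CR/LF,
    # which would otherwise hide them from the per-component check.
    if any(c in url for c in _FORBIDDEN):
        return "raw control character in URL"
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return "not an ftp URL"
    if not parts.hostname:
        return "missing host"
    # urllib percent-decodes userinfo and path before emitting FTP
    # commands, so the *decoded* form of each part is what matters.
    decoded = {
        "username": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "path": unquote(parts.path),
        "query": unquote(parts.query),
    }
    for name, value in decoded.items():
        bad = sorted(c for c in set(value) if c in _FORBIDDEN)
        if bad:
            return f"control character {bad!r} in {name}"
    return None


def is_safe_ftp_url(url: str) -> bool:
    """Convenience wrapper: True only when no injection reason is found."""
    return ftp_url_injection_reason(url) is None
```

The sample URLs in the test are constructed; "NOOP" stands in for whatever the injected line would be.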
As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance warning and ample time to do so.
...
For the rest of the advisory, please see:
http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
1. https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/