Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass

["Timothy D. Morgan" <tim.advisories () blindspotsecurity com>]

Recently, an vulnerability in Java's FTP URL handling code has been published which allows for protocol stream 
injection. It has been shown[1] that this flaw could be used to leverage existing XXE or SSRF vulnerabilities to send 
unauthorized email from Java applications via the SMTP protocol. While technically interesting, the full impact of this 
protocol stream injection has not been fully accounted for in existing public analysis.

Protocol injection flaws like this have been an area of research of mine for the past few couple of years and as it 
turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the 
Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in 
Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even 
if those desktop users do not have the Java browser plugin enabled.

As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance 
warning and ample time to do so.
...

For the rest of the advisory, please see:
  http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html




1. https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/