Java / Python FTP URL Handling XXE / SSRF

Java and Python both have URL handling code that can be leveraged for XML external entity (XXE) injection and SSRF attacks.


MD5 | b46f35be652c08f2529c29a9fccd6755


Overview
Recently, an vulnerability in Java's FTP URL handling code has been published which allows for protocol stream injection. It has been shown[1] that this flaw could be used to leverage existing XXE or SSRF vulnerabilities to send unauthorized email from Java applications via the SMTP protocol. While technically interesting, the full impact of this protocol stream injection has not been fully accounted for in existing public analysis.

Protocol injection flaws like this have been an area of research of mine for the past few couple of years and as it turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled.

As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance warning and ample time to do so.
...

For the rest of the advisory, please see:
http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html




1. https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/



Related Posts