[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)
Steven D'Aprano
steve at pearwood.info
Thu Feb 23 23:36:57 EST 2017
I haven't seen any response to the following alleged security
vulnerability.
I am not qualified to judge the merits of this, but it does seem
worrying that (allegedly) the Python security team hasn't responded for
over 12 months.
Is anyone able to comment?
Thanks,
Steve
On Mon, Feb 20, 2017 at 09:01:21PM +0000, nospam at curso.re wrote:
> Hello,
>
> I have just noticed that an FTP injection advisory has been made public
> on the oss-security list.
>
> The author says that an exploit exists but it won't be published
> until the code is patched.
>
> You may be already aware, but it would be good to understand what is the
> position of the core developers about this.
>
> The advisory is linked below (with some excerpts in this message):
>
> http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
>
> Protocol injection flaws like this have been an area of research of mine
> for the past couple of years and as it turns out, this FTP protocol
> injection allows one to fool a victim's firewall into allowing TCP
> connections from the Internet to the vulnerable host's system on any
> "high" port (1024-65535). A nearly identical vulnerability exists in
> Python's urllib2 and urllib libraries. In the case of Java, this attack
> can be carried out against desktop users even if those desktop users do
> not have the Java browser plugin enabled.
> As of 2017-02-20, the vulnerabilities discussed here have not been patched
> by the associated vendors, despite advance warning and ample time to do
> so.
> [...]
> Python's built-in URL fetching library (urllib2 in Python 2 and urllib in
> Python 3) is vulnerable to a nearly identical protocol stream injection,
> but this injection appears to be limited to attacks via directory names
> specified in the URL.
> [...]
> The Python security team was notified in January 2016. Information
> provided included an outline of the possibility of FTP/firewall attacks.
> Despite repeated follow-ups, there has been no apparent action on their
> part.
>
> Best regards,
>
> -- Stefano
>
> P.S.
> I am posting from gmane, I hope that this is OK.
>
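A defensive pre-check of the kind the quoted advisory's description points at, added here as an example that is neither part of the thread nor CPython's own code: urllib sends each directory name from an ftp:// URL as a separate line on the FTP control channel, so a caller handling untrusted URLs can refuse any URL whose decoded path segments or credentials contain line breaks or other control characters before handing it to urllib. Function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Characters that must never reach a line-oriented text protocol such as the
# FTP control channel: CR, LF, NUL, the other C0 controls, and DEL.
CONTROL_CHARS = frozenset(chr(c) for c in range(0x00, 0x20)) | {"\x7f"}


def ftp_url_violations(url):
    """Return a list of human-readable problems; an empty list means the URL
    is acceptable to pass on. Only ftp:// URLs are considered acceptable."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        problems.append("scheme is not ftp")
        return problems

    # Inspect each path segment AFTER percent-decoding, because urllib
    # decodes the segments before it issues one CWD command per directory.
    for raw in parts.path.split("/"):
        decoded = unquote(raw)
        bad = sorted({c for c in decoded if c in CONTROL_CHARS})
        if bad:
            codes = ",".join("0x%02x" % ord(c) for c in bad)
            problems.append("control char(s) %s in path segment %r" % (codes, raw))

    # Credentials embedded in the URL are sent as USER/PASS lines as well,
    # so they get the same treatment.
    for name, value in (("username", parts.username), ("password", parts.password)):
        if value and any(c in CONTROL_CHARS for c in unquote(value)):
            problems.append("control char(s) in %s" % name)
    return problems


def is_safe_ftp_url(url):
    """True when ftp_url_violations() finds nothing to object to."""
    return not ftp_url_violations(url)


if __name__ == "__main__":
    # Constructed sample URLs: a plain one and one carrying an encoded CRLF
    # inside a directory name.
    for sample in ("ftp://example.test/pub/files/",
                   "ftp://example.test/pub/a%0D%0Ab/"):
        print(sample, "->", ftp_url_violations(sample) or "ok")
```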