Python FTP Injections Allow for Firewall Bypass (oss-security advisory)
Hello,

I have just noticed that an FTP injection advisory has been made public on the oss-security list.

The author says that an exploit exists but it won't be published until the code is patched.

You may already be aware, but it would be good to understand what the position of the core developers is about this.

The advisory is linked below (with some excerpts in this message):

http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections...

Protocol injection flaws like this have been an area of research of mine for the past couple of years and as it turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled. As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance warning and ample time to do so.

[...]

Python's built-in URL fetching library (urllib2 in Python 2 and urllib in Python 3) is vulnerable to a nearly identical protocol stream injection, but this injection appears to be limited to attacks via directory names specified in the URL.

[...]

The Python security team was notified in January 2016. Information provided included an outline of the possibility of FTP/firewall attacks. Despite repeated follow-ups, there has been no apparent action on their part.

Best regards,

-- Stefano

P.S. I am posting from gmane, I hope that this is OK.
I haven't seen any response to the following alleged security vulnerability.

I am not qualified to judge the merits of this, but it does seem worrying that (allegedly) the Python security team hasn't responded for over 12 months.

Is anyone able to comment?

Thanks,

Steve

On Mon, Feb 20, 2017 at 09:01:21PM +0000, nospam@curso.re wrote:
Hello,
I have just noticed that an FTP injection advisory has been made public on the oss-security list.
The author says that an exploit exists but it won't be published until the code is patched.
You may already be aware, but it would be good to understand what the position of the core developers is about this.
The advisory is linked below (with some excerpts in this message):
http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections...
Protocol injection flaws like this have been an area of research of mine for the past couple of years and as it turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled. As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance warning and ample time to do so.

[...]

Python's built-in URL fetching library (urllib2 in Python 2 and urllib in Python 3) is vulnerable to a nearly identical protocol stream injection, but this injection appears to be limited to attacks via directory names specified in the URL.

[...]

The Python security team was notified in January 2016. Information provided included an outline of the possibility of FTP/firewall attacks. Despite repeated follow-ups, there has been no apparent action on their part.
Best regards,
-- Stefano
P.S. I am posting from gmane, I hope that this is OK.
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/steve%40pearwood.info
On Thu, Feb 23, 2017, at 20:36, Steven D'Aprano wrote:
I haven't seen any response to the following alleged security vulnerability.
I am not qualified to judge the merits of this, but it does seem worrying that (allegedly) the Python security team hasn't responded for over 12 months.
Like all CPython developers, the Python security team are all volunteers. That, combined with the fact that dealing with security issues is one of the least fun programming tasks, means issues are sometimes dropped. Perhaps some organization with a stake in Python security would like to financially support Python security team members.

As for this particular issue, we should determine if there's a tracker issue yet and continue discussion there.
On 24 February 2017 at 07:51, Benjamin Peterson <benjamin@python.org> wrote:
As for this particular issue, we should determine if there's a tracker issue yet and continue discussion there.
That would be <https://bugs.python.org/issue29606>.
On Thu, 23 Feb 2017 23:51:45 -0800 Benjamin Peterson <benjamin@python.org> wrote:
Like all CPython developers, the Python security team are all volunteers. That, combined with the fact that dealing with security issues is one of the least fun programming tasks, means issues are sometimes dropped.
Perhaps some organization with a stake in Python security would like to financially support Python security team members.
As for this particular issue, we should determine if there's a tracker issue yet and continue discussion there.
Just for the record, I find the mailing-list scheme used by PSRT quite difficult to deal with. For many people it's easy to lose track of e-mails received more than one week ago, so the necessary followup to security issues received by e-mail suffers.

It's a bit sad that regular issues benefit from a full-fledged Roundup instance to allow for easy tracking of open issues (including comments and proposed fixes), but security issues are restricted to such a primitive communication setup which makes it so difficult to get work done.

AFAIK, other projects have full-fledged private bug trackers for their security issues (or access-restricted sections in the main bug tracker, where the software supports it).

Regards

Antoine.
Ask the infrastructure team for a tracker instance. That would probably be more fruitful of an outlet than in the thread of this one issue. (I'm not trying to be flippant, I think a private issue tracker for vulnerabilities is a really good idea, I just don't think that bemoaning the lack of one in a thread about an FTP issue is likely to get much done.)
-----Original Message-----
From: Python-Dev On Behalf Of Antoine Pitrou
Sent: Friday, February 24, 2017 5:02 AM
To: python-dev@python.org
Subject: Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)
On Thu, 23 Feb 2017 23:51:45 -0800 Benjamin Peterson <benjamin@python.org> wrote:
Like all CPython developers, the Python security team are all volunteers. That, combined with the fact that dealing with security issues is one of the least fun programming tasks, means issues are sometimes dropped.
Perhaps some organization with a stake in Python security would like to financially support Python security team members.
As for this particular issue, we should determine if there's a tracker issue yet and continue discussion there.
Just for the record, I find the mailing-list scheme used by PSRT quite difficult to deal with. For many people it's easy to lose track of e-mails received more than one week ago, so the necessary followup to security issues received by e-mail suffers.
It's a bit sad that regular issues benefit from a full-fledged Roundup instance to allow for easy tracking of open issues (including comments and proposed fixes), but security issues are restricted to such a primitive communication setup which makes it so difficult to get work done.
AFAIK, other projects have full-fledged private bug trackers for their security issues (or access-restricted sections in the main bug tracker, where the software supports it).
Regards
Antoine.
On 2017-02-24 11:01, Antoine Pitrou wrote:
On Thu, 23 Feb 2017 23:51:45 -0800 Benjamin Peterson <benjamin@python.org> wrote:
Like all CPython developers, the Python security team are all volunteers. That, combined with the fact that dealing with security issues is one of the least fun programming tasks, means issues are sometimes dropped.
Perhaps some organization with a stake in Python security would like to financially support Python security team members.
As for this particular issue, we should determine if there's a tracker issue yet and continue discussion there.
Just for the record, I find the mailing-list scheme used by PSRT quite difficult to deal with. For many people it's easy to lose track of e-mails received more than one week ago, so the necessary followup to security issues received by e-mail suffers.
It's a bit sad that regular issues benefit from a full-fledged Roundup instance to allow for easy tracking of open issues (including comments and proposed fixes), but security issues are restricted to such a primitive communication setup which makes it so difficult to get work done.
AFAIK, other projects have full-fledged private bug trackers for their security issues (or access-restricted sections in the main bug tracker, where the software supports it).
Amen! Antoine's and Benjamin's replies are the gist of my security talk at the last language summit, https://lwn.net/Articles/691308/ . A dedicated bug tracker or embargoed tickets would help the most. It would also make it much easier to track and measure our response time. A paid position would also help with the organizational overhead.

Personally, I'm good at finding and fixing security issues. The actual communication, reporting and press releases are not my strength. Victor's incredible work on http://python-security.readthedocs.io/vulnerabilities.html is going to help, too.

Christian
Hi,

Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)"

2017-02-24 5:36 GMT+01:00 Steven D'Aprano <steve@pearwood.info>:
I am not qualified to judge the merits of this, but it does seem worrying that (allegedly) the Python security team hasn't responded for over 12 months.
Is anyone able to comment?
I don't have the archives of the PSRT mailing list and I'm not sure that I was subscribed when "the" email was sent. Does someone have the date of this email? It's to complete the new entry in my doc: http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_inject...

I don't want to blame anyone, I just want to collect data to help us to enhance our process to handle security vulnerabilities.

FYI I tried to take care of a few security vulnerabilities recently, and as expected, each issue is more tricky than expected :-)

While fixing http://bugs.python.org/issue30500 I noticed that urllib accepts newline characters in URLs. I don't know if it's deliberate or not... So I created a new issue http://bugs.python.org/issue30713

I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in 2.7 on Windows with Visual Studio 2008. And just when I was done, expat 2.2.1 was released. I have to do the same job again :-)

Victor
I think that the first email about this was received from Timothy D. Morgan on 1/15/16. You should be able to get confirmation of this from Christian Heimes. I think that was a dark year for the PSRT.

On Tue, Jun 20, 2017 at 3:35 PM, Victor Stinner <victor.stinner@gmail.com> wrote:
Hi,
Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)"
2017-02-24 5:36 GMT+01:00 Steven D'Aprano <steve@pearwood.info>:
I am not qualified to judge the merits of this, but it does seem worrying that (allegedly) the Python security team hasn't responded for over 12 months.
Is anyone able to comment?
I don't have the archives of the PSRT mailing list and I'm not sure that I was subscribed when "the" email was sent. Does someone have the date of this email? It's to complete the new entry in my doc: http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
I don't want to blame anyone, I just want to collect data to help us to enhance our process to handle security vulnerabilities.
FYI I tried to take care of a few security vulnerabilities recently, and as expected, each issue is more tricky than expected :-)
While fixing http://bugs.python.org/issue30500 I noticed that urllib accepts newline characters in URLs. I don't know if it's deliberate or not... So I created a new issue http://bugs.python.org/issue30713
I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in 2.7 on Windows with Visual Studio 2008. And just when I was done, expat 2.2.1 was released. I have to do the same job again :-)
Victor
-- --Guido van Rossum (python.org/~guido)
Thank you. Now you can admire the beautiful timeline :-)
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_inject...

Timeline using the disclosure date 2017-02-20 as reference:

2016-01-15 (-402 days): Reported (email sent to the PSRT list)
2017-02-20: Disclosure date (blog post, mail to oss-security)
2017-02-20 (+0 days): Python issue #29606 reported by ecbftw

2017-06-21 1:06 GMT+02:00 Guido van Rossum <guido@python.org>:
I think that the first email about this was received from Timothy D. Morgan on 1/15/16. You should be able to get confirmation of this from Christian Heimes. I think that was a dark year for the PSRT.
On Tue, Jun 20, 2017 at 3:35 PM, Victor Stinner <victor.stinner@gmail.com> wrote:
Hi,
Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)"
2017-02-24 5:36 GMT+01:00 Steven D'Aprano <steve@pearwood.info>:
I am not qualified to judge the merits of this, but it does seem worrying that (allegedly) the Python security team hasn't responded for over 12 months.
Is anyone able to comment?
I don't have the archives of the PSRT mailing list and I'm not sure that I was subscribed when "the" email was sent. Does someone have the date of this email? It's to complete the new entry in my doc:
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_inject...
I don't want to blame anyone, I just want to collect data to help us to enhance our process to handle security vulnerabilities.
FYI I tried to take care of a few security vulnerabilities recently, and as expected, each issue is more tricky than expected :-)
While fixing http://bugs.python.org/issue30500 I noticed that urllib accepts newline characters in URLs. I don't know if it's deliberate or not... So I created a new issue http://bugs.python.org/issue30713
I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in 2.7 on Windows with Visual Studio 2008. And just when I was done, expat 2.2.1 was released. I have to do the same job again :-)
Victor
-- --Guido van Rossum (python.org/~guido)
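As an added illustration of the injection the advisory excerpt describes (directory names in an ftp:// URL reaching the control channel unvalidated) and of Victor's later observation that urllib accepts newline characters in URLs, here is a small Python model. It is example code written for this page, not code from the advisory, from CPython or from any participant in the thread. It mirrors, in simplified form, what urllib's FTP handler did at the time: percent-decode each path component and hand it to the FTP client as a CWD argument, which is then written to the control socket terminated by CRLF. The host name, URL and injected line are constructed for the example. The injected line is a PORT command, the client command a stateful firewall's FTP helper acts on to admit an inbound data connection; the excerpt on this page does not name the command, so that identification is my gloss on its "fool a victim's firewall" wording. `safe_ftp_commands_for_url` shows the check a fix needs: refuse any decoded path component containing CR, LF or NUL before it can become part of a command line.

```python
"""Model of FTP control-channel command injection through an ftp:// URL path.

Constructed example: the functions below imitate the command sequence a naive
URL-fetching client (urllib on top of ftplib, as of the advisory) emits, and a
hardened variant that refuses path components carrying line terminators.
"""
from urllib.parse import urlsplit, unquote

CRLF = "\r\n"


def ftp_commands_for_url(url):
    """Command lines a naive client emits for `url`, in order.

    Each percent-decoded path component becomes 'CWD <dir>' and the last one
    'RETR <file>'; the decoded text is never inspected, so an encoded %0d%0a
    inside a directory name ends up inside a command argument.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp:// URL")
    components = [unquote(p) for p in parts.path.split("/") if p]
    lines = ["USER anonymous", "PASS anonymous@"]
    for directory in components[:-1]:
        lines.append("CWD " + directory)
    if components:
        lines.append("RETR " + components[-1])
    else:
        lines.append("LIST")
    return lines


def control_stream(lines):
    """Bytes as written to the control socket: each line terminated by CRLF."""
    return "".join(line + CRLF for line in lines).encode("latin-1")


def peer_view(stream):
    """What the server, and any firewall FTP helper inspecting the channel,
    parses: the byte stream split on CRLF. An injected CRLF therefore yields
    an extra command that the client never meant to send."""
    return [line.decode("latin-1") for line in stream.split(b"\r\n") if line]


def has_line_breakers(text):
    """True if `text` could terminate or corrupt a control-channel line."""
    return any(ch in text for ch in ("\r", "\n", "\0"))


def safe_ftp_commands_for_url(url):
    """Hardened variant: reject the URL before any command is built."""
    for component in urlsplit(url).path.split("/"):
        if has_line_breakers(unquote(component)):
            raise ValueError(
                "control characters in FTP path component %r" % component)
    return ftp_commands_for_url(url)


def url_is_safe(url):
    """Convenience wrapper returning a bool instead of raising."""
    try:
        safe_ftp_commands_for_url(url)
    except ValueError:
        return False
    return True


# Constructed attacker-supplied URL: a directory name carrying an encoded CRLF
# followed by a PORT command (the address/port bytes are made up for the example).
EVIL_URL = ("ftp://ftp.example.test/pub/"
            "incoming%0d%0aPORT%2010,0,0,2,171,17/readme.txt")
BENIGN_URL = "ftp://ftp.example.test/pub/incoming/readme.txt"

if __name__ == "__main__":
    naive = ftp_commands_for_url(EVIL_URL)
    print("client thinks it sent %d commands" % len(naive))
    for line in peer_view(control_stream(naive)):
        print("  peer parses:", line)
    print("hardened client accepts evil URL:", url_is_safe(EVIL_URL))
    print("hardened client accepts benign URL:", url_is_safe(BENIGN_URL))
```

Run stand-alone, the naive client believes it sent five commands while the peer parses six, the extra one being the injected PORT line; the hardened variant rejects the same URL and still accepts the benign one. The check sits on the decoded component rather than the raw URL because percent-encoding is exactly what lets the CR/LF survive URL parsing.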
participants (9)
- Antoine Pitrou
- Benjamin Peterson
- Christian Heimes
- Guido van Rossum
- Martin Panter
- nospam@curso.re
- Steven D'Aprano
- tritium-list@sdamon.com
- Victor Stinner