Author vstinner
Recipients vstinner
Date 2017-11-20.14:15:17
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1511187317.56.0.213398074469.issue32085@psf.upfronthosting.co.za>
In-reply-to
Content
Vulnerabilities described below are likely these ones reported in bpo-30500, but it would be nice to double check if *all* reported vulnerabilities have been fixed!
http://python-security.readthedocs.io/vuln/bpo-30500_urllib_connects_to_a_wrong_host.html

--

At July 27, 2017, Orange Tsai (Security Consultant, DEVCORE) reported vulnerabilities in Python, in the code parsing URLs.

Conference: https://www.blackhat.com/us-17/briefings/schedule/#a-new-era-of-ssrf---exploiting-url-parser-in-trending-programming-languages-6292
Slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

His following blog post only contains the vulnerabilities in Python:
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

Note: His twitter account, https://twitter.com/orange_8361


== Issue 1 ==

* CR-LF Injection on HTTP protocol
* Smuggling SMTP protocol over HTTP protocol


http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM
>> GET /
<< 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1]
>> HELO orange.tw
Connection closed

=> "SMTP Hates HTTP Protocol It Seems Unexploitable"

"Gopher Is Good What If There Is No Gopher Support?"

"HTTPS What Won't Be Encrypted in a SSL Handshake?"


== Issue 2 ==

* HTTPS: What Won't Be Encrypted in a SSL Handshake?
* Exploit the Unexploitable - Smuggling SMTP over TLS SNI

https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM...:25/
(...)
>< HELO orange.tw
<< 250 ubuntu Hello localhost [127.0.0.1], please meet you
>> MAIL FROM: <admin@orange.tw>
<< 250 2.1.0 <admin@orange.tw>... Sender ok


== Big Picture ==

Python vulnerable to:

* Python httplib:

  * CR-LF Injection: Path, Host and SNI

* Python urllib: 

  * CR-LF Injection: Host and SNI
  * Host Injection

* Python urllib2

  * CR-LF Injection: Host and SNI
History
Date User Action Args
2017-11-20 14:15:17vstinnersetrecipients: + vstinner
2017-11-20 14:15:17vstinnersetmessageid: <1511187317.56.0.213398074469.issue32085@psf.upfronthosting.co.za>
2017-11-20 14:15:17vstinnerlinkissue32085 messages
2017-11-20 14:15:17vstinnercreate