the stream

ftp protocol stream injection with Java and Python URL handling code

Alexander Bochmann Sunday 26 of February, 2017
Abusing FTP protocol inspection on firewalls to make them open arbitrary ports is an old game (and you should really disable that for "active" ftp data channel negotiation), but here's a new combination of attack vectors:

It's possible to create ftp:// URLs that contain additional FTP commands, which then get picked up by protocol inspection (Linux conntrack for example, but other implementations seem to use similar heuristics) to create inbound port forwardings. Java and Python protocol handlers don't sanitize input to remove such command injections, so if you find a setup suspectible to SSRF or XXE vulnerabilities, it might be possible to inject appropriately manipulated URLs.

Full writeup here: Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass .

(Via Oluf Lorenzen on G+.)