Burp Suite User Forum


Burp Collaborator STARTTLS Plaintext Command Injection

Hannes | Last updated: Nov 03, 2020 04:29PM UTC

The following issue is being found by the Nessus vulnerability scanner when the Burp Collaborator server is scanned: https://www.tenable.com/plugins/nessus/52611

I was also able to verify this using a self-compiled openssl version as described here: https://www.securityfocus.com/archive/1/516901/30/0/threaded

Will this be addressed?

Uthman, PortSwigger Agent | Last updated: Nov 04, 2020 10:58AM UTC

Hi Hannes,

I have just discussed this with our security research team. Please take a look at the reply below:

The Collaborator server runs a fake email server with minimal command support and a very simple state machine. This means that most classic mail server vulnerabilities don't apply to it. In this case, Nessus/openssl correctly identify that we process commands after the STARTTLS command, but there's no security impact, as no useful commands are supported.

It was formerly possible to inject a plaintext Collaborator ID and use that to steal Collaborator interactions via an MITM. This was disclosed to us privately via our bug bounty program and patched in the following release: https://portswigger.net/burp/releases/professional-community-2020-9-2

We may issue an update in the future just to prevent Nessus' false positive.
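For readers unfamiliar with the bug class Nessus plugin 52611 reports, the following is an added toy model of it. It is not code from this thread, from Burp Collaborator or from PortSwigger; the command set, reply strings and the constructed probe bytes are assumptions for illustration. The probe pipelines a plaintext command after STARTTLS in the same socket read. A server that keeps its read buffer across the TLS handshake executes that command as if it had arrived inside the encrypted session (the "injected" list), which is what lets an on-path attacker smuggle plaintext into a session the client believes is protected. The patched variant discards whatever was buffered before TLS was negotiated, as RFC 3207 requires.

```python
# Toy model of STARTTLS plaintext command injection (the class behind Nessus
# plugin 52611). Constructed example for this thread, not Collaborator code;
# the verbs, replies and probe bytes below are assumptions.

from dataclasses import dataclass, field


@dataclass
class ToyStarttlsServer:
    """SMTP-like state machine whose read buffer may survive STARTTLS."""
    discard_buffer_on_starttls: bool           # True models the fixed behaviour
    tls_active: bool = False
    buf: bytes = b""
    # (arrived_in_tls, executed_in_tls, verb) for every command dispatched
    executed: list = field(default_factory=list)

    def receive(self, data: bytes) -> list[str]:
        """Model one socket read; return the replies the server would send."""
        arrived_in_tls = self.tls_active       # origin of every byte in this read
        self.buf += data
        replies = []
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            verb = line.decode("ascii", "replace").split(" ", 1)[0].upper()
            replies.append(self._dispatch(verb, arrived_in_tls))
        return replies

    def _dispatch(self, verb: str, arrived_in_tls: bool) -> str:
        self.executed.append((arrived_in_tls, self.tls_active, verb))
        if verb == "STARTTLS":
            if self.tls_active:
                return "503 TLS already active"
            self.tls_active = True             # the real handshake happens here
            if self.discard_buffer_on_starttls:
                self.buf = b""                 # forget everything read in plaintext
            return "220 Ready to start TLS"
        if verb in ("EHLO", "HELO", "NOOP", "RSET"):
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


def injected_commands(server: ToyStarttlsServer) -> list[str]:
    """Commands run inside the TLS session although they arrived in plaintext."""
    return [verb for arrived, executed, verb in server.executed
            if executed and not arrived]


# Constructed probe: STARTTLS and a follow-on command in one TCP segment.
PROBE = b"EHLO probe.example\r\nSTARTTLS\r\nNOOP\r\n"


def run_probe(patched: bool) -> tuple[list[str], list[str]]:
    """Drive one server with the probe; return (replies, injected commands)."""
    srv = ToyStarttlsServer(discard_buffer_on_starttls=patched)
    replies = srv.receive(PROBE)
    replies += srv.receive(b"QUIT\r\n")        # this command genuinely arrives over TLS
    return replies, injected_commands(srv)


if __name__ == "__main__":
    for patched in (False, True):
        replies, injected = run_probe(patched)
        print("patched" if patched else "vulnerable", replies, "injected:", injected)
```

Whether the injected command matters depends entirely on what the server does with it, which is the point of the reply above: on a server with a real command set it can carry an attacker-chosen identifier or credential into the encrypted session, whereas on a state machine that supports nothing useful it is only the scanner's trigger condition that is met.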

Uthman, PortSwigger Agent | Last updated: Nov 05, 2020 10:00AM UTC

There is further information in this report: https://hackerone.com/reports/953219.
