Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

February 21, 2017

This newly discovered bugs in Java and Python is a big deal today.

The two popular programming languages, Java and Python, contain similar security flaws that can be exploited to send unauthorized emails and bypass any firewall defenses.

And since both the flaws remain unpatched, hackers can take advantage to design potential cyber attack operations against critical networks and infrastructures.

The unpatched flaws actually reside in the way Java and Python programming languages handle File Transfer Protocol (FTP) links, where they don’t syntax-check the username parameter, which leads to, what researchers call, protocol injection flaw.

In a blog post published over the past week, security researcher Alexander Klink detailed the FTP protocol injection vulnerability in Java’s XML eXternal Entity (XXE) that allows attackers to inject non-FTP malicious commands inside an FTP connection request.

To demonstrate the attack, Alexander showed how to send an unauthorized email via SMTP (Simple Mail Transfer Protocol) in an FTP connection attempt, even though the FTP connection failed, as FTP servers does support authentication, but doesn’t check for the present of carriage returns (CR) or line feeds (LF) in usernames.

“This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing,” Alexander concluded.

Java/Python FTP Injections Allow to Bypass Firewall

However, two days later in a separate security advisory, security researcher Timothy Morgan from Blindspot Security came forward with his findings, showing more threatening exploitation scenario where the FTP URL handlers in both Java and Python can be used to bypass firewalls.

Morgan said such FTP protocol injection flaw could be used to trick a victim’s firewall into accepting TCP connections from the web to the vulnerable host’s system on its “high” ports (from 1024 to 65535).

Besides the FTP protocol injection attack, there’s reside a decade old security issue in FTP protocol called classic mode FTP – an insecure mechanism of client-server FTP interactions, but many firewall vendors still support it by default.

When a classic mode FTP connection is initiated, the firewall temporarily opens a port – typically between 1024 and 65535 – specified in the PORT command, which introduces security risks.

Read full story…