Security Experts:

Unpatched Flaws in Python, Java Allow Firewall Bypass

Unpatched vulnerabilities related to how Java and Python handle file transfer protocol (FTP) URLs can be exploited for various purposes, including for sending unauthorized emails and bypassing firewalls, researchers warned.

In a blog post published over the weekend, Alexander Klink showed how XML external entity (XXE) and server-side request forgery (SSRF) vulnerabilities can be exploited to send emails via SMTP (Simple Mail Transfer Protocol) commands using specially crafted FTP URLs.

Klink’s attack method relies on Java XML parsers and the expert believes it can be particularly useful for scenarios where the attacker has access to an internal mail server from the system that does the XML parsing. The researcher showed how a specially crafted FTP URL can be used to send emails, including ones with attachments.

However, according to Blindspot Security’s Timothy Morgan, the attack method can be used for more than just sending emails. Furthermore, in addition to Java’s FTP URL handling code, a similar vulnerability affects Python’s urllib and urllib2 libraries.

After seeing Klink’s blog post, Morgan also published an advisory describing his findings. He pointed out that such FTP injections can be used to trick a firewall into accepting TCP connections from the Web to the vulnerable system on a specified port.

When a classic mode FTP connection is initiated, the firewall needs to temporarily open a port – typically between 1024 and 65535 – specified in the PORT command. This has been known to introduce security risks for well over a decade, but many firewall vendors still support classic mode FTP by default.

Using the vulnerability, an attacker who knows the targeted host’s internal IP address can inject a malicious PORT command into the stream and open an arbitrary port. The challenge is to determine the victim’s IP address and ensure that the PORT command is sent at the beginning of a packet.

Morgan has determined that an attacker can open up one port in the targeted firewall with only three requests: one to identify the victim’s internal IP, one to determine packet alignment and ensure that the PORT command is injected at the right moment, and one to actually exploit the vulnerability. Each additional request can be used to open up another TCP port.

There are several methods that can be used to exploit the flaw, including via man-in-the-middle (MitM), SSRF and XXE attacks. The most “startling” attack scenario, according to Morgan, involves JNLP (Java Network Launch Protocol) files.

“If a desktop user could be convinced to visit a malicious website while Java is installed, even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP file. These files could contain malicious FTP URLs which trigger this bug,” Morgan explained. “Also note, that since Java parses JNLP files before presenting the user with any security warnings, the attack can be fully successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched).”

Python developers were notified about the issue more than one year ago, and Oracle was provided the details of the attack method in November. However, the issue still hasn’t been addressed in either Java or Python.

Morgan has developed a proof-of-concept (PoC) exploit, but it will only be made public after Oracle and Python release patches.

The method has been tested against Palo Alto Networks and Cisco ASA firewalls, but experts believe many commercial firewalls are vulnerable to FTP stream injection attacks.

Until patches become available, attacks can be prevented by uninstalling Java and by disabling classic mode FTP in firewalls.

Related: Oracle Patches 270 Vulnerabilities Across Product Portfolio

Related: Flaw in Schneider Industrial Firewalls Allows Remote Code Execution

Related: Firewall Vendors Analyze Exploits Leaked by "Shadow Brokers"

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.