A vulnerability in the Java and Python runtimes, which fail to validate FTP URLs, lets attackers bypass any firewall on a system by leveraging an existing XXE (XML External Entity) or SSRF (Server Side Request Forgery) vulnerability.
First discovered by security researcher Alexander Klink, the issue within the FTP URL handling code allows attackers to send unauthorised emails from Java applications via the SMTP protocol. “This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing,” Klink writes in a blog post.
The security researcher showed that the XXE vulnerability can trick an application into parsing a malicious XML file that discloses information such as stored files, directory listings or the number of processes running on a particular server. Similarly, attackers can make the application open an FTP connection to a remote server by supplying an FTP URL of the form ftp://user:password@host:port/file.ext.
Although a mail server that receives the FTP USER command instead of SMTP commands answers with an error code, Klink found that the connection is not closed, so an attacker can keep using the existing session.
Building on Klink's research, Timothy Morgan, a researcher with Blindspot Security, found a similar issue in Python. Morgan considers his finding limited to attacks via directory names in the URL.
“Python’s built-in URL fetching library (urllib2 in Python 2 and urllib in Python 3) is vulnerable to a nearly identical protocol stream injection, but this injection appears to be limited to attacks via directory names specified in the URL,” Morgan writes in a separate blog post.
There are multiple attack scenarios that could compromise data through a Java application. Morgan highlights that attackers can have the application parse a JNLP file, or use a man-in-the-middle attack through an HTTP redirect. An SSRF or XXE vulnerability could likewise serve as the entry point.
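The injection described above works because a CR/LF inside a URL component ends the current FTP command line, so whatever follows is sent as further commands. The following is an added example, not code from either researcher's post: an input check an application can run before handing a URL to urllib, rejecting FTP URLs whose username, password or path contain control characters after percent-decoding. The function name and the choice to allow only port 21 are assumptions of this example.

```python
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Characters that would terminate an FTP command line and let the rest of a
# URL component be sent to the server as additional commands.
_CONTROL_CHARS = ("\r", "\n", "\x00")

# Assumption: only the standard FTP control port is acceptable, so a URL
# pointing the client at a mail server (port 25) or similar is refused.
_ALLOWED_PORTS = {21}


def ftp_url_problems(url: str) -> List[str]:
    """Return the reasons an FTP URL should be rejected (empty list = acceptable)."""
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        problems.append(f"scheme {parts.scheme!r} is not ftp")
        return problems
    if not parts.hostname:
        problems.append("missing host")
    try:
        port = parts.port
    except ValueError:
        problems.append("port is not numeric")
        port = None
    if port is not None and port not in _ALLOWED_PORTS:
        problems.append(f"non-standard port {port}")
    # The FTP client percent-decodes these fields before sending them, so the
    # check must look at the decoded value, not only at the raw URL text.
    fields: Dict[str, str] = {
        "username": parts.username or "",
        "password": parts.password or "",
        "path": parts.path,
    }
    for name, value in fields.items():
        if any(c in unquote(value) for c in _CONTROL_CHARS):
            problems.append(f"{name} contains a control character after decoding")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs: one benign, two carrying an encoded CR/LF.
    for sample in (
        "ftp://anonymous:guest@files.example.org/pub/file.ext",
        "ftp://files.example.org/pub%0d%0aNOOP/file.ext",
        "ftp://user%0d%0aNOOP:pw@files.example.org:25/file.ext",
    ):
        print(sample, "->", ftp_url_problems(sample) or "ok")
```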
Unpatched loopholes
Morgan confirmed that the issues in the Java and Python runtimes have not yet been patched by the respective vendors. Until they are, you can protect your data by disabling classic (active) mode FTP on all firewalls and allowing only passive mode. You can also uninstall Java from desktop systems, or at least disable the Java browser plugin and remove the association between the .jnlp file extension and Java Web Start, so that a malicious JNLP file cannot be launched.