Java and Python have unpatched firewall-crossing FTP SNAFU

Share this…

This gets interesting when you find your way into a mail server, says dev who found it.

Stop us if you’ve heard this one: Java and Python have a bug you can exploit to cross firewalls. Since neither are yet patched, it might be a good day to nag your developers for a bit.

The Java vulnerability means protocol injection through its FTP implementation can fool a firewall into allowing TCP connections from the Internet to hosts on the inside.

That’s explained in rather more detail in two documents: this, by Alexander Klink, and this, by Blindspot Security’s Timothy Morgan.

Klink’s discovery was that Java’s XML eXternal Entity (XEE) mishandles FTP connections, because it doesn’t syntax-check the username Java passes to a server.

Specifically, cr and lf should be rejected but aren’t, allowing non-FTP commands to be injected into a connection request. Klink’s demonstration showed how to send an SMTP e-mail in an FTP connection attempt (even though the FTP connection failed).

EHLO a<CR><LF>

MAIL FROM:<a@example.org><CR><LF>

RCPT TO:<alech@alech.de><CR><LF>

DATA<CR><LF>

From: a@example.org<LF>

To: alech@alech.de<LF>

Subject: test<LF>

<LF>

test!<LF><CR><LF>

.<CR><LF>

QUIT<CR><LF>

It gets worse

Klink concluded that “this attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing.”

Morgan’s contribution was the realisation that the same behaviour can get an attacker through a firewall on its high ports (from 1024 to 65535), in a multi-stage process:

  1. Get an internal IP address – this, Morgan says, is easy: “send a URL, see how the client behaves, then try another until the attack is successful”; and
  2. Packet alignment – this is the “secret sauce” that makes the attack work. FTP is synchronous, meaning each side waits for a response to each individual line they send. If you get this wrong, the attack fails.

Morgan says he’s holding back publication of a proof-of-concept script until Oracle (and Python’s developers – more on this below) respond to the disclosure.

However, he envisages his exploit can be used for MITM attacks, server-side request forgery, an XEE attack and more – and once past the firewall, desktop hosts can be attacked even if they don’t have Java installed.

Python, he writes, is similarly vulnerable through its urllib and urllib2 libraries, however “this injection appears to be limited to attacks via directory names specified in the URL”.

By way of mitigation, Morgan suggests disabling Java on desktops and in browsers; and disabling “classic mode” FTP on all firewalls.

Source:https://www.theregister.co.uk/