Flaws in Java and Python allow attackers to bypass any firewall defenses, researchers said.
Two different researchers, Alexander Klink and Timothy Morgan of Blindspot Security, described a vulnerability they said arises because Java does not verify the syntax of user names in its FTP protocol implementation.
Although Java's FTP client can authenticate to servers, its XML eXternal Entity (XXE) handling does not check for the presence of carriage returns or line feeds in usernames, which poses a security threat.
Attackers can terminate the "USER" or "PASS" commands early, inject new commands into the FTP session and connect remotely to servers to send unauthorized email.
“FTP protocol injection allows one to fool a victim’s firewall into allowing TCP connections from the Internet to the vulnerable host’s system on any “high” port (1024-65535). A nearly identical vulnerability exists in Python’s urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled,” Morgan said in a blog post.
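The root cause described above is that the userinfo part of an ftp:// URL is copied straight into the USER and PASS commands, and FTP commands end at CR LF. The following Python is an added, illustrative example (not code from Morgan's post or from either vendor's fix) that renders the commands the way a naive client would, shows how a CR/LF in a username splits one command into several, and rejects such credentials before they reach the control channel. Host names and credentials are constructed sample values.

```python
"""Detecting FTP protocol injection in URL credentials (added example)."""
from urllib.parse import urlsplit, unquote

CRLF = "\r\n"


def split_commands(username, password):
    """Render USER/PASS exactly as a naive client would and return the
    commands a server would actually see (one per CR LF)."""
    wire = f"USER {username}{CRLF}PASS {password}{CRLF}"
    return [line for line in wire.split(CRLF) if line]


def credentials_are_safe(username, password):
    """Reject any CR or LF: many servers accept a bare LF as a terminator,
    so checking for the full CR LF pair alone is not enough."""
    return not any(ch in username or ch in password for ch in "\r\n")


def validate_ftp_url(url):
    """Parse an ftp:// URL and return (host, user, password), raising
    ValueError when the decoded credentials could inject commands."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        raise ValueError("not an ftp:// URL")
    # urlsplit leaves percent-encoding in place; decode before checking,
    # because %0D%0A becomes CR LF on the wire.
    user = unquote(parts.username) if parts.username is not None else "anonymous"
    pw = unquote(parts.password) if parts.password is not None else ""
    if not credentials_are_safe(user, pw):
        raise ValueError("CR/LF in FTP credentials: possible protocol injection")
    return parts.hostname, user, pw


if __name__ == "__main__":
    # Constructed sample URLs: a benign one and one with CR LF in the user name.
    good = "ftp://alice:secret@ftp.example.test/pub/file.txt"
    bad = "ftp://alice%0D%0ANOOP:secret@ftp.example.test/pub/file.txt"
    print(validate_ftp_url(good))
    print(split_commands("alice\r\nNOOP", "secret"))  # three commands, not two
    try:
        validate_ftp_url(bad)
    except ValueError as exc:
        print("rejected:", exc)
```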
As of Monday, the vendors had not patched the vulnerabilities.
The vulnerability can be exploited in several ways, including through parsing of malicious JNLP files, man-in-the-middle attacks or server-side request forgery (SSRF) campaigns.
The vendors have yet to patch the bug, even though the security teams of both companies were notified. Python learned of the issues in January 2016, while Oracle was informed this past November.
As for recommendations for the general public, Morgan said:
• Consider uninstalling Java from all desktop systems. If this is not possible due to legacy application requirements, disable the Java browser plugin from all browsers and disassociate the .jnlp file extension from the Java Web Start binary.
• Consider requesting an update to fix these issues from Oracle and the Python Software Foundation. Be sure to apply security updates to all versions of Java and Python, including those running on application servers and appliances.
• Disable classic mode FTP in all firewalls, allowing only passive mode.