Flaw Discovered In Python And Java Is Trending Now.
The two most popular programming language, Java and Python used by more than millions of programmers around the world contain similar security bug Protocol Injection Flaw that can be exploited to send unauthorized emails and bypass any firewall defense.
And the most danger part is the flaws are still unpatched, an attacker can take advantage to develop a malicious attack on networks and infrastructures.
Python and Java are the most used programming language used by programmers, security researchers and infrastructures around the world this flaw can make them open for cyber attack.
The flaw is residing in the way Java and Python programming language handle File Transfer Protocol (FTP) links.
Protocol Injection Flaw, A flaw that doesn’t check the syntax of the username parameter.
In a blog post published, security researcher Alexander Klink demonstrated how the FTP protocol injection vulnerability in Java’s XML eXternal Entity that allows attackers to inject non-FTP malicious commands inside an FTP connection request.
Alexander demonstrated how to send an unauthorized email via SMTP (Simple Mail Transfer Protocol) in an FTP connection attempt successfully, even though the FTP connection fails, as FTP server does support authentication, but never check for the present of carriage returns (CR) or line feeds (LF) in usernames.
Statement — “This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing,” Alexander concluded.
Easily Exploitable Protocol Injection Flaw
The researcher warned that his exploit can be used for man-in-the-middle attack(MIMT) attacks, server-side forgery(SSRF), and XEE and more once the firewall is bypassed, the victim can be attacked even they don’t have Java installed on their personal machine.
All the attacker needs to make a user into accessing malicious Python or Java applications installed on a server to bypass the entire firewall and this can be easily done by social engineering.
Statement — “If a desktop user could be convinced to visit a malicious website while Java is installed, even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP (Java Network Launch Protocol) file,” Morgan said. “These files could contain malicious FTP URLs which trigger this bug.”
Statement — “Also note, that since Java parses JNLP files before presenting the user with any security warnings, the attack can be entirely successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched).”
Java/Python FTP Injections Allow to Bypass Firewall
Two days later, a separate researcher security advisor, security researchers Timonthy Morgan from Blindspot Security came forward with his research, showing how FTP URL handler in both Java and Python can be used to bypass Firewall.
Morgan said FTP protocol injection flaw could be used to trick victim’s firewall into accepting TCP connection from the web to the vulnerable system on its “high ports” (from 1024 to 65535).
Classic mode FTP- an old insecure mechanism of client-server FTP interaction is also supported by many Firewall vendors by default. When the classic FTP mode connection is established somewhat between (1024 and 65535 ), the firewall opens a temporary port and here the security issue.
Using the FTP protocol injection flaw in Java and Python, an attacker who knows the targeted victim internal IP and as an hackers point of view knowing internal IP is not so hard, once the classic FTP mode established, the attacker could use it for malicious purpose.
An attacker can open up a port in the victim firewall with only three requests demonstrated by Morgan:
- Identify the victim’s internal IP address – attacker can send a special crafted “URL”, see how the client behaves, then try another until the attack is successful.”
- Determine packet alignment and ensuring the command injection works, the attacker will able to penetrate into victim machine.
- Exploit the vulnerability.
Each additional request can be used to open up another TCP port
The flaw exists in Python’s urllin2 and urllib libraries,” this injection appears to be limited to attacks via directory names specified in the URL.” According to Morgan.
Protocol Injection Flaw Is Still Unpatched
The flaw was reported to the Python team in January 2016 Oracle in November 2016 by his company, but the bad news is that they aren’t interested in patching the issue.
Morgan has developed a proof-of-concept (PoC) exploit but holding it until Oracle and Python respond to the disclosure and release patches.
The flaw is been tested by Morgan against Palo Alto Networks and Cisco ASA firewalls, Morgan also believes that many other firewalls are also vulnerable to FTP stream injection attacks.
Morgan suggests user uninstall Java from their personal computer and browsers, as well as disable support for “classic mode” FTP on all firewalls. until patched becomes available by the company.