Unpatched Java, Python Flaws Allow FTP Protocol Injection

• By John K. Waters
• February 22, 2017

Old vulnerabilities in both Java and Python that allow attackers to bypass firewalls and access local networks by injecting malicious commands inside FTP URLs resurfaced this week when two security researchers noticed that they remain unpatched.

Alexander Klink wrote about the Java bug in a blog post, in which he explained how the flaw could be used to send unauthorized e-mails from Java applications via the SMTP protocol, using Java's FTP handler to fool a firewall into allowing TCP connection from the Internet. This Java XML External Entity (XXE) attack works because the handler doesn't verify the syntax of the user name.

"The actual connection to the FTP server is implemented in sun.net.ftp.impl.FtpClient," Klink wrote. "It supports authentication, so we can put usernames and passwords in the URL such as in ftp://user:password@host:port/file.ext and the FTP client will send the corresponding USER command in the connection .... Guess what the JRE implementers forgot? Exactly -- to check for the presence of <CR> and <LF>. This means that if we put %0D%0A anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session."

The vulnerability allows an attacker to "speak SMTP instead of FTP" and send a USER command to a mail server instead of an FTP server. This means the attacker can send arbitrary SMTP commands, which allows him/her to send e-mails. The FTP connection fails, but the mail is already sent, Klink explained.

"This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing," he wrote.

Timothy Morgan cited Klink's report on the Java vulnerability on his Blindspot blog a few days later, and detailed a nearly identical vulnerability in Python's built-in URL-fetching libraries (urllib2 in Python 2 and urllib in Python 3).

The Python vulnerability appears to be limited to attacks via directory names specified in the URL, Morgan explained, but the Java is vulnerable to the FTP protocol injection via multiple fields in the URL. The username and any directory specified in the URL can allow the injection. "In the case of Java," Morgan added, "this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled" (italics his).

Morgan offered four attack scenarios, the most "startling" of which is one that could be delivered through a Java Web Start application.

"If a desktop user could be convinced to visit a malicious website while Java is installed," he explained, "even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP file. These files could contain malicious FTP URLs which trigger this bug. A clever attacker could weaponize the exploit to identify the victim's internal IP address, determine the appropriate packet alignment, and then exploit the bug all in one shot. A clever implementation could even open many ports at once using a single JNLP file. Also note, that since Java parses JNLP files before presenting the user with any security warnings, the attack can be fully successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched)."

The vulnerability could also figure in a man-in-the-middle attack, server-side request forgery (SSRF), and the XXE attack, he said.

Morgan also said that he has developed an exploit script for this attack, but won't release it until Oracle and Python developers have corrected their FTP client code.

This FTP protocol injection vulnerability was first reported by Russian security lab ONsec back in 2014.