Researchers have reported the existence of bugs in Java and Python which allows attackers to circumvent firewall defenses.
In two separate security advisories over the past week, researchers Alexander Klink and Blindspot Security's Timothy Morgan say the main vulnerability has occurred because Java does not verify the syntax of user names in its FTP protocol.
The connection to FTP servers does support authentication, but Java's XML eXternal Entity (XEE) does not check for the present of carriage returns (CR) or line feeds (LF) in usernames.
This, in turn, grants attackers the opportunity to terminate 'user' or 'pass' commands and inject new commands into the FTP session -- alongside arbitrary SMTP commands, as well as connecting remotely to servers to send unauthorized email.
"This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing," Klink says. "It even allows for sending attachments, since the URL length seems to be unrestricted and only limited by available RAM (parsing a 400MB long URL did take more than 32 GBs of RAM for some reason, though."
The vulnerability can also be exploited to parse malicious JNLP files, conduct man-in-the-middle (MiTM) attacks, or Server-Side Request Forgery (SSRF) campaigns.
According to Morgan, the Java bug, also known as an FTP protocol injection flaw, "allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535)."
In the case of Java, the attack can be carried out against desktop PC users -- even if they do not have the Java browser plugin enabled.
The researcher also says a "nearly identical" bug also exists in Python's urllib2 and urllib libraries. However, while the Java security flaw is not limited to attacks based on directory names listed in malicious URLs, the Python bug does appear to be limited in this manner.
Morgan says that vendors have so far failed to patch the bug, despite Python's security team being informed in January 2016 and Oracle's team being notified in November 2016.
The researcher recommends that both enterprise players and the general public should disable classic mode FTP by default and says that applications should be audited to ascertain whether or not they are vulnerable to these attacks.