Both Java and Python contain similar security flaws that allow an attacker to bypass firewalls by injecting malicious commands inside FTP URLs.
The problems arise from the way Java and Python (through the urllib2 library in Python 2 and urllib library in Python 3) handle FTP links, which allow the attacker to inject newline (CRLF) characters inside the URL, making the Java and Python code think some parts of the URL are new commands. This leads to a flaw that security researchers call "protocol injection."
The FTP protocol injection issue was first detailed by Russian security lab ONsec in 2014, but never got the public attention it needed. Two recent reports have raised the profile of this flaw, describing two new exploitation scenarios.
Security researcher Alexander Klink detailed on his blog how the FTP protocol injection flaw could be used to send emails using Java's FTP URL handler.
Two days later, Timothy Morgan of Blindspot Security came forward and presented a more ominious exploitation scenario where the FTP URL handlers in Java and Python could be used to bypass firewalls.
Morgan also revealed that his company informed both the Python team (in January 2016) and Oracle (in November 2016) about the FTP protocol injection flaw, but neither have issued updates to address the reported problem.
At the heart of the FTP protocol injection attack resides an older issue in the FTP protocol itself, which is classic mode FTP.
The classic mode FTP is an older mechanism that governs how FTP clients and servers interact, which was proved to be insecure in issue #60 of the Phrack hacking magazine and later detailed in more depth by Florian Weimer.
Classic mode FTP has been replaced by a more secure method of client-server FTP interactions known as passive mode FTP. Nevertheless, most firewall products support classic mode FTP connections.
The FTP protocol injection issue in Java and Python can be leveraged to start a classic mode FTP connection, whitelisted by most firewalls, which attackers can use for nefarious purposes.
According to Morgan, the entire firewall bypass attack relies on convincing users to access a malicious Java or Python applications installed on a server.
For Java attacks, users must have Java installed locally, but the attack will work even if Java applets are disabled in the user's browser. This is because the Java client will read JNLP (Java Network Launch Protocol) files before doing anything else.
"Java parses JNLP files before presenting the user with any security warnings," Morgan explains. "[T]he attack can be fully successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched)."
The attacker only needs to put a malicious FTP URL inside a JNLP file sent to users when they access a Java web app. Multiple FTP URLs can be placed inside a JNLP file, allowing the attacker to execute multiple or staged attacks.
Morgan says he successfully tested attacks against Linux-based firewalls, including commercial products sold by Cisco and Palo Alto Networks. He suspects that many other firewall products that work on a Linux derivate OS might be vulnerable as well.
Morgon said he'll release proof-of-concept code so sysadmins can test firewalls after Oracle and Python fix the reported problems.
The researcher has published a series of recommendations on how to handle this issue until Oracle and the Python team fix their problems: