Newly disclosed FTP injection vulnerabilities in Java and Python that are fueled by rather common XML External Entity (XXE) flaws carry the potential to expose sensitive systems to attack.
Details about both issues were publicly disclosed this week, but private notifications were made to the Python security team and Oracle in January and November 2016 respectively. Neither vendor has patched the flaws, though the Python team confirmed the bug, while Oracle has told one of the researchers involved that it is working on a fix. The next Oracle Critical Patch Update is scheduled for April 18.
German researcher Alexander Klink found a vulnerability in Java’s FTP URL handling code that allows protocol stream injection. This flaw could be used to leverage an existing XXE or server side request forgery (SSRF) vulnerability to send unauthorized email from Java applications over SMTP.
Researcher Timothy Morgan built on Klink’s findings and found that he could leverage the XXE bugs to trick the firewall into allowing TCP connections.
“So in the specific case where a database is deployed on the application server, one XXE bug could get you credentials to the database and then direct access to that service, leading to complete compromise the application,” Morgan told Threatpost.
“If the database isn’t running on the same host, that attack wouldn’t work, but often other sensitive things are running on application servers, such as internal Redis caches, memcached caches, RabbitMQ data queues, Tomcat administrative interfaces, and so on,” Morgan said. “In a variety of specific cases, exposure of those services along with XXE would be a huge risk for an application’s integrity overall.”
Klink wrote in a report published last Saturday that he discovered how to force a Java client to start a FTP connection and abuse its lack of input validation around its support of usernames and passwords in FTP URLs. The FTP spec deems that usernames accept ASCII characters except for carriage returns and line feeds, however, implementations do not check for the presence of either command. Klink said that he was able to terminate the USER or PASS command and inject a new command into the FTP session. By doing so, there was an interesting consequence: since the protocols are structurally similar, he was able to leverage SMTP instead of FTP.
“So, if we send a USER command to a mail server instead of a FTP server, it will answer with an error code (since USER is not a valid SMTP command), but let us continue with our session,” Klink said. “Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.”
Morgan, meanwhile, found something potentially worse where an FTP protocol injection allows an attacker to trick the victim’s firewall into allowing TCP connections from the Internet to the host system on any port between 1024 and 65535. He said a vulnerability nearly identical to that one in Java also exists in Python’s urllib2 and urllib libraries.
“It is a tricky bug to estimate risk on because there are so many different ways to trigger it. Each of those ways doesn’t impact a large number of users, but they add up,” Morgan said. “It is important for those impacted to understand the risk in the context of their own networks and applications. The synergy between different technical tricks in the XXE/SSRF realm is really where the power of these attacks comes from. Each little trick seems small in impact, but when you combine them, very bad things happen.”
Morgan published a report on the vulnerabilities this week that describes a number of attack scenarios that would allow an attacker to bypass firewall settings and attack underlying systems. His attacks exploit the same lack of carriage return and line feed filtering to inject malicious, and can be pulled off, for example, by causing Java Web Start to parse JNLP files containing malicious FTP URLs and trigger the vulnerability. Morgan said this attack can happen if a desktop user visits a malicious site if Java is installed, even if Java applets are disabled.
“In the case of desktop users, a huge number of users are likely impacted by the Java Web Start attack scenario. The attack scenario is that a user is lured to a web page which pushes a .jnlp file on them. (Some browsers may provide a minimal warning about Java Web Start being launched, but this varies by browser and I haven’t tested them all.),” Morgan said. “Once Java Web Start runs, it immediately triggers the communications that open up TCP ports back to the user’s desktop (without any additional security warning). Are there any services on your desktop’s TCP ports 1024-65535 that you really don’t want an attacker to have access to? The risk of this varies widely depending on OS and patch levels.”
Morgan describes other attacks using XXE, SSRF, or man-in-the-middle attacks, all of which allow an attacker to inject code into the stream.
Morgan said this would not be a difficult vulnerability to patch.
“My reading of the FTP specification indicates there is no way to provide a file or directory name that includes literal newline characters (despite these characters being allowed in UNIX filesystems). So it makes sense to simply reject them,” Morgan said. “That is, after Python and Java decode the FTP URL, they should perform a simple input validation step to ensure no unsupported characters (“\r\n\0″ and any others) exist, and the throw an exception if they do appear.”