Security researcher Alexander Klink has disclosed how attackers can abuse an XML External Entity (XXE) vulnerability in a Java application to obtain sensitive information such as files, server process details or directory listings.
It works like this: a crafted XML file is fed to the application's XML parser, which is tricked into giving up sensitive data, and from there the attacker gains a foothold on the local network. One variant of the approach tricks the Java runtime into opening an FTP connection to a remote server.
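The parser-side fix for the XXE entry point described above is to refuse a DOCTYPE, and with it any external entity, before the parser can open a file:// or ftp:// URL on the attacker's behalf. The following is an added example and not code from the article or from the researchers it cites; the class name, the two embedded sample documents (one benign, one carrying an external entity that points at a placeholder path) and the use of the JDK's built-in DOM parser are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (hypothetical class, not from the article): a DocumentBuilderFactory
 * configured so that a DOCTYPE declaration, and therefore every external entity,
 * is rejected before the parser could fetch a file:// or ftp:// URL.
 */
public final class SafeXmlParser {

    /** Constructed sample in the shape of an XXE document; the path is a placeholder. */
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\"> ]>\n"
      + "<doc>&ext;</doc>";

    /** Constructed benign sample that must still parse. */
    static final String SAMPLE_BENIGN = "<doc><item>hello</item></doc>";

    /** Builds a parser with the XXE-relevant features switched off. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: forbid DOCTYPE declarations entirely (Xerces feature name,
        // supported by the JDK's built-in parser).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty string means no external protocol is allowed
        // for DTDs or schemas, so even a permitted DOCTYPE could not reach the network.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parses the document, throwing SAXException if it carries a DOCTYPE. */
    static Document parse(String xml) throws Exception {
        try (ByteArrayInputStream in =
                 new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            return hardenedBuilder().parse(in);
        }
    }

    public static void main(String[] args) throws Exception {
        Document ok = parse(SAMPLE_BENIGN);
        System.out.println("benign document parsed, root element: "
            + ok.getDocumentElement().getTagName());
        try {
            parse(SAMPLE_WITH_EXTERNAL_ENTITY);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected path: the parser refuses the DOCTYPE and never touches the URL.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The first feature alone stops the attack on the JDK parser; the remaining settings matter when the application is wired to a different parser that does not honour it. If `setAttribute` throws `IllegalArgumentException`, the parser in use predates JAXP 1.5 and the feature-based settings are the only ones in effect.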
This is possible because Java's FTP client does not filter out carriage return and line feed characters. If those characters are placed in the user name or password of an FTP URL, the Java FTP client will send attacker-chosen commands, and it can even be pointed at a Simple Mail Transfer Protocol server. As a result, attackers can send emails through a Java application to the SMTP server.
If attackers manage to reach an internal mail server, the consequences may be serious.
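Application code cannot patch the JDK, but it can refuse to hand a URL to any client when a percent-encoded CR or LF would be decoded into a new protocol line. The check below is an added example, not code from the article or the researchers it cites; the class name, the scheme allow-list (which deliberately omits ftp) and the three sample URLs are constructed for the demonstration, and the rejection strings are placeholders for whatever the application would log.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical class, not from the article): a pre-flight check for
 * user-supplied URLs that rejects anything the Java FTP client would turn into
 * extra protocol lines. Assumes the application only ever needs http and https.
 */
public final class UrlGuard {

    /** Schemes the application actually uses; ftp is deliberately absent. */
    static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns null if the URL is acceptable, otherwise the reason for rejection. */
    static String reject(String candidate) {
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            // java.net.URI already refuses literal CR/LF; only encoded ones get past it.
            return "unparseable URI";
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return "scheme not allowed: " + scheme;
        }
        // Inspect every component a client may echo into the protocol stream, after
        // percent-decoding, because %0D%0A is exactly what the FTP client decoded and sent.
        String[] parts = { uri.getRawUserInfo(), uri.getRawPath(), uri.getRawQuery() };
        for (String part : parts) {
            if (part == null) {
                continue;
            }
            // URLDecoder also maps '+' to a space, which is harmless for this check.
            String decoded = URLDecoder.decode(part, StandardCharsets.UTF_8);
            for (int i = 0; i < decoded.length(); i++) {
                char c = decoded.charAt(i);
                if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) {
                    return "control character in URL component after decoding";
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples: one clean URL, one with a disallowed scheme, one with
        // an encoded CRLF in the user-info component of an otherwise allowed scheme.
        String[] samples = {
            "https://files.example/report.pdf",
            "ftp://user%0D%0Ainjected:pass@internal.example/x",
            "https://user%0D%0Ainjected:pass@files.example/report.pdf",
        };
        for (String s : samples) {
            String why = reject(s);
            System.out.println((why == null ? "ACCEPT " : "REJECT ") + s
                + (why == null ? "" : "  (" + why + ")"));
        }
    }
}
```

Run as written, the first sample is accepted, the second is rejected on its scheme and the third on the decoded control characters. The scheme allow-list does most of the work: the FTP client is never reached if the application never lets an ftp:// URL through, and the decoding check is what protects the schemes that are allowed.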
Timothy Morgan, a researcher with Blindspot Security, took the experiment further and managed to attack both the Java and the Python FTP implementations. When CRLF filtering is absent, the attacker can inject bogus FTP commands through malformed URLs and reach the data he is after: a TCP port is opened to a remote server through the FTP data channel.
This is especially true for Linux-based SPI firewalls, which automatically open a connection between a TCP port and the FTP server whenever they see a PORT command, regardless of who sent it or when. On the one hand, developers have known about this issue for a long time, and the Linux tool set has been given an additional protection that double-checks every command to ensure it really comes from the client.
On the other hand, that leaves the attacker with two manageable problems. He has to find out the internal IP address (so that he can spoof a PORT command), and he has to steer the necessary TCP packets into the connection between client and server so that the required command is actually sent, and it turns out that this is not as difficult as it may seem.
The Blindspot Security expert has solved both problems with a technique he calls protocol stream injection. Until Oracle and Python have secured their FTP client code, he is not going to publish the exploit. His method opens one TCP port per attack, and each opening takes only three Server Side Request Forgeries.
The possibilities this exploit gives attackers are tremendous: if Java is installed on the victim's computer, the attack can work its way onto the system simply through a Java Web Start application. Moreover, even if all Java apps are disabled on the user's computer, visiting a website that hosts the malicious content prompts Java Web Start to parse a JNLP file, which lets the fraudulent FTP URLs do their work.
Timothy Morgan tested the attacks against various commercial and custom firewalls, and the results show that in almost all cases protocol stream injection is the weak spot.
How can you protect your local network and sensitive data? The Java and Python developers are working on a fix, but until the bug is fixed, it is advised to disable classic-mode FTP translation by default. Disabling, or even uninstalling, Java is another sound option. If you do not want to take such drastic steps, consider disassociating the .jnlp file extension from the Java Web Start binary.