
Java and Python Plagued by Bug Allowing Attackers to Avoid Firewalls


WALLONN7


The vendors were told about the problem and have yet to patch things up, leaving the door open to attackers


It seems that security researchers have found some bugs in Java and Python which allow attackers to go around any firewall defenses. 

 

Over the past few days, two different researchers - Alexander Klink and Timothy Morgan of Blindspot Security - expressed their concern over a new vulnerability they say occurred because Java does not verify the syntax of user names in its FTP protocol. Despite the fact that connecting to FTP servers can be done with authentication, Java's XML eXternal Entity (XXE) doesn't check for the presence of carriage returns or line feeds in usernames, which poses a security threat.

Attackers can terminate "user" or "pass" commands, inject new commands into the FTP session and connect remotely to servers in order to send unauthorized email.

"FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled," Morgan writes.

The vulnerability can be exploited in several ways, including to parse malicious JNLP files, conduct man-in-the-middle attacks or engage in server-side request forgery campaigns.

Delayed response

The vendors have yet to patch the bug, despite the security teams of both companies being notified. Python was informed of the issues in January 2016, while Oracle was told about it in November 2016, indicating just how long the researchers waited before exposing the problem to the world. Hopefully, now that it's all public, the two vendors will actually patch things up in order to avoid a wave of attacks using these particular bugs.

The recommendation, until then, is for both enterprise players and the general public to disable classic mode FTP by default.
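As an added example (not code from the article, from Oracle, or from the Python project) of the check the article describes as missing: an FTP client builds one command per line, so credentials taken from a URL must be refused if they contain a carriage return or line feed once percent-decoded. The URL and host below are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Added example, not code from the article or from the Java/Python projects.
# FTP is line-oriented: the client sends "USER alice\r\n", then "PASS ...\r\n".
# A credential carrying CR or LF would end that line early and the remainder
# would be read by the server as a further command, which is the injection
# the article describes. Rejecting those bytes before they reach the socket
# closes that path.
CTRL = re.compile(r"[\r\n\x00]")


def ftp_line(command, argument):
    """Build one FTP command line, refusing arguments that would add lines."""
    if CTRL.search(argument):
        raise ValueError(f"control character in FTP {command} argument")
    return f"{command} {argument}\r\n"


def credentials_from_url(url):
    """Return the USER and PASS lines for an ftp:// URL.

    Validation happens after percent-decoding, because the decoded form
    (e.g. %0d%0a becoming CR LF) is what would be written to the session.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URL")
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "")
    return ftp_line("USER", user), ftp_line("PASS", password)


def is_safe_ftp_url(url):
    """True if the URL's credentials can be sent without line injection."""
    try:
        credentials_from_url(url)
        return True
    except ValueError:
        return False
```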
