The vendors were told about the problem and have yet to patch things up, leaving the door open to attackers

Feb 21, 2017 14:33 GMT

Security researchers have found bugs in Java and Python that allow attackers to bypass firewall defenses.

Over the past few days, two different researchers - Alexander Klink and Timothy Morgan of Blindspot Security - raised concern over a new vulnerability that they say exists because Java does not verify the syntax of user names in its FTP client. Although connections to FTP servers can be authenticated, Java's FTP handling, reachable through XML eXternal Entity (XXE) injection, does not check usernames for carriage returns or line feeds, which poses a security threat.

Attackers can prematurely terminate the USER or PASS commands, inject new commands into the FTP session, and connect remotely to servers in order to send unauthorized email.

"FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any 'high' port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled," Morgan writes.

The vulnerability can be exploited in several ways, including to parse malicious JNLP files, conduct man-in-the-middle attacks, or engage in server-side request forgery campaigns.
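The CR/LF injection described above comes down to a missing input check. The following added example (written for this article, not code from the researchers or from either vendor) shows a naive FTP login builder that splices URL credentials straight into USER/PASS next to a hardened builder that refuses control characters; the URL and hostname are constructed sample values.

```python
"""Added example: why an unchecked FTP username becomes protocol injection."""
from typing import List
from urllib.parse import urlsplit, unquote

CRLF = "\r\n"

# Constructed sample: the username carries a percent-encoded CR LF followed
# by a harmless extra command, so the effect is visible without any attack.
INJECTED_URL = "ftp://alice%0D%0ANOOP@ftp.example.test/pub/file.txt"
CLEAN_URL = "ftp://alice:secret@ftp.example.test/pub/file.txt"


def _credentials(url: str):
    parts = urlsplit(url)
    return unquote(parts.username or "anonymous"), unquote(parts.password or "")


def build_login_naive(url: str) -> bytes:
    """Vulnerable pattern: credentials go on the wire unvalidated.

    A CR/LF inside the username ends the USER line early; whatever follows
    is parsed by the server as additional commands."""
    user, password = _credentials(url)
    return f"USER {user}{CRLF}PASS {password}{CRLF}".encode()


def build_login_checked(url: str) -> bytes:
    """Hardened form: reject any control character before building commands."""
    user, password = _credentials(url)
    for field, value in (("username", user), ("password", password)):
        if any(c in value for c in "\r\n\0"):
            raise ValueError(f"FTP {field} contains a control character; refusing")
    return f"USER {user}{CRLF}PASS {password}{CRLF}".encode()


def command_count(stream: bytes) -> int:
    """Number of complete command lines an FTP server would see."""
    return stream.count(CRLF.encode())


def injected_commands(url: str) -> List[str]:
    """Lines other than USER/PASS that the naive builder would emit."""
    lines = build_login_naive(url).decode().split(CRLF)[:-1]
    return [ln for ln in lines if not ln.startswith(("USER ", "PASS "))]


def rejects(url: str) -> bool:
    """True if the hardened builder refuses the URL's credentials."""
    try:
        build_login_checked(url)
    except ValueError:
        return True
    return False
```

The naive builder turns the sample URL into three commands instead of two; the checked builder raises before anything is sent.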

Delayed response

The vendors have yet to patch the bug, despite both security teams having been notified. Python was informed of the issue in January 2016, while Oracle was told about it in November 2016, which shows how long the researchers waited before disclosing the problem publicly. Hopefully, now that it is all public, the two vendors will actually patch things up in order to avoid a wave of attacks using these particular bugs.

The recommendation, until then, is for enterprises and the general public alike to disable classic mode FTP by default.