The Python and Java runtimes fail to properly validate FTP URLs. This can potentially allow attackers to pass through firewalls and reach internal networks.
Last Saturday, security researcher Alexander Klink disclosed an interesting attack in which an XXE (XML External Entity) vulnerability in a Java application is exploited to send emails.
XXE vulnerabilities are exploited by tricking applications into parsing specially crafted XML files, which forces the XML parser to leak sensitive information such as directory listings, files, or even information about the processes running on the server.
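The usual defence against the XXE class described above is to refuse DTD features entirely before any entity can be resolved. The following is an added example (not code from Klink's or Morgan's research) showing how to do that in Python with the standard library's expat bindings; the sample documents and the file path inside the entity are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not from the article): one benign, one carrying
# a DOCTYPE with an external entity of the kind XXE attacks rely on.
BENIGN_XML = b"<order><item>widget</item><qty>3</qty></order>"
DOCTYPE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>'
    b"<order><item>&ext;</item></order>"
)


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document tries to use DTD features we do not allow."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source, refusing any DOCTYPE or entity declaration.

    Returns a flat {element_name: text} mapping of leaf elements, which is all a
    typical 'parse this upload' endpoint needs. The security-relevant part is the
    set of expat handlers that abort parsing before any entity could be resolved;
    an exception raised inside a handler propagates out of Parse().
    """
    parser = expat.ParserCreate()
    result = {}
    text = []

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE declaration for {name!r} is not allowed")

    def refuse_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} is not allowed")

    def refuse_external(context, base, sysid, pubid):
        # Belt and braces: even if an entity slipped past, never fetch it.
        raise UnsafeXmlError(f"external entity reference to {sysid!r} is not allowed")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external

    def start(name, attrs):
        text.clear()

    def chars(data):
        text.append(data)

    def end(name):
        # Only leaf elements carry text we care about.
        joined = "".join(text).strip()
        if joined:
            result[name] = joined
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def is_safe_xml(data: bytes) -> bool:
    """Convenience wrapper: True if the document parses under the hardened rules."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlError:
        return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    print("doctype document accepted:", is_safe_xml(DOCTYPE_XML))
```

Rejecting the DOCTYPE outright is stricter than merely disabling external entity resolution, but it also closes off internal-entity expansion attacks, and documents from untrusted parties rarely have a legitimate need for a DTD.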
Klink also showed that the very same type of vulnerability can be used to trick the Java runtime into initiating FTP connections to remote servers by feeding it FTP URLs of the form ftp://user:password@host:port/file.ext.
But it turns out that the default built-in FTP client implementation in Java does not filter out the special CR (carriage return) and LF (line feed) characters from such URLs and instead interprets them.
By inserting such characters in the user or password portion of the FTP URL, the Java FTP client can be tricked into executing rogue commands, and even into speaking SMTP, because the syntax of SMTP and FTP is very similar.
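An application that accepts FTP URLs from untrusted input should perform the check the runtimes did not: reject CR, LF and other control characters in the user and password fields, both raw and percent-encoded (since the client decodes them before sending), and refuse to connect to anything but the FTP control port unless explicitly allowed. The validator below is an added example written for this article, not code from the Java or Python projects or from the researchers; the sample URLs, hostnames and the `allowed_ports` policy are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Any ASCII control character, including CR (0x0D) and LF (0x0A).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# host[:port], where host is either a bracketed IPv6 literal or a name/IPv4 literal.
_HOSTPORT = re.compile(r"^(?P<host>\[[^\]]*\]|[^:\[\]@/]+)(?::(?P<port>[0-9]{1,5}))?$")
# Plain DNS labels / dotted IPv4, or a bracketed IPv6 literal.
_HOST = re.compile(r"^(?:[A-Za-z0-9-]+\.)*[A-Za-z0-9-]+$|^\[[0-9A-Fa-f:.]+\]$")


def validate_ftp_url(url: str, allowed_ports=(21,)) -> list:
    """Return a list of problems with an FTP URL; an empty list means it passed.

    The URL is split by hand rather than with urllib.parse so that stray control
    characters are reported instead of being silently stripped by the parser.
    """
    problems = []
    if _CONTROL.search(url):
        problems.append("raw control character in URL")

    scheme, sep, rest = url.partition("://")
    if sep == "" or scheme.lower() != "ftp":
        problems.append("scheme is not ftp")
        return problems

    authority, _, path = rest.partition("/")
    # userinfo may only contain '@' percent-encoded, so the last '@' ends it.
    userinfo, at, hostport = authority.rpartition("@")
    if at:
        user, _, password = userinfo.partition(":")
        for label, field in (("user", user), ("password", password)):
            # Percent-decode first: "%0D%0A" becomes CR LF on the wire.
            if _CONTROL.search(unquote(field)):
                problems.append(f"control character in {label} after percent-decoding")

    m = _HOSTPORT.match(hostport)
    if not m:
        problems.append("malformed host/port")
        return problems
    host, port = m.group("host"), m.group("port")
    if not _HOST.match(host):
        problems.append(f"unexpected host syntax: {host!r}")
    if port is not None and int(port) not in allowed_ports:
        problems.append(f"port {port} is not an allowed FTP port")

    if _CONTROL.search(unquote(path)):
        problems.append("control character in path after percent-decoding")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the article.
    for sample in (
        "ftp://user:s3cret@files.example.com/pub/readme.txt",
        "ftp://user:pa%0D%0Ass@files.example.com/readme.txt",
        "ftp://user:pass@10.0.0.5:25/x",
    ):
        print(sample.encode("ascii"), "->", validate_ftp_url(sample) or "ok")
```

The port check is what stops the "speak SMTP" trick at the network layer: even a URL whose credentials look clean cannot direct the client at a mail server's port 25 unless the caller has opted in with `allowed_ports`.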
Klink also showed that by combining the XXE vulnerability with this weakness in Java's FTP client implementation, an attacker could force a Java application to send emails to an SMTP server of his choosing.
“This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing,” Klink said in a blog post.
After seeing Klink’s exploit, Timothy Morgan, a researcher with Blindspot Security, decided to disclose a similar attack that works against both Java’s and Python’s FTP implementations.