Android Century
  • Home
  • Android Zone
    • Android Apps
    • Android Games
    • Apps APk Files
    • Games Apk Files
    • Apps Hack Tricks
  • Reviews
  • Fantasy Zone
    • Entertainment
    • Quotes and Status
    • Life Style
    • Home Made Tips
    • Hair Care
    • Skin Care
    • Fantasy Tips
  • Tricks
    • Free Recharge
    • Free Internet
    • shopping Cashback
    • Recharge Cashback
  • Tech
  • Mobiles
  • Gadgets
  • News
  • How To's
  • Software
Breaking
Loading...

Featured post

How to Take Great Photos With Apple's iPhone X

Recent Posts

Labels

  • Android Apk Files
  • Android Apps
  • Android Games
  • Apps Apk Files
  • Entertainment
  • Fantasy Tips
  • Gadgets
  • Hair Care
  • HomeMade Tips
  • How To's
  • News
  • Quotes
  • Quotes & Status
  • Recharge Cashback
  • Recharge Promo Codes
  • Shopping Cashback
  • Technology
  • skin care
Home / News / Here Java and Python FTP attacks can punch holes through firewalls

Here Java and Python FTP attacks can punch holes through firewalls

Latest Govt. Jobs 21:53:00 News Edit
FTP protocol stream injection attacks put networks and users at risk.

The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks.
On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails.
XXE vulnerabilities can be exploited by tricking applications to parse specially crafted XML files that would force the XML parser to disclose sensitive information such as files, directory listings, or even information about processes running on the server.
[ Further reading: How the new age of antivirus software will protect your PC ]
Klink showed that the same type of vulnerabilities can be used to trick the Java runtime to initiate FTP connections to remote servers by feeding it FTP URLs in the form of ftp://user:password@host:port/file.ext.
However, it turns out that the built-in implementation of the FTP client in Java doesn't filter out special CR (carriage return) and LF (line feed) characters from URLs and actually interprets them.
By inserting such characters in the user or password portions of an FTP URL, the Java FTP client can be tricked to execute rogue commands and can even be tricked to speak SMTP (Simple Mail Transfer Protocol) because the syntax for SMTP and FTP is similar.
Klink showed that by exploiting an XXE vulnerability and this quirk in Java's FTP client implementation, an attacker could force a Java application to send emails to an SMTP server.
"This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing," Klink said in a blog post.
After seeing Klink's exploit, Timothy Morgan, a researcher with Blindspot Security, decided to disclose a similar attack that works against both Java's and Python's FTP implementations. But his attack is more serious because it can be used to punch holes through firewalls.
Morgan calls the attack "FTP protocol stream injection via malicious URLs" and it also involves injecting rogue FTP commands by exploiting the absence of CRLF filtering.
However, instead of injecting SMTP commands, Morgan abuses the FTP PORT command to trick the client into opening a data channel to a remote FTP server on a specific TCP port.
As the researcher points out, many Linux-based stateful packet inspection (SPI) firewalls, including commercial ones, support the classic mode of FTP translation and will automatically open a TCP port and forward it to an FTP client's LAN IP if they detect a PORT command in FTP traffic originating from that client.
This attack vector has been known for many years, which is why the developers of conntrack, a Linux set of tools that most firewalls use, have added an additional check. A port will only be opened if the PORT command appears at the very beginning of a TCP packet, to ensure that the client actually sent the command.
This poses a would-be attacker with two problems: first, discover the client's internal IP address in order to be able to spoof a PORT command, and then, align the TCP packets between the client and the server so that the spoofed PORT command falls at the beginning of a packet.
Morgan has found a way to do both of these things through his FTP protocol stream injection attack and claims to have developed a proof-of-concept exploit that he doesn't plan to release publicly until Oracle and Python correct their FTP client code.
"The entire attack (including the request used to determine the victim's internal IP) is typically accomplished with just three SSRF (Server Side Request Forgery) attacks to open up one TCP port," he said in a blog post Monday. "Each additional SSRF attack could open up one additional TCP port."
There are multiple ways to exploit this issue, including using it against users with Java installed on their computers. Users don't even need to execute a malicious Java applet, because the exploit can be delivered through a Java Web Start application.
"If a desktop user could be convinced to visit a malicious website while Java is installed, even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP file," Morgan said. "These files could contain malicious FTP URLs which trigger this bug."
Attackers could also target servers where Java applications run by abusing a man-in-the-middle position on the network or by exploiting SSRF or XXE vulnerabilities in those applications.
Morgan said he tested this attack against a custom Linux firewall running a recent kernel, as well as against firewalls from Palo Alto Networks and Cisco Systems that proved to be vulnerable under default settings.
"While testing of commercial firewalls has been very limited at this point, it seems likely that a significant percentage of production firewalls in the world are susceptible to attack through FTP protocol stream injections," he said.
The Java and Python developers have been notified of this problem, but until they fix their FTP client implementations, the researcher advises firewall vendors to disable classic mode FTP translation by default.
Users should uninstall Java from their systems, or at least disable the browser plug-in and disassociate the .jnlp file extension from the Java Web Start binary. Meanwhile, Java and Python applications should be audited for SSRF and XXE flaws. However, XML parsing in Java is currently vulnerable by default, making XXE vulnerabilities very common on that platform, Morgan said.
Share on Facebook Share on Twitter Share on Google Plus

RELATED POSTS


Vodafone partners with Tecno to off...

LG G7 with iPhone X-like notch

Oppo F7 India launch confirmed
Here Java and Python FTP attacks can punch holes through firewalls Here Java and Python FTP attacks can punch holes through firewalls Reviewed by Latest Govt. Jobs on 21:53:00 Rating: 5

0 comments:

Post a Comment

Newer Post Older Post Home
Subscribe to: Post Comments ( Atom )

Search This Blog

TEST BOOK FOR GOVT ENTRANCE TEST

TEST BOOK FOR GOVT ENTRANCE TEST
Find All Latest book for preparation of SSC,RAILWAYBANK PO,RBI,BANK CLERK,GATE ME,GATE CE are available here in less prices, to check out the books click here

Translate

  • Popular Post
  • Random posts
  • Category

Popular Posts

  • Teen Patti Offer 2018: Refer and Earn Flipkart Vouchers Free
    Teen Patti Offer 2018: Refer and Earn Flipkart Vouchers Free
    Teen Patti Refer & Earn Offer:  Hey Guys! Today I make an article about Teen Patti Referral ...
  • Hands-on with the home windows 10 Creators update for the Xbox One: Beam recreation streaming arrives
    The Windows 10 Creators Update is here, now—yes,  now —but not (officially) on the PC. The ...
  • Taotronics TT-BH22 Headphones Review
    We make it a addiction to now not look up pricing of a product sooner than reviewing and if ...
  • Pentagon strongly condemns North Korea missile test
    The Pentagon on Monday strongly condemned North Korea’s latest missile test, adding that the ...
  • Bank wallets growing faster than e-wallets
    In the  bank  versus  e-wallets  sweepstakes,  lenders  have now gained lost ground. As of ...
  • Reliance Jio to offer sharp tariff discounts for customers signing up by March-end
    Reliance Industries' Jio unit will charge a tariff for its services from April, but will offer ...

Random Posts

  • Get more out of Android Nougat with these tips and tricks
    Get more out of Android Nougat with these tips and tricks
    12.02.2017 - 0 Comments
    Finally, Google has released Android 7.0 Nougat. If you have a Nexus phone, you probably already…
  • Here is  best Sony Xperia Z5 Compact deals
    Here is best Sony Xperia Z5 Compact deals
    03.03.2017 - 0 Comments
    Best Sony Xperia Z5 Compact deals The Sony Xperia Z5 Compact could well be the most…
  • 'Narendra Modi' app confirms 'Made-in-India' iPhone
    'Narendra Modi' app confirms 'Made-in-India' iPhone
    12.02.2017 - 0 Comments
    After the mutual agreement between the top officials of government and Apple, the Cupertino-based…
  • Hackers threaten to wipe tens of millions of Apple devices, call for ransom
    Hackers threaten to wipe tens of millions of Apple devices, call for ransom
    24.03.2017 - 0 Comments
    A group of hackers is threatening to wipe data from millions of Apple devices in two weeks if the company…
  • CAT S60 review: Rugged however not for each person
    CAT S60 review: Rugged however not for each person
    25.04.2017 - 0 Comments
    CAT or Caterpillar is a well known name. But it is well known for making engines and…

Labels

Android Apk Files Android Apps Android Games Apps Apk Files Apps Hack Tricks Entertainment Free Internet Freecharge Gadgets Games Apk Files How To's Laptops Guide Mobiles Reviews Technology Viral's android zone free recharge

Entertainment

Tricks

Popular Posts

  • Teen Patti Offer 2018: Refer and Earn Flipkart Vouchers Free
    Teen Patti Offer 2018: Refer and Earn Flipkart Vouchers Free
    Teen Patti Refer & ...
  • Hands-on with the home windows 10 Creators update for the Xbox One: Beam recreation streaming arrives
    The Windows ...
  • Meet Bat Bot, the new flying batlike drone
    Holy drone ...
  • Lenovo Yoga Book launched in India at Rs 49,990: First Impressions
    Lenovo  has ...
  • Donald Trump presidency gets social with detailed posts, photos
    US President ...
  • Jio effect: Telcos may have to cut data rates 2017
    India's big  ...
  • Grow Hair Faster: How to Make Hair Grow Faster Naturally
    Every woman wants ...

Random Posts

  • Infinix Zero 5 review
    Infinix Zero 5 review
    22.01.2018 - 0 Comments
    In the last 12 months or so, the battle for the smartphones has shifted from the Rs 10,000-12,000 category…
  • How to use Cortana on Android: Get the most out of Microsoft's voice assistant on your Android phone
    How to use Cortana on Android: Get the most out of Microsoft's voice assistant on your Android phone
    11.02.2017 - 0 Comments
    Microsoft has made its Cortana voice assistant available on Android phones in the UK. It arrives at a time…
  • Daiwa launches 40-inch FHD ‘Smart TV’ in India at Rs 22,990
    Daiwa launches 40-inch FHD ‘Smart TV’ in India at Rs 22,990
    04.02.2017 - 0 Comments
    Daiwa, a homegrown TV manufacturer, has launched its latest FHD 40-inch Smart TV in India. The Smart TV is…
  • Freedom251 Smartphone Booking For Rs 251 (Book Now)
    Freedom251 Smartphone Booking For Rs 251 (Book Now)
    19.02.2016 - 0 Comments
    Freedom251 is the Indian smartphone brand at highly affordable prices. We are an amazing team of smartphone…
  • Moto G5 Plus review
    Moto G5 Plus review
    28.03.2017 - 0 Comments
    VERDICT Refreshed from top to bottom, the Moto G5 Plus has redefined itself and it didn't even have…

Most Popular

  • Teen Patti Offer 2018: Refer and Earn Flipkart Vouchers Free
    Teen Patti Offer 2018: Refer and Earn Flipkart Vouchers Free
    Teen Patti Refer & ...
  • SAMSUNG GALAXY J7 (2016) REVIEWS
    SAMSUNG GALAXY J7 (2016) REVIEWS
    SAMSUNG GALAXY J ...
  • Top 5 Best SmartPhones under 7000 Rs (March 2017)
    Looking for the ...
  • Apple, IBM, Cisco are huge because of Indians, do not deny them H-1B visa: RBI Governor Urjit Patel
    ...
  • SAMSUNG GALAXY J7 (2016) Specifications
    SAMSUNG GALAXY J ...
  • BlackBerry Teases Marshmallow Beta Testing for Priv by Next Week
    Blackberry ...
  • LG Q6 Review
    LG Q6 Review
    2017 is ...

Contact Form

Name

Email *

Message *

Offers Zone

Created By Android Century Distributed by Android Century
  • Home
  • About us
  • Contact us
  • Privacy policy
  • Terms of use
  • Advertise here
Subscribe Via Email Subscribe To Android Century By Email And Get Free Updates. ;-)


Your email address is safe with us!