NET-RPC client-side stack should sanitize pickled data

Bug #671926 reported by Eduard Carreras i Nadal
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Odoo GTK Client (MOVED TO GITHUB)
Fix Released
Critical
OpenERP sa GTK client R&D
5.0
Confirmed
Critical
Stephane Wirtel (OpenERP)
Odoo Web Client
Won't Fix
Critical
OpenERP R&D Web Team
5.0
Won't Fix
Critical
Stephane Wirtel (OpenERP)

Bug Description

It's possible to execute arbritrary code on client using net-rpc (pickle protocol) see http://nadiana.com/python-pickle-insecure

If you use the client to connect to some demo server and this demo server is malicious, it can send malicious code which is executed in client side.

I attach a exploit server who sends code to execute to client. Run a ls -l and redirect the output to proof_of_exploit.txt file.

This bug was fixed in the server, but not in the client.
Affects versions 4.2, 5.X and 6.X

Related branches

Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote :
Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote :

I'll open this bug to the community because one month without response and I think this is a critical issue.

visibility: private → public
Revision history for this message
Stephane Wirtel (OpenERP) (stephane-openerp) wrote :

Here is a patch to apply:

Changed in openobject-client:
importance: Undecided → Critical
status: New → Confirmed
assignee: nobody → Stephane Wirtel (OpenERP) (stephane-openerp)
milestone: none → 6.0-rc2
Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

Web clients needs the same patch

tags: added: maintenance
Changed in openobject-client-web:
assignee: nobody → Stephane Wirtel (OpenERP) (stephane-openerp)
importance: Undecided → Critical
milestone: none → 6.0-rc2
status: New → Confirmed
Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

Hello Eduard,

Indeed, the current GTK and Web clients are vulnerable to this type of specially crafted NET-RPC payload. Fortunately this is mitigated by the fact that modified server/addons are required to be able to exploit this, so users are safe as long as they connect to trusted servers, which is usually the case in business contexts or for SaaS contexts (unless a man-in-the-middle attack is involved as well)

Users should also always keep in mind that NET-RPC itself is not a secure protocol, and should be used only in local networks if security is a concern.

The fix suggested by Stephane can be applied on Web/GTK clients of all versions, for users who want to apply it on their client directly

Thanks a lot for reporting!

Revision history for this message
Stephane Wirtel (OpenERP) (stephane-openerp) wrote :

Try this one, previous was wrong ! sorry, to many things to do in same time.

Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote :

Not sure but, with find_global = None maybe the exceptions won't be raised, I better write a check function like in tryton[1] or nadina's blog[2]

[1] http://hg.tryton.org/tryton/file/6bd9a2618cf4/tryton/pysocket.py
[2] http://nadiana.com/python-pickle-insecure#How_to_Make_Unpickling_Safer

Revision history for this message
Stephane Wirtel (OpenERP) (stephane-openerp) wrote :

Will check and provide a patch

Stéphane

summary: - Remote code execution
+ Malicious servers could trigger code execution on clients using NET-RPC
summary: - Malicious servers could trigger code execution on clients using NET-RPC
+ NET-RPC client-side stack should sanitize pickled data
Changed in openobject-client-web:
assignee: Stephane Wirtel (OpenERP) (stephane-openerp) → OpenERP SA's Web Client R&D (openerp-dev-web)
milestone: 6.0-rc2 → 6.0.2
Changed in openobject-client:
assignee: Stephane Wirtel (OpenERP) (stephane-openerp) → OpenERP sa GTK client R&D (openerp-dev-gtk)
milestone: 6.0-rc2 → 6.0.2
Revision history for this message
Ferdinand (office-chricar) wrote :

trunk/openobject-server/bin> find . -name "*py" |xargs grep -i pickle
returns some modules where pickle is used instead of cPickle
I assume at least speed improvement could be achieved at no cost.
see performance at the end of
http://home.gna.org/oomadness/en/cerealizer/benchmark/index.html

Revision history for this message
Open Net Sàrl (openerp-open-net) wrote :

So, NET-RPC is dangerous and Secure XML-RPC doesn't work (cf. bug #673775)...
What is left ???

Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

@Open Net Sàrl:
I beg to differ. If you read the description and comments carefully, you will see that:
1. NET-RPC is not a secure protocol, so it cannot be compared to secure XML-RPC at all. This vulnerability has nothing to do with the transmission of unencrypted data.
2. This NET-RPC vulnerability is not exploitable if you are connecting only to trusted servers. Presumably, production end-users are always connected to trusted production servers, so they are not exposed to this.
This perhaps explains why this bugs looks much more critical than it really is.

If you are connecting to non-trusted servers, you are probably not sending sensitive data, so you should be fine using unencrypted XML-RPC.
Now if you really want to use Secure XML-RPC and are in a Windows-only world, you might want to start by analyzing the problem in bug 673775... you might be able to help find a workaround or even a fix.

Changed in openobject-client:
status: Confirmed → In Progress
Revision history for this message
Naresh(OpenERP) (nch-openerp) wrote :

Hello,

Thanks for reporting !

It has been fixed at lp:~openerp-dev/openobject-client/trunk-bug-671926-nch and will be merged soon to the trunk client.

Thanks !

Changed in openobject-client:
status: In Progress → Fix Committed
Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote : Re: [Bug 671926] Re: NET-RPC client-side stack should sanitize pickled data

Hi,
as a security fix can be aplied to stable clients too? 5.0.X and 6.X

Thanks

--
Eduard Carreras i Nadal

On 04/07/2011, at 7:46, "Naresh\(OpenERP\)" <email address hidden> wrote:

> Hello,
>
> Thanks for reporting !
>
> It has been fixed at lp:~openerp-dev/openobject-client/trunk-
> bug-671926-nch and will be merged soon to the trunk client.
>
>
> Thanks !
>
> ** Changed in: openobject-client
> Status: In Progress => Fix Committed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/671926
>
> Title:
> NET-RPC client-side stack should sanitize pickled data
>
> Status in OpenERP GTK Client:
> Fix Committed
> Status in OpenERP GTK Client 5.0 series:
> Confirmed
> Status in OpenERP Web Client:
> Confirmed
> Status in OpenERP Web Client 5.0 series:
> Confirmed
>
> Bug description:
> It's possible to execute arbritrary code on client using net-rpc
> (pickle protocol) see http://nadiana.com/python-pickle-insecure
>
> If you use the client to connect to some demo server and this demo
> server is malicious, it can send malicious code which is executed in
> client side.
>
> I attach a exploit server who sends code to execute to client. Run a
> ls -l and redirect the output to proof_of_exploit.txt file.
>
> This bug was fixed in the server, but not in the client.
> Affects versions 4.2, 5.X and 6.X
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/openobject-client/+bug/671926/+subscriptions

Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

Eduard, you're right, this will be backported to 5.0 and 6.0 series once the fix is validated and merged in trunk.

Revision history for this message
Naresh(OpenERP) (nch-openerp) wrote :

Hello,

Thanks for reporting !

The fix has been merged in Trunk client @ 1923 <email address hidden>

Thanks,

Changed in openobject-client:
status: Fix Committed → Fix Released
Changed in openobject-client-web:
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Bug attachments