[7.0] Remote File/URL Access via "LinkedIn Integration" module + privilege escalation

== SECURITY ADVISORY ==

Title: Remote File/URL Access via "LinkedIn Integration" module

Affects: OpenERP 7.0 only
Component: OpenERP Addons
Module: web_linkedin
Credit: Bastian Ike
CVE ID: 2013-1657 (to be published)

I. Confidentiality

The content of this security advisory was released early on 2013-02-11 to
subscribers of an OpenERP Enterprise contract (OE). In the mean time, this
issue was not disclosed or discussed on public channels.

II. Background

OpenERP is remotely accessible using remote procedure call (RPC) protocols, in
order to communicate with the OpenERP user interface or with external systems.
These RPC interfaces grant access to the business logic provided by OpenERP
modules (also known as Apps or addons). This allows calling the business logic
of OpenERP using external programs, including with other parameters than those
typically used by the OpenERP user interface.

OpenERP 7.0 comes with a new "LinkedIn Integration" module (web_linkedin) that
can automatically fill in new Contact details based on the information
published on LinkedIn.

III. Problem Description

The web_linkedin module did not properly verify the parameters passed to one
of its RPC methods, allowing an attacker to remotely access local files on the
server on which OpenERP is running, or to relay HTTP requests to arbitrary URLs.
OpenERP 7.0 systems where the web_linkedin module is present but not installed
may also be vulnerable.

IV. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit

An attacker could pass a specially-crafted JSON-RPC request to the vulnerable
method and ask for the contents of any local file or remote URL, with or
without being authenticated.
Local files requested through this vulnerability may contain sensitive
information such as passwords that could allow the user to gain elevated
privileges on OpenERP or on the server machine itself.
The attacker could also use the OpenERP system as an "open web proxy",
effectively avoiding network traceability when accessing or abusing other websites.

Exploiting this vulnerability only requires remote network access to the
vulnerable OpenERP system.

OpenERP S.A. is not aware of any malicious use of this vulnerability yet.

V. Workaround

Deleting the web_linkedin directory in the local modules repository then
restarting the OpenERP server will prevent exploiting this vulnerability, but
may damage your installation. This option should only be used if applying the
patch or updating the installation is truly impossible, and must be performed
by personnel experienced with OpenERP administration.

Please also note that:
- 7.0 systems where the web_linkedin module is not installed may also be
vulnerable as long as the web_linkedin module is present in the local modules
(i.e. in one of the `addons_path` entries).
- Systems based on the OpenERP 7.0 Windows All-In-One installer are not
vulnerable unless the web_linkedin module was installed on at least one
database. On such installations modules are only downloaded when they are
installed.
- All OpenERP Online servers have been patched as soon as the correction was
available.

VI. Solution

Apply the attached patch, or upgrade to an OpenERP 7.0 version after the
correction date, either via Bazaar or by downloading the latest version from
https://www.openerp.com or http://nightly.openerp.com/7.0/nightly

To apply the patch, change into the root directory of your addons installation,
then execute the patch command, such as:
    patch -p0 -f < /path/to/the_patch_file.patch

VII. Correction details

The following list contains the revision number of 7.0 series of
`openobject-addons' after which the vulnerability is corrected.

-------------------------------------------------------------------------
- 7.0 series revno: 8669 revision-id: <email address hidden>

== ORIGINAL DESCRIPTION FROM REPORTER ==

The web_linkedin addon in OpenERP 7 contains a critical security issue.

class Binary(openerp.addons.web.http.Controller):
    _cp_path = "/web_linkedin/binary"

    @openerp.addons.web.http.jsonrequest
    def url2binary(self, req,url):
        bfile = urllib2.urlopen(url)
        return base64.b64encode(bfile.read())

Anyone can just open /web_linkedin/binary/url2binary and pass any URL which will be loaded from the server and the result is send to the user.

This let's an attacker abuse the OpenERP Server to hide his IP from attacks (like DDOS) to other servers or let him access internal resources inside the companys network.

PoC:
In [1]: import jsonrpclib

In [2]: import base64

In [3]: base64.b64decode(jsonrpclib.Server('http://SERVER:PORT/web_linkedin/binary/url2binary').call(url="http://checkip.dyndns.com:8245/"))
Out[3]: '<html><head><title>Current IP Check</title></head><body>Current IP Address: 11.22.33.44</body></html>\r\n'

I'm not sure if openerp-web is the right project, if not, please move it.
If you need further information please let me know (here or via skype: bastian.ike).