c2c-oerpscenario team mailing list archive

[Bug 671926] Re: Remote code execution

Web clients need the same patch.

** Also affects: openobject-client/5.0
   Importance: Undecided
       Status: New

** Changed in: openobject-client/5.0
   Importance: Undecided => Critical

** Changed in: openobject-client/5.0
       Status: New => Confirmed

** Changed in: openobject-client/5.0
    Milestone: None => 5.0.16

** Tags added: maintenance

** Also affects: openobject-client-web
   Importance: Undecided
       Status: New

** Changed in: openobject-client-web
   Importance: Undecided => Critical

** Changed in: openobject-client-web
       Status: New => Confirmed

** Changed in: openobject-client-web
    Milestone: None => 6.0-rc2

** Changed in: openobject-client-web
     Assignee: (unassigned) => Stephane Wirtel (OpenERP) (stephane-openerp)

** Also affects: openobject-client-web/5.0
   Importance: Undecided
       Status: New

** Changed in: openobject-client-web/5.0
   Importance: Undecided => Critical

** Changed in: openobject-client-web/5.0
       Status: New => Confirmed

** Changed in: openobject-client-web/5.0
    Milestone: None => 5.0.16

** Changed in: openobject-client-web/5.0
     Assignee: (unassigned) => Stephane Wirtel (OpenERP) (stephane-openerp)

** Changed in: openobject-client/5.0
     Assignee: (unassigned) => Stephane Wirtel (OpenERP) (stephane-openerp)

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/671926

Title:
  Remote code execution

Status in OpenObject GTK Client:
  Confirmed
Status in OpenObject GTK Client 5.0 series:
  Confirmed
Status in OpenObject Web Client:
  Confirmed
Status in OpenObject Web Client 5.0 series:
  Confirmed

Bug description:
  It's possible to execute arbitrary code on the client using net-rpc (pickle protocol); see http://nadiana.com/python-pickle-insecure

  If you use the client to connect to some demo server and this demo server is malicious, it can send malicious code which is executed on the client side.

  I attach an exploit server which sends code to execute to the client. It runs ls -l and redirects the output to the proof_of_exploit.txt file.

  This bug was fixed in the server, but not in the client.
  Affects versions 4.2, 5.X and 6.X
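The description above says the client-side risk is that net-rpc deserializes server-supplied data with pickle, so the server chooses which Python globals get resolved during unpickling. The following is an added illustration of the usual mitigation for that class of problem, a restricted unpickler that only resolves an explicit allow-list of globals; it is not OpenERP's code and not the patch the bug tracker refers to, and the payload bytes and allow-list entries are constructed here for demonstration only.

```python
import datetime
import io
import pickle
from collections import OrderedDict

# Allow-list of (module, name) pairs a client is willing to resolve while
# unpickling. Anything not listed (os.system, subprocess.Popen,
# builtins.eval, ...) is refused before any object is constructed.
# These entries are chosen for the demo; a real client lists only what its
# wire format actually needs.
SAFE_GLOBALS = frozenset({
    ("datetime", "datetime"),
    ("datetime", "date"),
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import globals outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        # pickle calls find_class for every GLOBAL / STACK_GLOBAL opcode;
        # this is the single choke point where code loading can be stopped.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize untrusted pickle bytes under the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'loaded' if the payload deserializes, 'refused' if the
    restricted unpickler rejects a global it carries."""
    try:
        safe_loads(data)
        return "loaded"
    except pickle.UnpicklingError:
        return "refused"


# Constructed sample payloads standing in for what a server might send:
#  - plain containers and scalars carry no global references at all
PLAIN_PAYLOAD = pickle.dumps({"model": "res.partner", "ids": [1, 2, 3]})
#  - a datetime references the allow-listed global datetime.datetime
ALLOWED_GLOBAL_PAYLOAD = pickle.dumps(datetime.datetime(2010, 11, 7, 12, 0))
#  - an OrderedDict references collections.OrderedDict, which is not
#    allow-listed; a harmless stand-in for any attacker-chosen callable
UNLISTED_GLOBAL_PAYLOAD = pickle.dumps(OrderedDict(a=1))


if __name__ == "__main__":
    for label, payload in [
        ("plain data", PLAIN_PAYLOAD),
        ("allowed global", ALLOWED_GLOBAL_PAYLOAD),
        ("unlisted global", UNLISTED_GLOBAL_PAYLOAD),
    ]:
        print(f"{label:16s}: {classify(payload)}")
```

The point of the demo is that the restriction is enforced in find_class, before any constructor or callable from the payload runs, so a server that names an arbitrary module and function gets an UnpicklingError instead of code execution; replacing pickle with a data-only format (JSON, XML-RPC) removes the problem entirely, which is the stronger fix.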