
c2c-oerpscenario team mailing list archive

[Bug 671926] Re: Remote code execution


Hello Eduard,

Indeed, the current GTK and Web clients are vulnerable to this type of
specially crafted NET-RPC payload. Fortunately this is mitigated by the
fact that modified server/addons are required to be able to exploit
this, so users are safe as long as they connect to trusted servers,
which is usually the case in business contexts or for SaaS contexts
(unless a man-in-the-middle attack is involved as well).

Users should also always keep in mind that NET-RPC itself is not a
secure protocol, and should be used only in local networks if security
is a concern.

The fix suggested by Stephane can be applied on Web/GTK clients of all
versions, for users who want to apply it on their client directly.

Thanks a lot for reporting!

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/671926

Title:
  Remote code execution

Status in OpenObject GTK Client:
  Confirmed
Status in OpenObject GTK Client 5.0 series:
  Confirmed
Status in OpenObject Web Client:
  Confirmed
Status in OpenObject Web Client 5.0 series:
  Confirmed

Bug description:
  It's possible to execute arbitrary code on the client using net-rpc (pickle protocol); see http://nadiana.com/python-pickle-insecure

If you use the client to connect to some demo server and this demo server is malicious, it can send malicious code which is executed on the client side.

I attach an exploit server that sends code to execute to the client. It runs an ls -l and redirects the output to a proof_of_exploit.txt file.

This bug was fixed in the server, but not in the client.
Affects versions 4.2, 5.X and 6.X.
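A client-side hardening of the pickle step, added here as an illustration of the bug described above; it is not Stephane's fix (which is not quoted on this page) and not the OpenERP clients' own code. It assumes the server reply is handed to the client as raw pickle bytes (NET-RPC framing is ignored) and is written for Python 3's `pickle` module, whereas the clients of that era ran Python 2.

```python
import io
import pickle
from collections import OrderedDict


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that never resolves a module.attribute reference.

    A NET-RPC data reply only needs None, bool, int, float, str, bytes,
    list, tuple, dict and set. None of those emit a GLOBAL opcode, so a
    reply that names a module attribute is not data and is refused
    before any __reduce__ callable can run.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "untrusted NET-RPC peer tried to load %s.%s" % (module, name))


def decode_reply(payload):
    """Decode a raw pickled reply from the server.

    Returns (True, value) for plain data and (False, reason) when the
    reply referenced a class or function. The unrestricted equivalent,
    pickle.loads(payload), resolves the reference and calls it, which
    is exactly what the malicious demo server in the report relies on.
    """
    try:
        return True, RestrictedUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample replies for a stand-alone run; not real OpenERP traffic.
LEGIT_REPLY = {"id": 7, "name": "partner", "tags": ["a", "b"], "active": True}


def sample_plain_reply():
    """A reply carrying only plain data: accepted."""
    return pickle.dumps(LEGIT_REPLY, protocol=2)


def sample_global_reply():
    """A reply carrying a GLOBAL reference: OrderedDict pickles through
    __reduce__, so the stream names collections.OrderedDict. Rejected."""
    return pickle.dumps(OrderedDict(a=1), protocol=2)


if __name__ == "__main__":
    print(decode_reply(sample_plain_reply()))
    print(decode_reply(sample_global_reply()))
```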