openerp-community team mailing list archive

Thread
Date
Odoo Security Advisory - 2014-01-safe-eval

To: OpenERP Community <openerp-community@xxxxxxxxxxxxxxxxxxx>
From: Olivier Dony <odo@xxxxxxxxxxx>
Date: Mon, 03 Nov 2014 12:52:39 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
Security Advisory                                     2014-01-safe-eval


Title: Arbitrary code execution using safe eval expressions

Affects: All Odoo (formerly OpenERP) versions
Component: Odoo Server
Credit: "duesenfranz"

GitHub: https://github.com/odoo/odoo/issues/3445


I.   Background

Odoo includes a sandbox for interpreting dynamic business logic components,
such as the definition of workflows, automated actions, or the dynamic
expressions used within report templates.
The mechanism behind this sandbox is called 'safe eval' and makes the system
much more flexible by allowing advanced customizations. Its role is to
execute user-provided Odoo business logic, while preventing any undesired
effects on the data or the hosting platform - such as could be caused
by accident or by malicious users.

In order to be allowed to customize any of these dynamic business logic
components, one must usually be an administrator of an Odoo database,
or have otherwise received elevated privileges.


II.  Problem Description

The default 'safe eval' sandbox environment was not sufficiently sanitized,
so an attacker with sufficient privileges might be able to escape the sandbox
through the use of specially crafted dynamic expressions.

Systems who host Odoo databases for untrusted users are particularly at risk,
(e.g. SaaS platforms), as they typically allow users to become administrators
of their own Odoo database. This is sufficient to exploit the vulnerability.


III. Impact

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Malicious users with access to an administrator account on an Odoo database
might craft special code expressions specifically targeted at escaping
the sandbox protection.
This could in turn be used to execute arbitrary code as the user
running the Odoo service, granting access to local files and local services.
Files and environments accessed in this manner may contain sensitive
information such as passwords that could allow the user to gain elevated
privileges on the hosting machine itself.

Exploiting this vulnerability requires remote network access and
administrator (or privileged) account on a database hosted on a vulnerable
Odoo installation.

OpenERP S.A. is not aware of any malicious use if this vulnerability yet.


IV.  Workaround

No workaround is available, but systems that do not provide administrator
or otherwise privileged access to untrusted users are not vulnerable.

All Odoo Online servers have been patched as soon as the correction was
available.


V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the latest
version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the **server** directory of your Odoo/OpenERP
installation, then execute the patch command, typically:

      patch -p1 -f < /path/to/the_patch_file.patch


VI.  Correction details

The following list contains the revisions after which the vulnerability
is corrected:

- 6.0: rev. 61b07b1be79fbd5eb9c55f21a769ed37f025bf92
- 6.1: rev. e7390fc603258c37324c77b7efad741e0c3b9842
- 7.0: rev. 9b1a9c95189d41c1cd6353063a89564f5c37c96d
- 8.0: rev. 5e248f09c7d11ee130dc13aab5661618ddb5b777