openerp-india team mailing list archive

[Bug 1116226] Re: [7.0] Remote File/URL Access via "LinkedIn Integration" module + privilege escalation

 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1116226

Title:
  [7.0] Remote File/URL Access via "LinkedIn Integration" module +
  privilege escalation

Status in OpenERP Addons (modules):
  Fix Released

Bug description:
  == SECURITY ADVISORY ==

  Title:      Remote File/URL Access via "LinkedIn Integration" module

  Affects:    OpenERP 7.0 only
  Component:  OpenERP Addons
  Module:     web_linkedin
  Credit:     Bastian Ike
  CVE ID:     2013-1657 (to be published)

  I. Confidentiality

  The content of this security advisory was released early on 2013-02-11 to
  subscribers of an OpenERP Enterprise contract (OE). In the meantime, this
  issue was not disclosed or discussed on public channels.

  II.   Background

  OpenERP is remotely accessible using remote procedure call (RPC) protocols, in
  order to communicate with the OpenERP user interface or with external systems.
  These RPC interfaces grant access to the business logic provided by OpenERP
  modules (also known as Apps or addons). This allows calling the business logic
  of OpenERP using external programs, including with other parameters than those
  typically used by the OpenERP user interface.

  OpenERP 7.0 comes with a new "LinkedIn Integration" module (web_linkedin) that
  can automatically fill in new Contact details based on the information
  published on LinkedIn.

  III.  Problem Description

  The web_linkedin module did not properly verify the parameters passed to one
  of its RPC methods, allowing an attacker to remotely access local files on the
  server on which OpenERP is running, or to relay HTTP requests to arbitrary URLs.
  OpenERP 7.0 systems where the web_linkedin module is present but not installed
  may also be vulnerable.

  IV. Impact

  Access Vector: Network exploitable
  Access Complexity: Low
  Authentication: Not required to exploit

  An attacker could pass a specially-crafted JSON-RPC request to the vulnerable
  method and ask for the contents of any local file or remote URL, with or
  without being authenticated.
  Local files requested through this vulnerability may contain sensitive
  information such as passwords that could allow the user to gain elevated
  privileges on OpenERP or on the server machine itself.
  The attacker could also use the OpenERP system as an "open web proxy",
  effectively avoiding network traceability when accessing or abusing other websites.

  Exploiting this vulnerability only requires remote network access to the
  vulnerable OpenERP system.

  OpenERP S.A. is not aware of any malicious use of this vulnerability
  yet.

  V.  Workaround

  Deleting the web_linkedin directory in the local modules repository then
  restarting the OpenERP server will prevent exploiting this vulnerability, but
  may damage your installation. This option should only be used if applying the
  patch or updating the installation is truly impossible, and must be performed
  by personnel experienced with OpenERP administration.

  Please also note that:
  - 7.0 systems where the web_linkedin module is not installed may also be
  vulnerable as long as the web_linkedin module is present in the local modules
  (i.e. in one of the `addons_path` entries).
  - Systems based on the OpenERP 7.0 Windows All-In-One installer are not
  vulnerable unless the web_linkedin module was installed on at least one
  database. On such installations modules are only downloaded when they are
  installed.
  - All OpenERP Online servers have been patched as soon as the correction was
  available.
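  The first note above makes presence of the module under an addons_path entry, not installation on a database, the condition to check. The following Python 3 script is an added example (it is not part of the advisory and not OpenERP's own code): it reads the addons_path entries from a server configuration file, assumed to use the standard `[options]` section with a comma-separated `addons_path` value, and reports every web_linkedin directory it finds. `demo()` builds a constructed sample tree so the script runs offline.

```python
import configparser
import os
import tempfile

MODULE = "web_linkedin"


def addons_paths_from_config(config_path):
    """Return the addons_path entries from an OpenERP 7.0 server config file.

    Assumption: the standard layout, an [options] section holding a
    comma-separated addons_path value.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    with open(config_path) as fh:
        cfg.read_file(fh)
    raw = cfg.get("options", "addons_path", fallback="")
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def find_module_dirs(config_path, module=MODULE):
    """Return every directory named `module` that exists under one of the
    configured addons paths.

    Any hit means the server can load the module's controllers at start-up,
    whether or not the module is installed on a database, which is exactly
    the situation the advisory's first note describes.
    """
    hits = []
    for entry in addons_paths_from_config(config_path):
        candidate = os.path.join(entry, module)
        if os.path.isdir(candidate):
            hits.append(candidate)
    return hits


def demo():
    """Constructed sample tree: one addons path that contains web_linkedin,
    one that does not. Returns (hits, expected_hit)."""
    root = tempfile.mkdtemp(prefix="openerp-check-")
    core = os.path.join(root, "addons")
    extra = os.path.join(root, "extra-addons")
    os.makedirs(os.path.join(core, MODULE))
    os.makedirs(os.path.join(extra, "web"))
    conf = os.path.join(root, "openerp-server.conf")
    with open(conf, "w") as fh:
        fh.write("[options]\naddons_path = %s, %s\n" % (core, extra))
    return find_module_dirs(conf), os.path.join(core, MODULE)


if __name__ == "__main__":
    found, _ = demo()
    for path in found:
        print("web_linkedin present in addons_path: %s" % path)
```

  Run it against the real configuration file (`find_module_dirs("/etc/openerp-server.conf")`, path assumed) before and after applying the workaround; an empty list is the state the workaround aims for.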

  VI.   Solution

  Apply the attached patch, or upgrade to an OpenERP 7.0 version after the
  correction date, either via Bazaar or by downloading the latest version from
  https://www.openerp.com or http://nightly.openerp.com/7.0/nightly

  To apply the patch, change into the root directory of your addons installation,
  then execute the patch command, such as:
      patch -p0 -f < /path/to/the_patch_file.patch

  VII.  Correction details

  The following list contains the revision number of the 7.0 series of
  `openobject-addons` after which the vulnerability is corrected.

  -------------------------------------------------------------------------
  - 7.0 series revno: 8669 revision-id: odo@xxxxxxxxxxx-20130206164423-qtm04krfdg7rp2y8

  == ORIGINAL DESCRIPTION FROM REPORTER ==

  The web_linkedin addon in OpenERP 7 contains a critical security
  issue.

  import base64
  import urllib2
  import openerp.addons.web.http

  class Binary(openerp.addons.web.http.Controller):
      _cp_path = "/web_linkedin/binary"

      # No session check and no validation of `url`: urllib2 fetches any
      # scheme it understands (file:// included) and the body is returned
      # to the caller.
      @openerp.addons.web.http.jsonrequest
      def url2binary(self, req, url):
          bfile = urllib2.urlopen(url)
          return base64.b64encode(bfile.read())

  Anyone can just open /web_linkedin/binary/url2binary and pass any URL,
  which will be loaded from the server and the result is sent to the
  user.

  This lets an attacker abuse the OpenERP Server to hide his IP from
  attacks (like DDOS) to other servers or lets him access internal
  resources inside the company's network.

  PoC:
  In [1]: import jsonrpclib

  In [2]: import base64

  In [3]: base64.b64decode(jsonrpclib.Server('http://SERVER:PORT/web_linkedin/binary/url2binary').call(url="http://checkip.dyndns.com:8245/"))
  Out[3]: '<html><head><title>Current IP Check</title></head><body>Current IP Address: 11.22.33.44</body></html>\r\n'

  I'm not sure if openerp-web is the right project, if not, please move it.
  If you need further information please let me know (here or via skype: bastian.ike).
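  As an added example, not part of the reporter's message and not the fix OpenERP shipped, the following Python 3 code shows the checks the reporter's url2binary lacks: a session requirement, an allowlist of http(s) hosts (the LinkedIn hostnames in ALLOWED_HOSTS are assumed for illustration), rejection of file:// and IP-literal targets, and a cap on the relayed body size. The HTTP client is injected as `fetch()` so the example runs offline; `fake_fetch` is a constructed stand-in.

```python
import base64
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist for the endpoint's one legitimate purpose (fetching a
# LinkedIn profile picture). Illustrative hostnames, not values from the advisory.
ALLOWED_HOSTS = frozenset({"media.licdn.com", "www.linkedin.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
MAX_BYTES = 2 * 1024 * 1024  # upper bound on what the server will relay


class UnsafeURL(ValueError):
    """Raised for any URL the server must not fetch on a client's behalf."""


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return `url` unchanged if it points at an allowlisted http(s) host on a
    standard port; raise UnsafeURL otherwise.

    This closes both problems the advisory names: file:// (and every other
    non-http scheme) and arbitrary hosts, including the server's own network.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal; continue with the hostname checks
    else:
        raise UnsafeURL("IP address literals are not allowed")
    if host.lower() not in allowed_hosts:
        raise UnsafeURL("host not in allowlist: %r" % host)
    if parts.port not in (None, 80, 443):
        raise UnsafeURL("non-standard port: %r" % parts.port)
    return url


def is_rejected(url):
    """True if validate_fetch_url refuses `url`."""
    try:
        validate_fetch_url(url)
    except UnsafeURL:
        return True
    return False


def url2binary_hardened(url, fetch, authenticated):
    """Hardened counterpart of the reporter's url2binary.

    `fetch(url, limit)` is an injected HTTP client (an assumption, so the
    example runs offline); a real one must also refuse to follow redirects to
    hosts outside the allowlist. `authenticated` stands for the session check
    the original method did not perform.
    """
    if not authenticated:
        raise PermissionError("login required")
    safe_url = validate_fetch_url(url)
    data = fetch(safe_url, MAX_BYTES + 1)  # ask for one byte more than allowed
    if len(data) > MAX_BYTES:
        raise UnsafeURL("response exceeds %d bytes" % MAX_BYTES)
    return base64.b64encode(data).decode("ascii")


def fake_fetch(url, limit):
    """Constructed stand-in for an HTTP client: returns a canned payload."""
    return b"hello world"[:limit]


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd",
                      "http://checkip.dyndns.com:8245/",
                      "http://127.0.0.1:8069/",
                      "https://media.licdn.com/profile.jpg"):
        verdict = "rejected" if is_rejected(candidate) else "allowed"
        print("%-40s %s" % (candidate, verdict))
    print(url2binary_hardened("https://media.licdn.com/profile.jpg", fake_fetch, True))
```

  A hostname allowlist still leaves name resolution to the HTTP client, so a production fetcher should resolve the host itself, refuse private and loopback ranges, connect to the resolved address, and not follow redirects; the `fetch()` parameter is where that belongs.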
