A user can read the content of files on the machine running trytond by exploiting an XXE vulnerability in camt54 parsing
How to reproduce the exploit:
On a trytond 6.2 server (with lxml==4.7.1), create an incoming SEPA message, fill the message field with the attached "bad_camt.xml" file (a file which contains an external entity with a reference to the server local file "/etc/group"), and then "do" the message.
Result: The tryton client displays an error message containing the content of the /etc/group file
The trace of the error in the server logs is:
[...]
File "/home/jeremy.mousset/.pyenv/versions/vanilla/lib/python3.8/site-packages/trytond/modules/account_payment_sepa/sepa_handler.py", line 38, in handle_entry
payments = self.get_payments(element)
File "/home/jeremy.mousset/.pyenv/versions/vanilla/lib/python3.8/site-packages/trytond/modules/account_payment_sepa/sepa_handler.py", line 77, in get_payments
('kind', '=', self.get_payment_kind(element)),
File "/home/jeremy.mousset/.pyenv/versions/vanilla/lib/python3.8/site-packages/trytond/modules/account_payment_sepa/sepa_handler.py", line 51, in get_payment_kind
return self._kinds[
KeyError: 'root:x:
[etc etc]
Of course the /etc/group file is only an example.
This issue belongs to the family of issues described here: https://cwe.mitre.org/data/definitions/611.html
How I found out: we ran semgrep (https://semgrep.dev/) on our code base, which reported the following:
"Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the 'defusedxml' library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information."
I then looked for a possibility of exploitation where etree.fromstring is used in the code.
I suppose there might be other ways to exploit xml parsing in trytond and its modules.
I don't know if the indication from the semgrep report to use https://github.com/tiran/defusedxml instead of the lxml library is the right one. It could be.
[ I'm not sure if "critical" is the right priority here, but it is a serious issue in my opinion ]
Files
| Download | Creator | Timestamp | Type |
|---|---|---|---|
| bad_camt.xml | @jeremy.mousset | 2022-02-04 15:31:30.374000 UTC | text/xml |
| screenshot_XEE.png | @jeremy.mousset | 2022-02-04 15:32:24.220000 UTC | image/png |
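The following is an added example, not Tryton's own code and not the reporter's, of how a camt.054 loader can be hardened against the entity expansion shown in the traceback above. It layers two defences: a lexical pre-check that refuses any message carrying a DOCTYPE or ENTITY declaration (a camt message is defined by an XSD, so neither belongs there), and an lxml parser built with `resolve_entities=False`, `load_dtd=False` and `no_network=True` so that even a message that slips past the pre-check cannot pull in local files. The function names, the `_KINDS` mapping, the sample messages and the use of the camt.054.001.02 namespace are all constructed for this example; the code falls back to the standard-library `xml.etree.ElementTree` (which does not resolve external entities) when lxml is not installed, which is an assumption about the environment and not part of the report.

```python
"""Hardened loading of camt.054 messages (added example, not Tryton code)."""
import re

try:
    from lxml import etree
    HAVE_LXML = True
except ImportError:  # assumption: stdlib fallback when lxml is absent
    import xml.etree.ElementTree as etree
    HAVE_LXML = False

# Namespace of camt.054 version 2 messages; used here only for the samples.
CAMT_NS = "urn:iso:std:iso:20022:tech:xsd:camt.054.001.02"

# Constructed mapping from the CdtDbtInd text to a payment kind. The traceback
# in the report shows that an unresolved entity turned this lookup key into
# the content of /etc/group; here the message is rejected before any lookup.
_KINDS = {"CRDT": "receivable", "DBIT": "payable"}

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when a message carries constructs that enable XXE."""


def _normalize_for_check(data: bytes) -> bytes:
    # A UTF-16 encoded document would slip past an ASCII byte pattern, so
    # transcode BOM-prefixed UTF-16 to UTF-8 before searching. Only the
    # check uses the transcoded bytes; the parser still sees the original.
    for bom, enc in ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be")):
        if data.startswith(bom):
            return data[len(bom):].decode(enc).encode("utf-8")
    return data


def reject_dtd(data: bytes) -> None:
    """First layer: refuse any DOCTYPE/ENTITY declaration outright."""
    probe = _normalize_for_check(data)
    if _DOCTYPE_RE.search(probe) or _ENTITY_RE.search(probe):
        raise UnsafeXMLError("DTD declarations are not allowed in SEPA messages")


def safe_fromstring(data: bytes):
    """Second layer: parse with a parser that cannot expand entities."""
    reject_dtd(data)
    if HAVE_LXML:
        parser = etree.XMLParser(
            resolve_entities=False,  # never substitute &name; references
            load_dtd=False,          # never fetch an external DTD
            no_network=True,         # never touch the network during parsing
        )
        return etree.fromstring(data, parser=parser)
    return etree.fromstring(data)  # stdlib ET does not resolve external entities


def payment_kinds(data: bytes):
    """Return [(kind, amount), ...] for each Ntry in a camt.054 message."""
    root = safe_fromstring(data)
    result = []
    for entry in root.iter(f"{{{CAMT_NS}}}Ntry"):
        indicator = entry.find(f"{{{CAMT_NS}}}CdtDbtInd").text
        amount = entry.find(f"{{{CAMT_NS}}}Amt").text
        result.append((_KINDS[indicator], amount))
    return result


def is_safe_message(data: bytes) -> bool:
    """True if the message passes the pre-check, False if it is rejected."""
    try:
        reject_dtd(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample: a benign two-entry notification.
BENIGN_CAMT = f"""<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="{CAMT_NS}">
  <BkToCstmrDbtCdtNtfctn><Ntfctn>
    <Ntry><Amt Ccy="EUR">120.50</Amt><CdtDbtInd>CRDT</CdtDbtInd></Ntry>
    <Ntry><Amt Ccy="EUR">35.00</Amt><CdtDbtInd>DBIT</CdtDbtInd></Ntry>
  </Ntfctn></BkToCstmrDbtCdtNtfctn>
</Document>
""".encode("utf-8")

# Constructed sample shaped like the report's bad_camt.xml: an external entity
# pointing at a local file, referenced where the parser expects CRDT/DBIT.
MALICIOUS_CAMT = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Document [ <!ENTITY ext SYSTEM "file:///etc/group"> ]>
<Document xmlns="{CAMT_NS}">
  <BkToCstmrDbtCdtNtfctn><Ntfctn>
    <Ntry><Amt Ccy="EUR">1.00</Amt><CdtDbtInd>&ext;</CdtDbtInd></Ntry>
  </Ntfctn></BkToCstmrDbtCdtNtfctn>
</Document>
""".encode("utf-8")

# The same message re-encoded as UTF-16, to show the pre-check still catches it.
MALICIOUS_CAMT_UTF16 = MALICIOUS_CAMT.decode("utf-8").encode("utf-16")


if __name__ == "__main__":
    print(payment_kinds(BENIGN_CAMT))
    print(is_safe_message(MALICIOUS_CAMT), is_safe_message(MALICIOUS_CAMT_UTF16))
```

The pre-check is deliberately strict rather than clever: no legitimate camt message needs a DTD, so refusing the whole document is cheaper and easier to reason about than trying to detect which entities are dangerous. The parser flags remain the primary control, since a byte-level check can only cover encodings it knows how to transcode.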