Alexey Tyurin - HR Hacking — bugs in PeopleSoft
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,635
On Slideshare
1,635
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
14
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Invest in security to secure investments HR Hacking – bugs in PeopleSoft Alexey Tyurin Director of consulting department in ERPScan
  • 2. Alexey Tyurin • Director of consulting in ERPScan • XML/WEB/Win/Network security fun • Hacked a lot of online banking systems • Co-Organizer of Defcon Russia Group • Editor of “EasyHack” column for the “Xakep” magazine @antyurin erpscan.com ERPScan — invest in security to secure investments 2
  • 3. What is it? • • • Oracle PeopleSoft Apps: HRMS, FMS, SCM, CRM, EPM Can work as one big portal or separately Many implementations erpscan.com ERPScan — invest in security to secure investments 3
  • 4. PeopleSoft Internet Architecture • • Many applications, but they have one architecture PeopleSoft Internet Architecture – • Internet oriented since version 8 Based on several special core technologies erpscan.com ERPScan — invest in security to secure investments 4
  • 5. PeopleSoft Internet Architecture PeopleTools: • Technology • Developer tools • Framework • PeopleCode All of the applications are created using PeopleTools. erpscan.com ERPScan — invest in security to secure investments 5
  • 6. PeopleSoft Internet Architecture erpscan.com ERPScan — invest in security to secure investments 6
  • 7. PeopleSoft Internet Architecture • Web server WebLogic /WebSphere PS Servlets Forwards request from a browser to an App Server • Application server – PS Services + Tuxedo + Jolt – Business logic, SQL transaction management, Transport • Database server – System Tables, PeopleTools metadata , PeopleSoft application data erpscan.com ERPScan — invest in security to secure investments 7
  • 8. PeopleSoft Internet Architecture Another view: erpscan.com ERPScan — invest in security to secure investments 8
  • 9. PeopleSoft Internet Architecture • Users (web browser) – All common web technologies – A single escalation point for common and administrative goals • Developers (PeopleTools) – 2-Tier – direct connection to DBMS – 3-Tier – connection through Application Server. Special ports WSH, WSL. Essentially, basic SQL requests which are forwarded to DBMS by Application Server • External systems – Different web services (SOAP, XML) for a cross-system integration erpscan.com ERPScan — invest in security to secure investments 9
  • 10. PeopleSoft Internet Architecture erpscan.com ERPScan — invest in security to secure investments 10
  • 11. PeopleSoft Internet Architecture Authentication process and terms: • User logs in with their User ID and password. • Application Server uses Connect ID to connect to DBMS. – • • • * This account has limited rights in DBMS. It is used to retrieve the u=User ID and password, which are then compared to the user’s input If successful, the system takes Symbolic ID (associated with) User ID. The system uses Symbolic ID to find in PSACCESSPRFL the necessary Access ID and the password. This account is privileged. The system reconnects to DBMS using Access ID. Passwords are encrypted. erpscan.com ERPScan — invest in security to secure investments 11
  • 12. PeopleSoft Vulns Some vulns every year, some talks about, but no info for pentesting… erpscan.com ERPScan — invest in security to secure investments 12
  • 13. Google Dorks • filetype:GBL peoplesoft • peoplesoft inurl:cmd=login • intitle:"PeopleSoft Enterprise Sign-in" • intitle:"WebLogic Server" intitle:"Console Login" inurl:console • "Welcome to Weblogic Application Server" PeopleSoft erpscan.com ERPScan — invest in security to secure investments 13
  • 14. Google Dorks erpscan.com ERPScan — invest in security to secure investments 14
  • 15. Detect • PS can be “hidden” very well and look totally unlike itself – Filetype: GBL – A lot of JavaScripts with version information – Cookie with PORTAL-PSJSESSIONID – Cookie PSTOKEN – Cookie PSLOGINLIST erpscan.com ERPScan — invest in security to secure investments 15
  • 16. Ports erpscan.com ERPScan — invest in security to secure investments 16
  • 17. Default ports • • • • • • • • • 80, 443 – both ports – WebLogic / PeopleSoft 3050 – Tuxedo (not used in PS) 7000 – WSL – distributes connections on WSH 7001-7005 – WSH – a port on the application server for developers (3-tier) 7180, 7143 – PS REN server (Real-time EventNotification) 9000 – JSL – distributes connections on JSH (jolt) 9001-9005 – a port on the application server for Jolt connections from the web server 9500 – PS Debugging port – a port on the application server (non default) 9100 – Jolt relay (non default) erpscan.com ERPScan — invest in security to secure investments 17
  • 18. Default inputs • A lot of input spots. Scan them! erpscan.com ERPScan — invest in security to secure investments 18
  • 19. Default accounts Some of them: • people:peop1e – DB • PS:PS – super PS user (also VP1:VP1) • “password” for many web services • “dayoff” for a Portal servlet Ex: psp/[site]/?cmd=viewconfig&pwd=dayoff – to see configs Different way: non-standard Weblogic accounts: • system: Passw0rd (password) – main administrator • operator: password – operator role • monitor: password – monitor role * The password of “system” is often changed to that of “PS” erpscan.com ERPScan — invest in security to secure investments 19
  • 20. WebLogic • • • WebLogic admin “/console” On the same port with PeopleSoft application by default Anyone can try to access the inside with default accounts erpscan.com ERPScan — invest in security to secure investments 20
  • 21. Default inf disclosure • Some of them: erpscan.com ERPScan — invest in security to secure investments 21
  • 22. Another classic attack • Most administrative tasks are fulfilled by administrators through the portal. XSS is a beautiful attack! • Ex. 1 (until PT 8.51). PSOL Full Text Search: XSS in every entry field erpscan.com ERPScan — invest in security to secure investments 22
  • 23. Another classic attack • Ex. 2 (PT 8.53): CVE-2013-3818 Patched in CPU 16 July 2013 (cpujul2013) http://172.16.0.79/CfgOCIReturn.html?&debug=true&domain=aaa %27%3Cimg%20src%3D%22zz%22%20onerror%3Dalert%28%22XS S%22%29%3E erpscan.com ERPScan — invest in security to secure investments 23
  • 24. Strange UDDI explorer One of input spots: • We can scan internal network via SSRF (time-based) • We can steal the password of administrator * But who uses this strange thing? erpscan.com ERPScan — invest in security to secure investments 24
  • 25. DEMO erpscan.com ERPScan — invest in security to secure investments 25
  • 26. PeopleSoft DoS • • • • old research buffer overflow in login process!!! we can control the return address but stack cookie… so only DoS * Do you think it is secure Java? No, there are too many crashes  erpscan.com ERPScan — invest in security to secure investments 26
  • 27. True DoS • One of input points is Business Interlink • No authentication • Simple request • PeopleSoft сrashes (Java, to be precise ;)) erpscan.com ERPScan — invest in security to secure investments 27
  • 28. DEMO erpscan.com ERPScan — invest in security to secure investments 28
  • 29. XXEs • Some of input points: PSIGW/*, Business Interlink, SyncServ • !!!No authentication !!! • Common XXE injection impact: – We can read plain text files (not all) – SSRF – SSRF+gopher (if JDK <= 1.6) – SSRF+grab NTLM hashes/SMBRelay (if JDK <= 1.6 and OS = Windows) – Classic entities DoS? + we can list directories and read XML files! (no binary) CVE-2013-3800, CVE-2013-3819, CVE-2013-3821 Patched in CPU on the 16th July 2013 (cpujul2013) erpscan.com ERPScan — invest in security to secure investments 29
  • 30. Encryption Encryption of password in config files: • Some passwords of PeopleSoft are stored in plaintext • Some – DES • Some – 3DES • Some – AES (Weblogic) DES • The key for DES is hardcoded • Was used for encryption in the older systems • Has no ID at the beginning (such as “{V1.1}”) erpscan.com ERPScan — invest in security to secure investments 30
  • 31. Encryption 3DES • The key for 3DES is standard by default. • You can check it. The string “{V1.1}” before an encrypted password shows the key is default. • After each key regeneration, the number is changed (1.2, 1.3…). • Do you regenerate it? AES • If you want to decrypt with AES, you need SerializedSystemIni.dat. • You can understand that it is AES by the “{AES}” string in the beginning of an encrypted password. erpscan.com ERPScan — invest in security to secure investments 31
  • 32. Whatever do we read? • Configuration files that can store plaintext passwords: hcmss.dms, create_accessid.sql , connect_2005.sql, psprcs.cfg, hcengl.log, dbsetup.xm l, psappsrv.cfg, resetpswd.dms, hcora.dms, connect.sql , pswinclt.cfg * They mostly belong to Connection ID. But there are some PS too. • Configuration files that can store encrypted passwords (DES, 3DES, AES): configuration.properties, gatewayUserProfile.xml, inte grationGateway.properties, config.xml, security.xml, D efaultAuthenticatorInit.ldif, boot.properties, nm_pass word.properties * They mostly belong to web service. But they can fit forPS too. erpscan.com ERPScan — invest in security to secure investments 32
  • 33. Whatever do we read? Issues • Not all of the listed files can be read by reading data from the web server • Passwords from WebLogic accounts are AES-encrypted, the key is in the binary file • If the administrator re-generated keys to 3DES ({V1.2},{V1.3 …), the key is also in a binary file which cannot be read through XXE • Theoretically, the private SSL key can be read and used for MitM attacks, but it has to be stored in plain-text. By default, it is stored in Java storage (binary) erpscan.com ERPScan — invest in security to secure investments 33
  • 34. Attack! 1) Read Connection ID and attack through the database. It is possible to download user hashes and bruteforce them, for example. 2) From the multitude of configuration files, we can retrieve various accounts (in the case of v. 1.1 or an old PT version with DES) and use it to find the password for the PS acount in Portal. 3) We can read the file nm_password.properties of WebLogic, which stores the hash of the node manager password (similar to the password of the user “system” in WebLogic by default). erpscan.com ERPScan — invest in security to secure investments 34
  • 35. DEMO erpscan.com ERPScan — invest in security to secure investments 35
  • 36. Greetz to our crew who helped