Joxean Koret - Hackproofing Oracle Financials 11i & R12 [RootedCON 2010]

  • 5,801 views
Uploaded on

Tras una introducción sobre el producto Oracle Financials, explicación de su arquitectura y componentes de las versiones 11i y R12, se mostrarán fallas en el diseño y vulnerabilidades ya solucionadas …

Tras una introducción sobre el producto Oracle Financials, explicación de su arquitectura y componentes de las versiones 11i y R12, se mostrarán fallas en el diseño y vulnerabilidades ya solucionadas en 11i, así como vulnerabilidades 0day para su versión R12.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
5,801
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
293
Comments
0
Likes
4

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Hackproofing Oracle Financials Vulnerabilities in Oracle E-Business Suite R12 Vulnerabilities in Oracle Financials - Joxean Koret
  • 2. What is Oracle Financials? Is an Enterprise Resource Planing product (ERP) The names Oracle E-Business Suite, Oracle Applications, Oracle Financials, etc... does refer to the same product Vulnerabilities in Oracle Financials - Joxean Koret
  • 3. ERP Statistics As of 2005, SAP and Oracle Applications were the most deployed Vulnerabilities in Oracle Financials - Joxean Koret
  • 4. Market Share Vulnerabilities in Oracle Financials - Joxean Koret
  • 5. Market Share Vulnerabilities in Oracle Financials - Joxean Koret
  • 6. Market Share Vulnerabilities in Oracle Financials - Joxean Koret
  • 7. Market Share Vulnerabilities in Oracle Financials - Joxean Koret
  • 8. Who is using Oracle Financials? Very large list of customers http://www.oracle.com/customers/products/financials2.html In short... Militars & Governments, i.e.: North Atlantic Treaty Organization (NATO) Banks Airways & Airlines Petrochemical companies Hospitals ... Vulnerabilities in Oracle Financials - Joxean Koret
  • 9. Some well known customers Marvel, Banque de France, U.S. Airways, U.S. Navy, U.S. Army, Mitsubishi, Airtel, NH Hotels, Canon, EMC Corporation, Flemish Government, Fujitsu, Toshiba, Google Inc, Unisys, U.S. Postal Service, Toyota, General Electrics, Dubai's Government, Oracle itself, etc... Enough (and interesting) customers to care about ;) Vulnerabilities in Oracle Financials - Joxean Koret
  • 10. About the talk What are we going to covert in this talk? Architecture overview (Basic Concepts + Brief introduction) Components (11i & R12) Design flaws Vulnerabilities How to own Vulnerabilities in Oracle Financials - Joxean Koret
  • 11. Architecture Overview Vulnerabilities in Oracle Financials - Joxean Koret
  • 12. Architecture: Attacker's point of view Applications Server's components Web Server, Forms Server (& Reports Server) But Reports is not always available from internet JSP, Servlets, CGIs and ”the” PL/SQL Gateway PL/SQL Gateway removed in R12 due to many security problems Database Server's components Data PL/SQL software Vulnerabilities in Oracle Financials - Joxean Koret
  • 13. Basic Concepts Forms Server Java Applet that communicates (via HTTP in the latest versions) with the application server Used to show GUIs Reports Server The same but only for reports PL/SQL Gateway A way to execute PL/SQL code directly from a browser, like a CGI but inside the database Vulnerabilities in Oracle Financials - Joxean Koret
  • 14. Information Gathering Vulnerabilities in Oracle Financials - Joxean Koret
  • 15. Information Gathering Oracle Financials 11i http://middletier/pls/DAD/fnd_web.ping Oracle Financials R12 PL/SQL Gateway removed, URL changed to: http://middletier/OA_HTML/jsp/fnd/fndping.jsp What information we get this way? Vulnerabilities in Oracle Financials - Joxean Koret
  • 16. Information Gathered Vulnerabilities in Oracle Financials - Joxean Koret
  • 17. Information Gathering Install Path Disclosure Vulnerabilities in Oracle Financials - Joxean Koret
  • 18. Install Path Disclosure The script /OA_HTML/biserror.jsp receives a parameter called ”DBC” (DataBase Configuration) Is a file in the middle-tier with information regarding the database address, etc... It reveals the installation path when a non-existent DBC file is given to script Vulnerabilities in Oracle Financials - Joxean Koret
  • 19. Installation Path Disclosure Vulnerabilities in Oracle Financials - Joxean Koret
  • 20. Information Gathering The information retrieval (sometimes) is vital for succesful intrusions Databases's SID and schema (commonly APPS) It's also typical to host multiple Oracle Financials instances in the same machine: /d01/apps/r12 /d02/apps/r11 You must know the operating system to completely own the system Vulnerabilities in Oracle Financials - Joxean Koret
  • 21. Vulnerabilities Vulnerabilities in Oracle Financials - Joxean Koret
  • 22. Vulnerabilities by component Middle-tier Oracle Forms PL/SQL gateway (only in version 11i) JSP Database backend Oracle Database Middle-tier (again) The Printers From Hell Vulnerabilities in Oracle Financials - Joxean Koret
  • 23. Vulnerabilities: Cross Site Scripting Oracle Financials is full of XSS vulnerabilities In example, the script biserror.jsp is designed to show an error page with a custom message The message text can be HTML code By design! Vulnerabilities in Oracle Financials - Joxean Koret
  • 24. XSS in biserror.jsp Vulnerabilities in Oracle Financials - Joxean Koret
  • 25. Vulnerabilities Cross Site Scripting vulnerabilities can only be usefull (when you do not have real exploits) for: Session hijacking Phissing Manipulating admin panels Etc... However, there are many very interesting vulnerabilities in Oracle Financials so, ignore XSS ;) Vulnerabilities in Oracle Financials - Joxean Koret
  • 26. Mistakes The very first vulnerability I found in Oracle Financials 11i was only applicable to AIX (unfortunately) The SYSADMIN has the responsibility (role) SYSADMIN Looking for other users with the same responsibility... ... Vulnerabilities in Oracle Financials - Joxean Koret
  • 27. Mistakes The very first vulnerability I found in Oracle Financials 11i was only applicable to AIX (unfortunately) The SYSADMIN has the responsibility (role) SYSADMIN Looking for other users with the same responsibility... The GUEST user appears! So any GUEST user is, in fact, SYSADMIN!!! Cool! Applicable to all Oracle Apps. 11i versions for AIX Vulnerabilities in Oracle Financials - Joxean Koret
  • 28. For the developers... Vulnerabilities in Oracle Financials - Joxean Koret
  • 29. Oracle Forms One of the more interesting vulnerabilities is in the Oracle Forms Listener. Whenever a new user wants to connect to Oracle Forms via web, a Login Form is shown Is a Java Applet Vulnerabilities in Oracle Financials - Joxean Koret
  • 30. The Login Form Vulnerabilities in Oracle Financials - Joxean Koret
  • 31. Oracle Forms Listener But, how is the form loaded? What parameters are given from the browser to the server if any? Remember, it's a Java applet that communicates with the application server Vulnerabilities in Oracle Financials - Joxean Koret
  • 32. Oracle Forms Listener Answer: Vulnerabilities in Oracle Financials - Joxean Koret
  • 33. Oracle Forms Listener So, again, we have another installation path disclosure but, wait... What if you're able to upload a new form to the server, to a temporary path, in example? The form will be executed before doing logon Possible temporary paths: /incoming /tmp Vulnerabilities in Oracle Financials - Joxean Koret
  • 34. Oracle Forms Listener The source code of almost every form in Oracle Financials is available: Source code for login form is in $FND_TOP/US/FNDSCSGN.fmb Vulnerabilities in Oracle Financials - Joxean Koret
  • 35. Oracle Forms Source $ cd $FND_TOP $ pwd /u03/oracle/prodappl/fnd/11.5.0/ $ cd forms $ ls E US $ ls US/ APPTREE.fmx FNDATENT.fmx FNDCPDIA.fmx FNDCUSTM.fmx FNDFFMIS.fmx FNDFMFUN.fmx FNDPOMPV.fmx FNDSCAUS.fmx FNDSNDSQ.fmx FNDADDSQ.fmx FNDATFUN.fmx FNDCPDPD.fmx FNDFBMAS.fmx FNDFFMSA.fmx FNDLVMLU.fmx FNDPOMSV.fmx FNDSCDDG.fmx TEMPLATE.fmx (...) Vulnerabilities in Oracle Financials - Joxean Koret
  • 36. Old Vulnerabilities: PL/SQL Gateway In the prior version (Oracle Financials 11i) almost all the vulnerabilities I found were SQL Injection or ”mistakes” Thanks to the PL/SQL Gateway I'm going to tell you about various of them Sorry, no demo for this version :( Vulnerabilities in Oracle Financials - Joxean Koret
  • 37. The PL/SQL Gateway What is the PL/SQL Gateway? Is a way to directly execute PL/SQL code in the database via a browser Vulnerabilities in Oracle Financials - Joxean Koret
  • 38. The PL/SQL Gateway What is the PL/SQL Gateway? Is a way to directly execute PL/SQL code in the database via a browser ”Where you see a feature I see a flaw!” What if the PL/SQL code contains vulnerabilities? Vulnerabilities in Oracle Financials - Joxean Koret
  • 39. The PL/SQL Gateway Remember, the PL/SQL Gateway is a way to directly execute PL/SQL code in the database via a browser ”Where you see a feature I see a flaw!” What if the PL/SQL code contains vulnerabilities? You're running code directly in the database You can run any procedure granted to public A lot of them, about thousands in total Cool! Vulnerabilities in Oracle Financials - Joxean Koret
  • 40. Some reported & fixed vulnerabilities http://<target>/pls/<DAD>/ADI_display_report. DisplayFile?P_DOCID=<doc id> http://<target>/pls/<DAD>/ADI_BINARY_FILE. Show?p_DocumentId=<doc id> Download any document stored in the ERP (contracts, etc...) without being authenticated Just brute force the doc_id and that's all Vulnerabilities in Oracle Financials - Joxean Koret
  • 41. PL/SQL Gateway But, wait! I don't know the DAD? OK, simply navigate with your browser to the following location: http://<target>:<port>/pls/ You will be redirected to the URL /pls/DAD/fnd_web.ping In Oracle Apps since 11.5.10.2 you will get the message ”Unauthorized” But, well, when accessing to the URL you were redirected to... Vulnerabilities in Oracle Financials - Joxean Koret
  • 42. More vulnerabilities in Apps 11i How can I see the complete list of customers and contacts of my adversary corporation? Vulnerabilities in Oracle Financials - Joxean Koret
  • 43. More vulnerabilities in Apps 11i How can I see the complete list of customers and contacts of my adversary corporation? Easy! The following URL is your answer: /pls/<DAD>/ICXSUPWF.DISPLAYCONTACTS No check for valid session, valid privileges, etc... The complete list of customers and contacts is printed in the web page Cool++! Vulnerabilities in Oracle Financials - Joxean Koret
  • 44. SQL Injection Another vulnerable package (the name says that it's surely vulnerable) /pls/DAD/ICX_UTIL.LOVVALUES A LOV, in Oracle language, is a List Of Values Typically, an SQL query to show some data The script receives 2 cool parameters: c_where_clause & c_js_where_clause Guess what is the purpose of the parameters? Cool^2 Vulnerabilities in Oracle Financials - Joxean Koret
  • 45. Returning back to ICXSUPWF.DISPLAYCONTACTS Do you remember the package to download the complete customer's list? Well, this package also receives a seemingly equal parameter: p_where Of course, this is one SQL's where clause Vulnerabilities in Oracle Financials - Joxean Koret
  • 46. Sufficient SQL Injections OK, we have sufficient ”SQL injections?” (or design flaws?) for now but, what can I do with them? Well, some facts: You're running your SQL code as the APPS user The APPS user is the owner of the ERP's data So you're the new owner of the data :) Also, the APPS user has granted the DBA role So you're also the new DBA Vulnerabilities in Oracle Financials - Joxean Koret
  • 47. Oracle Database User APPS Running SQL code as any DBA you can do whatever you want as, in example: Create a Java procedure to execute OS commands and to connect back to you Create a PL/SQL backdoor to make ”easier?” executing new commands Execute a funny OS + RMAN command: $ rman target / rman> sql 'shutdown abort' rman> drop database including backups noprompt; And kill her wife if possible Vulnerabilities in Oracle Financials - Joxean Koret
  • 48. Oracle Financials R12 I think that I showed sufficient (old, fixed) Oracle Apps 11i vulnerabilities Now, it's time for Oracle Applications R12 Vulnerabilities in Oracle Financials - Joxean Koret
  • 49. Oracle Applications R12: Changes In this version Oracle removed the PL/SQL Gateway No fun :( But they ported almost all the packages to JSP So the unique change for us is that we don't need a DAD this time, we already know the complete URL to access every JSP http://<target>:<port>/OA_HTML/<yourjsp.jsp> Vulnerabilities in Oracle Financials - Joxean Koret
  • 50. Oracle Applications R12: Changes In this version they check in almost all JSP scripts for a valid session, except for allowed to GUEST applications However, we can still get fun ;) Vulnerabilities in Oracle Financials - Joxean Koret
  • 51. Establishing a GUEST session To establish a GUEST session you just need to navigate to any ”allowed to GUEST” jsp and, automagically, a new session will be created for you Vulnerabilities in Oracle Financials - Joxean Koret
  • 52. Guest Sessions When you want to do logon via the web page you're received with a web page similar if not equal to the following one: Vulnerabilities in Oracle Financials - Joxean Koret
  • 53. Guest Sessions When you do logon correctly you're redirected to the following web page: Vulnerabilities in Oracle Financials - Joxean Koret
  • 54. Guest Sessions If you navigate (before doing logon) directly to this web page an exception occurs but a new GUEST session gets created. Vulnerabilities in Oracle Financials - Joxean Koret
  • 55. Servlet's Source Code Vulnerabilities in Oracle Financials - Joxean Koret
  • 56. Guest Sessions With a valid GUEST session we can, now, access any JSP. But some of them will check if we have the correct privileges or simply fail because we're not SYSADMIN, etc... Anyway, our attack vector has significantly increased :) Vulnerabilities in Oracle Financials - Joxean Koret
  • 57. Oracle Financials R12 OK so... Do you remember the flaws where you can inject any where clause in Oracle Apps 11i? Well, Oracle always surprised me... Vulnerabilities in Oracle Financials - Joxean Koret
  • 58. Oracle Applications R12 In this version they added a cool script called jtfwcpnt.jsp. It is a component of the Oracle Financials CRM In Oracle words: “A Card Paint to display cards in Smart List Search” Questions to Larry Ellison, plz! The script is completely flawed. Vulnerabilities in Oracle Financials - Joxean Koret
  • 59. jtfwcpnt.jsp This cool script receives one interesting parameter: query Do I need to explain something else? Vulnerabilities in Oracle Financials - Joxean Koret
  • 60. jtfwcpnt.jsp This cool script receives one interesting parameter: query Do I need to explain something else? Let's see a very complicated exploit... Vulnerabilities in Oracle Financials - Joxean Koret
  • 61. jtfwcnpt.jsp 0days 3xpl01ts $ export TARGET=”http://<target>:<port>/OA_HTML” $ wget -O - “$TARGET/OA.jsp” "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20' grant%20dba%20to%20mom';%20end;” $ wget -O - “$TARGET/OA.jsp” "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20' delete%20from%20apps.fnd_user';%20commit;end;” Vulnerabilities in Oracle Financials - Joxean Koret
  • 62. Creating a new SYSADMIN user We're running code as the APPS user so, again, we're the new owner of the data So we can, in example, create a new SYSADMIN like user: Vulnerabilities in Oracle Financials - Joxean Koret
  • 63. Vulnerabilities in Oracle Financials - Joxean Koret
  • 64. Responsibilities Running this PL/SQL code via the jtfwcpnt.jsp script we create a new user and assign 2 responsibilities: 20420 – System Administrator (SYSADMIN) 20872 – System Administration Vulnerabilities in Oracle Financials - Joxean Koret
  • 65. Owning by tiers Abusing from this flaw we gained access to the database backend If we just want to extract some data, we're done, delete the created user and that's all However, if we want to continue owning all the rest of the tiers we need to find a way to execute code also in the middle-tier Remember, we gained access to the database and it will be in a different box :( Vulnerabilities in Oracle Financials - Joxean Koret
  • 66. Gaining Access to the Middle-tiers How can we gain access to the middle-tiers? Checked for a flawed JSP that writes something to disk, but nothing was found Checked also for Runtime.getRuntime() and so on: No luck :( Vulnerabilities in Oracle Financials - Joxean Koret
  • 67. Gaining Access to the Middle-tiers How can we gain access to the middle-tiers? Checked for a flawed JSP that writes something to disk, but nothing was found Checked also for Runtime.getRuntime() and so on: No luck :( But found a funny technique: The Printer From Hell Vulnerabilities in Oracle Financials - Joxean Koret
  • 68. The Printers From Hell Vulnerabilities in Oracle Financials - Joxean Koret
  • 69. The Printer From Hell Oracle Applications Server is a web based application It's designed to be used by big companies either connected from LAN or from Internet They designed a way to print to one system administrator specified printer from anywhere But, how are the printers configured? Administrator does this via the ERP or directly inserting into the database Vulnerabilities in Oracle Financials - Joxean Koret
  • 70. The Printer From Hell Vulnerabilities in Oracle Financials - Joxean Koret
  • 71. The Printer From Hell We have a ”printer coming from hell”, just print something using the ERP or the PL/SQL packages and you're done Vulnerabilities in Oracle Financials - Joxean Koret
  • 72. The Printer From Hell We have a ”printer coming from hell”, just print something using the ERP or the PL/SQL packages and you're done Th3 c0mpl3t3 $y$t3m w4$ 0wN3|) Vulnerabilities in Oracle Financials - Joxean Koret
  • 73. However... We're running code as the ”oracle” OS level user but I know no way to scalate to root :( Well, if the database server is not correctly patched we can always use the ”extjob” suid tool Vulnerability CVE-2008-2613 But, what if the system is a Win32 box? Don't worry! You're already running code as Local System :) Vulnerabilities in Oracle Financials - Joxean Koret
  • 74. ● Conclussions Vulnerabilities in Oracle Financials - Joxean Koret
  • 75. Oracle Financials R12 It's getting better in some aspects but there are plenty of quite stupid vulnerabilities It's OK (in my opinion) to run it in our companies as an intranet application but you should take care opening connectivity to Oracle Financials from Internet IMHO... Vulnerabilities in Oracle Financials - Joxean Koret
  • 76. Final Conclussion? Vulnerabilities in Oracle Financials - Joxean Koret
  • 77. The End ● Thanks you folks! Vulnerabilities in Oracle Financials - Joxean Koret