PeopleSoft: HACK THE Planet^W university
by Dmitry Iudin, Security Researcher at ERPScan
Security Researcher
Dmitry Yudin
@ret5et
PeopleSoft
Used by:
Universities
Government and its institutions
Large enterprises, etc.
PeopleSoft
Campus solutions
Human Capital Management
Financial Management
Supplier Relationship Management …
Attack Targets
• Personal information
- SSN
- Salary data
• Payment information
- Credit card data
- Bank account data
• Bidding information
- RFP
- Prices
Attack Targets
• Espionage
- Theft of financial information
- Corporate trade secret theft
- Theft of supplier and customer lists
- Stealing HR data (employee data theft)
• Sabotage
- Denial of service
- Tampering with financial reports
• Fraud
- False transactions
- Modification of master data
PeopleSoft
A Bit of Theory
PeopleSoft Pure Internet Architecture
Web Server
• Hosts the PeopleSoft servlets
• Communicates with the AppServer
• Front end
PeopleSoft Application Server
Database
Configuration and Deployment Options
AppServer and database on the same server
PeopleSoft Pure Internet Architecture
• These three main components are common to all PeopleSoft applications.
• The applications mainly differ only in the business logic that lives in the database.
• Pwning these components is equal to pwning all application types.
Attack from the Internet: hardcore scenario
1. Get RCE on the PeopleSoft WebServer
Recon the Application Server in the internal network
2. Get RCE on the Application Server
On the AppSvr side, decrypt the low-level DB credentials.
3. Gain low-level access to the database.
Get and decrypt the high-level DB credentials from the db.
AccessID - «this account is the key to the kingdom»
4. Profit
Find PeopleSoft CS systems on the WWW
Or other PeopleSoft systems ...
Default PeopleSoft Servlets on the WebServer
• PORTAL.war - PeopleSoft Interaction Hub
• PSEMHUB.war - Environment Management Framework
• PSIGW.war - Integration Gateway
• PSINTERLINKS.war - Business Interlinks
• PSPC.war - PeopleSoft PortletContainer Servlet
Most Critical Known Bugs
• CVE-2017-10061 - RCE (CVSS v3 score 8.3)
• CVE-2017-10366 - RCE (CVSS v3 score 9.8)
• Any SSRF, combined with the lack of authentication for requests from localhost in the PeopleSoft Apache Axis component, equals RCE
• SSRF bugs: CVE-2013-3800, CVE-2013-3821, CVE-2017-3548, CVE-2017-3547 ...
RCE on the PeopleSoft WebServer is not a PROBLEM
PSIGW.war
• CVE-2017-10061
• CVSS Severity (version 3.0): 8.3 High
• CVSS Version 3 Metrics:
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
DEMO
Find the AppSvr in the internal network
$ pwd
/home/psadm2/apps/PORTAL.war
$ cat WEB-INF/psftdocs/ps/webprof/config_prop | grep -i appserver -A 1
<string>appServer</string>
<string>192.168.56.101:9033</string>
• CVE-2017-10146 - Directory Traversal
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
Remote attack: hardcore scenario
1. Get RCE on the PeopleSoft WebServer
Recon the Application Server in the internal network
2. Get RCE on the Application Server
On the AppSvr side, decrypt the low-level DB credentials
3. Gain low-level access to the database.
Get and decrypt the «AccessID» from the db.
AccessID - «this account is the key to the kingdom»
4. Profit
PeopleSoft AppServer
Some Theory
PeopleSoft AppServer
An application server consists of numerous PeopleSoft services and server processes.
PeopleSoft AppServer processes
• PSAPPSRV
• PSQCKSRV
• PSQRYSRV
• PSSAMSRV
• PSOPTENG
• PSMSGDSP
• PSMSGHND
• PSPUBDSP
• PSPUBHND
• PSSUBDSP
• PSSUBHND
• WSL
• WSH
• JSL
• JSH
• RMI Services
• etc.
PeopleSoft AppServer
• Many processes = large attack surface
• But … most of them are binary, native-code applications.
PeopleSoft AppServer
• After some research, we found some interesting bugs and are now trying to write exploits for them.
• But we don't have RCE on the AppServer yet.
Remote attack: hardcore scenario
1. Get RCE on the PeopleSoft WebServer
Recon the Application Server in the internal network
2. Get RCE on the Application Server
On the AppSvr side, decrypt the low-level DB credentials
3. Gain low-level access to the database.
Get and decrypt the «AccessID» from the db.
AccessID - «this account is the key to the kingdom»
4. Profit
BUT ...
AppServer RMI service
We have a PeopleSoft RMI service with hardcoded credentials...
AppServer RMI service
Java Remote Method Invocation (Java RMI) is a Java API that performs remote method invocation, the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.
PeopleSoft AppServer
AppServer RMI service
By using this service, we can get:
• AppSvr runtime info
• AppSvr network statistics
• Java memory pool info
• CPU load info
• FileStore information
• ...
• Access to the AppServer logs
AppServer RMI service
In some cases, access to the AppServer logs can lead to the leakage of an authentication token, for example if debug logging is enabled on the server side.
AppServer RMI service
DEMO
• RCE on the PeopleSoft WebServer side
• We can read the TOKEN from the AppServer log if debug mode is on
• It seems that debug mode is not common on PeopleSoft production servers
• If we are lucky enough, we can get access to some account tokens.
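As an added example (not from the slides, and not ERPScan's or Oracle's code), here is the detection side of the token leakage described above: a scanner a defender can run over AppServer log output to find lines that carry a sign-on token, fingerprint the token for correlation, and redact it so the alert does not become a second copy of the secret. The cookie name PS_TOKEN, the log line layout and the sample lines are assumptions constructed for illustration; the slides do not show the real debug-log format.

```python
"""Find leaked sign-on tokens in PeopleSoft AppServer log output.

Added example, not taken from the slides. Assumptions: the leaked value is the
PeopleSoft PS_TOKEN sign-on cookie, and the log line layout below is constructed;
a real PSAPPSRV log written at debug level may look different.
"""
import hashlib
import re
from typing import Dict, List, Set

# Constructed sample log. The token value is a dummy base64 string.
DUMMY_TOKEN = "qAAAAAQDAgEBAAAAvAIAAAAAAAAsAAAABABTaGRyAk4AbQg4AC4AMQAwABQ="
SAMPLE_LOG = "\n".join([
    "PSAPPSRV.2104 (1) [10/20/17 10:15:02 GetCertificate](3) Returning context. ID=PS, Lang=ENG",
    f"PSAPPSRV.2104 (1) [10/20/17 10:15:02 GetCertificate](4) Cookie: PS_TOKEN={DUMMY_TOKEN}",
    "PSAPPSRV.2104 (2) [10/20/17 10:15:03 ICPanel](3) Request for page USER_PROFILE",
    f"PSAPPSRV.2104 (2) [10/20/17 10:15:03 ICPanel](4) PS_TOKEN={DUMMY_TOKEN}; SignOnDefault=PS",
    "PSAPPSRV.2104 (3) [10/20/17 10:15:04 ICScript](3) Normal request without credential material",
])

# A PS_TOKEN value is base64 text. Requiring a plausible length keeps the
# pattern from firing on short, unrelated "TOKEN=" fragments.
TOKEN_RE = re.compile(r"(PS_TOKEN\s*=\s*)([A-Za-z0-9+/]{16,}={0,2})")
REDACTED = "<redacted>"


def redact_line(line: str) -> str:
    """Replace every PS_TOKEN value in a line with a placeholder, keeping the key."""
    return TOKEN_RE.sub(lambda m: m.group(1) + REDACTED, line)


def token_fingerprint(token: str) -> str:
    """Short SHA-256 prefix so alerts can correlate tokens without carrying them."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def find_token_leaks(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that carries a PS_TOKEN value.

    Each finding holds the line number, the logging process (first field of the
    line), fingerprints of the tokens and a redacted copy of the line.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        tokens = [tok for _, tok in TOKEN_RE.findall(line)]
        if not tokens:
            continue
        findings.append({
            "line": lineno,
            "process": line.split(" ", 1)[0],
            "fingerprints": [token_fingerprint(t) for t in tokens],
            "redacted": redact_line(line),
        })
    return findings


def distinct_tokens(findings: List[Dict[str, object]]) -> Set[str]:
    """Distinct token fingerprints across all findings (one token logged twice counts once)."""
    return {fp for f in findings for fp in f["fingerprints"]}


if __name__ == "__main__":
    leaks = find_token_leaks(SAMPLE_LOG)
    print(f"{len(leaks)} line(s) leak {len(distinct_tokens(leaks))} distinct token(s)")
    for f in leaks:
        print(f"  line {f['line']} {f['process']}: {f['redacted']}")
```

Run against a real log, a non-empty result is the signal that debug logging is on in a place where it should not be; the fingerprints let you tell one leaked session from many without storing the tokens themselves.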
What do we have?
1. Get RCE on the PeopleSoft WebServer
Recon the Application Server in the internal network
2. Get RCE on the Application Server
On the AppSvr side, decrypt the low-level DB credentials
We got partial "access" to the Application Server
3. Gain low-level access to the database.
Get and decrypt the «AccessID» from the db.
AccessID - «this account is the key to the kingdom»
What do we have here?
But we can exploit another bug...
DEMO
PeopleSoft Application Server buffer over-read
We can disclose user passwords in plain text, remotely.
Attack Scenario
• Get access to the PeopleSoft web server
• Recon the AppServer
• Passively dump credentials from the AppServer
• Collect user names and passwords
• Find accounts with high business roles in the system
• …
• Profit
What if we had RCE on the AppServer?
The main target for those pentesting the AppServer is psappsrv.cfg.
But the values in psappsrv.cfg are «encrypted».
psappsrv.cfg
• UserPswd=sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE=
• ConnectPswd=gizrWPhLwsI5KYakWwvJDLtoEGNNNG4lFfq8W5x/NpM=
• DomainConnectionPwd=iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5Ah ...
psappsrv.cfg «decryption»
$ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
jahce6queiXeevoo1quo0nano # decrypted password
ubbgen utility
UBBGEN's usage prompt doesn't show the "-decr" and "-encr" options; they seem to be «hidden».
psappsrv.cfg
• DBName=...
• DBType=...
• UserId=PS # default PeopleSoft admin
• UserPswd=<encrypted password> # admin password
• ConnectID=people # default connection id
• ConnectPswd=<encrypted password>
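Since ubbgen -decr reverses the «encryption» shown above, what a defender can actually check in psappsrv.cfg is the file mode, whether the default accounts PS and people are still in use, and whether any credential is blank or stored outside the encrypted form. The audit script below is an added example, not ERPScan's or Oracle's code. It assumes psappsrv.cfg is an INI-style file with the DBName/DBType/UserId/UserPswd/ConnectId/ConnectPswd keys under [Startup] and DomainConnectionPwd under [Security], that an ubbgen-encrypted value looks like padded base64, and its sample configs are constructed (reusing the encrypted strings from the slides); the check names are its own.

```python
"""Audit a PeopleSoft psappsrv.cfg for weak credential hygiene.

Added example, not from the slides. Assumptions: psappsrv.cfg is INI-style, with
DBName/DBType/UserId/UserPswd/ConnectId/ConnectPswd under [Startup] and
DomainConnectionPwd under [Security]; an ubbgen-encrypted value is base64 text.
The sample configs are constructed (credential strings copied from the slides).
"""
import configparser
import os
import re
from typing import Dict, List, Optional

# Constructed sample: default accounts, encrypted passwords.
SAMPLE_CFG = """\
[Startup]
DBName=HCMDB
DBType=ORACLE
UserId=PS
UserPswd=sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE=
ConnectId=people
ConnectPswd=gizrWPhLwsI5KYakWwvJDLtoEGNNNG4lFfq8W5x/NpM=
ServerName=

[Security]
DomainConnectionPwd=iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
"""

# Constructed sample: renamed admin, but a plaintext and a blank password.
WEAK_CFG = """\
[Startup]
DBName=HCMDB
DBType=ORACLE
UserId=HRADMIN
UserPswd=Passw0rd!
ConnectId=people
ConnectPswd=
"""

CREDENTIAL_KEYS = {"userpswd", "connectpswd", "domainconnectionpwd"}
DEFAULT_ACCOUNTS = {"userid": "PS", "connectid": "people"}
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_encrypted(value: str) -> bool:
    """Heuristic for the ubbgen output form: base64, padded, at least 24 chars."""
    return bool(B64_RE.fullmatch(value)) and len(value) % 4 == 0 and len(value) >= 24


def parse_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI text into {section: {key: value}} with lower-cased names."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_string(text)
    return {
        section.lower(): {key.lower(): (value or "") for key, value in parser.items(section)}
        for section in parser.sections()
    }


def audit_config(text: str, mode: Optional[int] = None) -> List[Dict[str, str]]:
    """Return findings as {check, key, detail} dicts; an empty list means nothing flagged."""
    cfg = parse_cfg(text)
    startup = cfg.get("startup", {})
    findings: List[Dict[str, str]] = []

    # The slides name PS and people as the defaults; their presence is a finding in itself.
    for key, default in DEFAULT_ACCOUNTS.items():
        if startup.get(key, "").strip().upper() == default.upper():
            findings.append({"check": "default-account", "key": key,
                             "detail": f"{key} still uses the default value {default!r}"})

    for section, entries in cfg.items():
        for key, value in entries.items():
            if key not in CREDENTIAL_KEYS:
                continue
            value = value.strip()
            if not value:
                findings.append({"check": "blank-credential", "key": key,
                                 "detail": f"[{section}] {key} is empty"})
            elif not looks_encrypted(value):
                findings.append({"check": "plaintext-credential", "key": key,
                                 "detail": f"[{section}] {key} is not in ubbgen-encrypted form"})

    # ubbgen -decr reverses the encryption, so the file mode is the real control.
    if mode is not None and mode & 0o077:
        findings.append({"check": "loose-permissions", "key": "",
                         "detail": f"mode {mode & 0o777:03o} lets group/other read reversible credentials"})
    return findings


def audit_file(path: str) -> List[Dict[str, str]]:
    """Audit an on-disk psappsrv.cfg, taking the mode bits from the filesystem."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_config(text, mode=os.stat(path).st_mode)


if __name__ == "__main__":
    for name, cfg, mode in (("sample", SAMPLE_CFG, 0o644), ("weak", WEAK_CFG, 0o600)):
        print(f"== {name} (mode {mode:03o})")
        for f in audit_config(cfg, mode):
            print(f"  {f['check']:<22} {f['detail']}")
```

The base64 heuristic only tells encrypted-looking values from obvious plaintext; it says nothing about strength, because the encryption is reversible with a shipped tool. That is why the permission check is the one that matters most in this audit.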
PeopleSoft Administrator Role (PS user)
This role does NOT have any access to critical business data.
ConnectID
• Real database ID
• Required to establish the initial connection to the database
• Used by the AppServer for initial authentication with the PeopleSoft database
• Has access to the encrypted "AccessID"
PeopleSoft AppServer Sign In
• Initial connection: the application server uses the ConnectID and UserId specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database.
• The server performs a SQL Select statement on the security tables.
• It checks the UserID and UserPswd.
• The server reconnects using the AccessID.
• The application server begins the persistent connection to the database that all users use to access the database.
Getting the encrypted AccessID
$ sqlplus «ConnectId»@«db ip address»:1522/«dbname»
SQL> select STM_ACCESS_PART1, STM_ACCESS_PART2, STM_ACCESS_ID, STM_ACCESS_PSWD from SYSADM.PSACCESSPROFILE;
Getting the encrypted AccessID
$ stmdecr <STM_ACCESS_PART1> <STM_ACCESS_PART2> <STM_ACCESS_ID> <STM_ACCESS_PSWD>
Getting the encrypted AccessID
stmdecr
stmdecr will be published soon … :|
Conclusion
• Implement the latest Oracle Critical Patch Updates (CPUs)
• Perform external security audits
Read our blog
erpscan.com/category/press-center/blog/
Join our webinars
erpscan.com/category/press-center/events/
Subscribe to our newsletters
eepurl.com/bef7h1
USA:
228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone 650.798.5255
EMEA:
Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam
Phone +31 20 8932892
erpscan.com
inbox@erpscan.com
Thank you
Dmitry Yudin
Security Researcher at ERPScan
d.yudin@erpscan.com
PeopleSoft: HACK THE  Planet^W university
PeopleSoft: HACK THE  Planet^W university

More Related Content

What's hot

Provider ethernet vlan cross connect
Provider ethernet vlan cross connectProvider ethernet vlan cross connect
Provider ethernet vlan cross connect
Tasuka Hsu
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
Mohamed Shishtawy
 
Networking in Java with NIO and Netty
Networking in Java with NIO and NettyNetworking in Java with NIO and Netty
Networking in Java with NIO and Netty
Constantine Slisenka
 
Dexador Rises
Dexador RisesDexador Rises
Dexador Rises
fukamachi
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
KSQL: Open Source Streaming for Apache Kafka
KSQL: Open Source Streaming for Apache KafkaKSQL: Open Source Streaming for Apache Kafka
KSQL: Open Source Streaming for Apache Kafka
confluent
 
Adopting Java for the Serverless world at Serverless Meetup New York and Boston
Adopting Java for the Serverless world at Serverless Meetup New York and BostonAdopting Java for the Serverless world at Serverless Meetup New York and Boston
Adopting Java for the Serverless world at Serverless Meetup New York and Boston
Vadym Kazulkin
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
ACI Netflow 구성 가이드
ACI Netflow 구성 가이드ACI Netflow 구성 가이드
ACI Netflow 구성 가이드
Woo Hyung Choi
 
Apache Kafka® Security Overview
Apache Kafka® Security OverviewApache Kafka® Security Overview
Apache Kafka® Security Overview
confluent
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
Alexandre Moneger
 
From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT Traversal
Li-Wei Yao
 
Azure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaAzure Key Vault Integration in Scala
Azure Key Vault Integration in Scala
Braja Krishna Das
 
Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...
Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...
Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...
Codemotion
 
Kafka Security
Kafka SecurityKafka Security
Network automation with Ansible and Python
Network automation with Ansible and PythonNetwork automation with Ansible and Python
Network automation with Ansible and Python
Jisc
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
Netsparker
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
Sim Janghoon
 

What's hot (20)

Provider ethernet vlan cross connect
Provider ethernet vlan cross connectProvider ethernet vlan cross connect
Provider ethernet vlan cross connect
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Networking in Java with NIO and Netty
Networking in Java with NIO and NettyNetworking in Java with NIO and Netty
Networking in Java with NIO and Netty
 
Dexador Rises
Dexador RisesDexador Rises
Dexador Rises
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
KSQL: Open Source Streaming for Apache Kafka
KSQL: Open Source Streaming for Apache KafkaKSQL: Open Source Streaming for Apache Kafka
KSQL: Open Source Streaming for Apache Kafka
 
Adopting Java for the Serverless world at Serverless Meetup New York and Boston
Adopting Java for the Serverless world at Serverless Meetup New York and BostonAdopting Java for the Serverless world at Serverless Meetup New York and Boston
Adopting Java for the Serverless world at Serverless Meetup New York and Boston
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
ACI Netflow 구성 가이드
ACI Netflow 구성 가이드ACI Netflow 구성 가이드
ACI Netflow 구성 가이드
 
Apache Kafka® Security Overview
Apache Kafka® Security OverviewApache Kafka® Security Overview
Apache Kafka® Security Overview
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
 
From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT Traversal
 
Azure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaAzure Key Vault Integration in Scala
Azure Key Vault Integration in Scala
 
Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...
Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...
Andrzej Ludwikowski - Event Sourcing - what could possibly go wrong? - Codemo...
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
Network automation with Ansible and Python
Network automation with Ansible and PythonNetwork automation with Ansible and Python
Network automation with Ansible and Python
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 

Similar to PeopleSoft: HACK THE Planet^W university

Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
QConLondon2008
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
deimos
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
CA API Management
 
A great api is hard to find
A great api is hard to findA great api is hard to find
A great api is hard to find
Dan Diephouse
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access Security
Darren Sim
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
MongoDB
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surface
Avi Shulman
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must Have
IndumathySK
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
Vladimir Bacvanski, PhD
 
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
confluent
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
Cedar Consulting
 
Web Security
Web SecurityWeb Security
Web Security
Chatree Kunjai
 
website phishing by NR
website phishing by NRwebsite phishing by NR
website phishing by NR
NARESH GUMMAGUTTA
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
Matthew Turland
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
jonmccoy
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing
Inho Kang
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
Oracle Korea
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential Management
VMware Tanzu
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
Abdelhamid Limami
 
My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
Arjun Kumawat
 

Similar to PeopleSoft: HACK THE Planet^W university (20)

Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
A great api is hard to find
A great api is hard to findA great api is hard to find
A great api is hard to find
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access Security
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surface
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must Have
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
 
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
 
Web Security
Web SecurityWeb Security
Web Security
 
website phishing by NR
website phishing by NRwebsite phishing by NR
website phishing by NR
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential Management
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
 

Recently uploaded

快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
narwatsonia7
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
Federico Ast
 

Recently uploaded (13)

快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
 

PeopleSoft: HACK THE Planet^W university

  • 1. PeopleSoft: HACK THE Planet^W universityby Dmitry Iudin, Security Researcher at ERPScan
  • 3.
  • 4.
  • 5. PeopleSoft Used by: Universities Government and its institutions Large enterprises, etc.
  • 6. PeopleSoft Campus solutions Human Capital Management Financial Management Supplier Relationship Management …
  • 7. Attack Targets  Personal information  SSN  Salary data  Payment information  Credit card data  Bank account data Bidding information - RFP - Prices
  • 8. Attack Targets  Espionage  Theft of financial information  Corporate trade secret theft  Theft of supplier and customer lists  Stealing HR data (employee data theft)  Sabotage  Denial of service  Tampering with financial reports Fraud - False transactions - Modification of master data
  • 10. A Bit of Theory
  • 11. PeopleSoft Pure Internet Architecture
  • 13. Web Server • Host PeopleSoft Servlets • Communicates with AppServer • Front end
  • 16. Configuration and Deployment Options AppServer and database on same server
  • 18. PeopleSoft Pure Internet Architecture  These 3 main components are common for all PeopleSoft applications.  All applications mainly differ only in business logic that exists in a database.  Pwning these components is equal to Pwning all application types.
  • 19. Attack from Internet hardcore scenario 1. Get RCE on Peoplesoft WebServer Recon Application Server in internal network 1. Get RCE on Application Server On AppSvr side decrypt low level DB credentials. 1. Gain low level access to a database. Get and decrypt high-level DB credentials from the db. AccessID - «this account is the key to the kingdom» 1. Profit
  • 20. Find PeopleSoft CS systems in WWW
  • 21. Or other PeopleSoft Systems ...
  • 22. Default PeopleSoft Servlets on WebServer  PORTAL.war - PeopleSoft Interaction Hub  PSEMHUB.war - Environment Management Framework  PSIGW.war - Integration gateway  PSINTERLINKS.war - Business Interlinks  PSPC.war - PeopleSoft PortletContainer Servlet.
  • 23. Most Critical Known Bugs  CVE-2017-10061 - RCE (CVSS v3 score – 8.3)  CVE-2017-10366 – RCE (CVSS v3 score – 9.8)  Any SSRF + lack authentication from localhost in PeopleSoft Apache Axis component equal RCE  SSRF bugs: CVE-2013-3800, CVE-2013-3821, CVE-2017-3548,CVE- 2017-3547 ...
  • 24. RCE on PeopleSoft WebServer is not a PROBLEM
  • 25. RCE on PeopleSoft WebServer is not a PROBLEM
  • 26. PSIGW.war  CVE-2017-10061  CVSS Severity (version 3.0): 8.3 High  CVSS Version 3 Metrics:  Attack Vector (AV): Network  Attack Complexity (AC): Low
  • 27. DEMO
  • 28. Find AppSvr in internal network $ pwd /home/psadm2/apps/PORTAL.war $ cat WEB-INF/psftdocs/ps/webprof/config_prop | grep -i appserver -A 1 <string>appServer</string> <string>192.168.56.101:9033</string>
  • 29.  CVE-2017-10146 - Directory Traversal  Attack Vector (AV):  Network  Attack Complexity (AC):  Low  Privileges Required (PR):  None Find AppSvr in internal network
  • 30. Find AppSvr in internal network
  • 31. Remote attack: hardcore scenario 1. Get RCE on Peoplesoft WebServer Recon Application Server in internal network 1. Get RCE on Application Server On AppSvr side decrypt low level DB credentials 1. Gain low level access to a database. Get and decrypt «AccessID» from db. AccessID - «this account is the key to the kingdom» 1. Profit
  • 34. PeopleSoft AppServer An application server consists of numerous PeopleSoft services and server processes.
  • 35. PeopleSoft AppServer processes  PSAPPSRV  PSQCKSRV  PSQRYSRV  PSSAMSRV  PSOPTENG  PSMSGDSP  PSMSGHND  PSPUBDSP  PSPUBHND  PSSUBDSP  PSSUBHND  WSL  WSH  JSL  JSH  RMI Services  etc.
  • 36. PeopleSoft AppServer  Many processes = large attack surface  But … most of them are binary, native code applications.
  • 37. PeopleSoft AppServer  After some research, we have found some interesting bugs. Now we are trying to write exploits for them.  But we don’t have RCE on AppServer yet.
  • 38. PeopleSoft AppServer  After some research, we have found some interesting bugs and now we are trying to write exploits for them.  But we don’t have RCE on AppServer yet.
  • 39. Remote attack: hardcore scenario
  1. Get RCE on the PeopleSoft WebServer
  - Recon the Application Server in the internal network
  2. Get RCE on the Application Server
  - On the AppSvr side, decrypt the low-level DB credentials
  3. Gain low-level access to the database
  - Get and decrypt the «AccessID» from the db. AccessID - «this account is the key to the kingdom»
  4. Profit
  • 42. AppServer RMI service: the PeopleSoft AppServer exposes an RMI service with hardcoded credentials...
  • 43. AppServer RMI service: Java Remote Method Invocation (Java RMI) is a Java API that performs remote method invocation, the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.
  • 45. AppServer RMI service. By using this service, we can get:
  - AppSvr runtime info
  - AppSvr network statistics
  - Java memory pool info
  - CPU load info
  - FileStore information
  - ...
  - Access to AppServer logs
  • 47. AppServer RMI service In some cases, access to AppServer logs can lead to a leakage of an authentication token. For example, if debug logging is enabled on the server side.
  • 49. What do we have?
  - RCE on the PeopleSoft WebServer side
  - We can read the TOKEN from the AppServer log, if debug mode is on
  - It seems that debug mode is not common for PeopleSoft production servers
  - If we are lucky enough, we can get access to some account tokens
  • 50. What do we have?
  1. Get RCE on the PeopleSoft WebServer
  - Recon the Application Server in the internal network
  2. Get RCE on the Application Server
  - On the AppSvr side, decrypt the low-level DB credentials
  - We got partial “access” to the Application Server
  3. Gain low-level access to the database
  - Get and decrypt the «AccessID» from the db. AccessID - «this account is the key to the kingdom»
  • 51. What do we have here?
  • 52. But we can exploit another bug...
  • 53. DEMO
  • 54. PeopleSoft Application Server buffer over-read We can disclose user passwords in plain text, remotely.
  • 56. Attack Scenario
  - Get access to the PeopleSoft web server
  - Recon the AppServer
  - Passively dump credentials from the AppServer
  - Collect user names and passwords
  - Find accounts with high business roles in the system
  - …
  - Profit
  • 57. What if we had RCE on the AppServer? For anyone pentesting the AppServer, the main target is psappsrv.cfg. But the values in psappsrv.cfg are «encrypted».
  • 59. psappsrv.cfg «decryption»
  $ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
  jahce6queiXeevoo1quo0nano  # decrypted password
  • 60. ubbgen utility: UBBGEN’s usage prompt doesn’t show the “-decr” and “-encr” options; it seems that they are «hidden».
  • 62. psappsrv.cfg
  - DBName=...
  - DBType=...
  - UserId=PS # default PeopleSoft admin
  - UserPswd=<encrypted password> # admin password
  - ConnectID=people # default connection id
  - ConnectPswd=<encrypted password>
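  Slides 47 and 49 note that debug logging can write account tokens into the AppServer log, and slide 62 lists the psappsrv.cfg credentials whose «encryption» ubbgen reverses; the Python audit below, added here and not part of the deck or of any ERPScan tool, parses a psappsrv.cfg body and flags the shipped-default IDs, empty passwords, verbose logging and an over-permissive file mode. It assumes the [Startup] key names shown on slide 62, a [Trace] section with a LogFence key (an assumption about the file layout), and a constructed sample config.

```python
import configparser
import stat

# Constructed sample psappsrv.cfg fragment (not from any real deployment).
# [Startup] keys follow slide 62; the [Trace] LogFence key is an assumption.
SAMPLE_CFG = """\
[Startup]
DBName=HCM92
DBType=ORACLE
UserId=PS
UserPswd={ENCRYPTED-PLACEHOLDER}
ConnectID=people
ConnectPswd=

[Trace]
LogFence=5
"""

DEFAULT_IDS = {"UserId": "PS", "ConnectID": "people"}  # shipped defaults, slide 62
PASSWORD_KEYS = ("UserPswd", "ConnectPswd")
VERBOSE_FENCE = 4  # assumed: LogFence at or above this means debug-level logging


def audit_psappsrv(text):
    """Parse one psappsrv.cfg body and return a list of finding strings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # configparser lower-cases option names
    if not cp.has_section("Startup"):
        return ["[Startup] section missing"]
    startup = cp["Startup"]
    trace = cp["Trace"] if cp.has_section("Trace") else {}
    findings = []
    for key, default in DEFAULT_IDS.items():
        if startup.get(key.lower(), "").strip().lower() == default.lower():
            findings.append(f"{key} uses the shipped default '{default}'")
    for key in PASSWORD_KEYS:
        if not startup.get(key.lower(), "").strip():
            findings.append(f"{key} is empty")
    try:
        fence = int(trace.get("logfence", "0"))
    except ValueError:
        fence = 0
    if fence >= VERBOSE_FENCE:
        findings.append(f"LogFence={fence}: debug logging may write session tokens to the log")
    return findings


def mode_too_open(st_mode):
    """True if group or others can read the file: ubbgen reverses the value
    «encryption», so read access to psappsrv.cfg is the real control."""
    return bool(st_mode & (stat.S_IRGRP | stat.S_IROTH))
```

  Feed it the real file with `audit_psappsrv(open(path).read())` and `mode_too_open(os.stat(path).st_mode)`; every finding is one fewer constant an attacker who reaches the host already knows.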
  • 63. PeopleSoft Administrator Role (PS user) This role does NOT have any access to critical business data.
  • 64. ConnectID
  - Real database ID
  - Required to establish the initial connection to the database
  - Used by the AppServer for initial authentication with the PeopleSoft database
  - Has access to the encrypted “AccessID”
  • 65. PeopleSoft AppServer Sign In
  1. Initial connection. The application server uses the ConnectID and UserId specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database.
  2. The server performs a SQL Select statement on the security tables.
  3. Check UserID and UserPswd.
  4. The server reconnects using the AccessID.
  5. The application server begins the persistent connection to the database that all users use to access the database.
  • 66. Getting the encrypted AccessID
  $ sqlplus «ConnectID»@«db ip address»:1522/«dbname»
  • 67. Getting the encrypted AccessID
  SQL> select STM_ACCESS_PART1, STM_ACCESS_PART2, STM_ACCESS_ID, STM_ACCESS_PSWD from SYSADM.PSACCESSPROFILE;
  • 68. Getting the encrypted AccessID
  $ stmdecr <STM_ACCESS_PART1> <STM_ACCESS_PART2> <STM_ACCESS_ID> <STM_ACCESS_PSWD>
  • 69. stmdecr stmdecr will be published soon … :|
  • 70. Conclusion
  - Apply the latest CPUs (Oracle Critical Patch Updates)
  - Perform external security audits
  • 71. Read our blog erpscan.com/category/press-center/blog/ Join our webinars erpscan.com/category/press-center/events/ Subscribe to our newsletters eepurl.com/bef7h1 USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 Phone 650.798.5255 EMEA: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam Phone +31 20 8932892 erpscan.com inbox@erpscan.com Thank you Dmitry Yudin Security Researcher at ERPScan d.yudin@erpscan.com