Interesting engagement I had a few weeks ago, a client wanted assurance on their ERP – Oracle E-Business suite, to be specific. I spent a few weeks just to formulate an efficient strategy and be able to cover most controls from an insider threat perspective and an external authenticated attacker angle.
For this post, I shall focus on an external unauthenticated attacker angle with a bias to information disclosure, hence the title. No intrusion – give us consent to your environment and I shall be happy to demo. 🙂
The Oracle EBS suite is a pretty massive estate – version 11 for instance is reported to have around 15000 JSP files, 800 enabled PL/SQL packages and procedures,countless forms, countless servlets etc. This, ofcourse, increases the attack surface considerably: attackers are happy, blue teamers should be worried.
Before we dive in to Oracle EBS, I should say SAP also has its own vulnerabilities too, which I should cover in coming weeks especially around permissions, storage of passwords and use of default user credentials –SAP, DDIC, EARLYWATCH, anyone?
What info can we get from Oracle EBS version 11 as an external unauthenticated user?
- Log files:
What do most log files usually have? username, source IP/name, destination IP/name, protocols in use, descriptive error messages, service name/properties, right? What if I told you can get all that as an unauthenticated external user?
Focus on the blurred parameters and the framed items in the screenshot. Lots of (useful) information, don’t you think?
2. Upload folder
As an unauthenticated user i.e. guest user one is able to reach an upload page…
Looking closely, we can see that we are authenticated.. It would interest you to find out what you can upload and how it impacts the security of your EBS suite. As earlier promised?, I won’t delve much into the exploitation, but rather focus on the amount of information an unauthenticated attacker has access to.
3. Cookie properties:
Any attacker loves cookies. Main reason: they hold keys to sessions:
4. Create form:
Want to create a form? As an unauthenticated user? No problem
5. Status of servlets:
Want to know version of servlets and if they are working? No problem!
6. A few configuration files:
7. Version disclosure:
8. Diagnostics page:
A cool diagnostics page to get even more information 🙂
8. Username and Passwords:
Saving the best for last – username and passwords!!!!!!
The above passwords are SHA-1 encrypted and are easily decrypted. As a matter of fact the above are the default passwords shipped with the Oracle installation.
Remember this is just got by sampling some of the JSPs, servlets and forms. It is not realistic to scope in an engagement for all the JSPs as an external infosec consultant. As a resident infosec engineer, I would be keen on all the services, JSPs, servlets, forms etc. Remember: attackers need to get it right only once, blue team needs to get it right ALL the time.
Also, keep in mind while doing a security audit for an ERP, focus is how much data can we get and not necessarily an OS shell.
This post wouldn’t be complete without some mitigating controls:
- Reduce attacker surface by removing the JSPs, servlets, services, forms not in use. This should be a well planned operation and involvement from the business is key. Trust me you should be able to reduce attack surface by up to 95%. I would be happy to hear feedback on this..:-)
- Apply periodic Oracle EBS critical patch updates CPUs – this is very key.
- Block access to links that an unauthenticated user wouldn’t need access to – you could start with the ones demonstrated in this post and others that you discover; create a custom 404 page to redirect traffic to these pages.
- Review access logs and disable unnecessary access
I should be putting up another post on the EBS version 12 pretty soon…cheers!
Alfie Njeru 
One thought on “Do you know what your ERP is telling us?”