Oracle EBS Security auditing

So this is my attempt to improve on this post I wrote last year and other tests that I find helpful. Whatever is outlined here really is a tip of the iceberg and further tests should definitely be done depending on scope, objectives…

Application testing:

Controls to test:

  • Default application account credentials
  • Weak application password controls
  • Poor patching policies
  • Directory listing / sensitive information exposure
  • Segregation of duties / roles and responsibilities
  • Etc

Default application account credentials:

I have created a list of common default accounts on the application and uploaded on github, feel free to add to the list / ping me on twitter. TBH, this issue is quite common among most instances I have the pleasure of auditing and mostly gives you system administrator privileges on the portal.

Other tests to perform on the application to perhaps gain access are here.

Solution:  disable the default app accounts;

Weak application password controls

Over and above the normal password complexity settings on the application, I found that if the passwords are not hashed and you have the APPS password, one could decrypt ALL the application user passwords!!

no hashed

Lack of patching:

Simple select statement to view patch levels:

SELECT
patch_name
, patch_type
, maint_pack_level
, creation_date
FROM applsys.ad_applied_patches
ORDER BY creation_date DESC

Lack of patching on the app leads to many  OWASP Top 10 vulnerabilities including but not limited to XSS, SQLis – most discovered by the guys below. A common example is the reflected XSS on the jtfLOVInProcess.jsp. Many other jsps on the EBS suffer from these issues. These include: ibeCZzpEntry.jsp, cskmrelstmts.jsp, cskmslctcat.jsp, cskmslctplat.jsp, csm5Sync.jsp, ibeCScdAgrmntDetail.jsp, ibutpqs.jsp, ieccaleassignexception.jsp and ieccaleexception.jsp

XSS

Solution: Patch. Patch. Patch.

Directory listing / sensitive information exposure

See post here

Solution: Reduce the attack surface by removing the JSPs not in use.

Update!

Arbitrary File Access vulnerability

Some of the Oracle EBS JSPs are vulnerable to arbitrary file access vulnerabilities eg. bispgrapgh.jsp. I added a check on Nuclei to automate the testing of this 🙂

Big shoutout to the guys below for being ready to help the community in this ERP space:

  • David Litchfield
  • Integrigy
  • Onapsis

< Post in progress/>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: