Oracle EBS Security auditing

This is my attempt to improve on the post I wrote last year and to add other tests I find helpful. Whatever is outlined here really is the tip of the iceberg; further tests should definitely be done depending on scope, objectives and so on.

Application testing:

Controls to test:

  • Default application account credentials
  • Weak application password controls
  • Poor patching policies
  • Directory listing / sensitive information exposure
  • Segregation of duties / roles and responsibilities
  • Etc.

Default application account credentials:

I have created a list of common default accounts on the application and uploaded it to GitHub; feel free to add to the list or ping me on Twitter. TBH, this issue is quite common among most instances I have had the pleasure of auditing, and it usually gives you System Administrator privileges on the portal.

Other tests to perform on the application to perhaps gain access are here.

Solution: disable the default app accounts.

Weak application password controls

Over and above the normal password complexity settings on the application, check how user passwords are stored: I found that if the passwords are not hashed and you have the APPS password, one could decrypt ALL the application user passwords!!

[Screenshot: application user passwords stored without hashing]
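As an added example (not code from the original post), the following audit query covers both the default-account check and the password-hashing check above: it reports, for each FND_USER row, whether the stored password is hashed and whether a well-known seeded account is still active. It assumes the prefix convention for ENCRYPTED_USER_PASSWORD ('ZH' once hashing is enabled, 'ZG' while still reversibly encrypted), which you should confirm for your release, and the seeded-account list is a partial, constructed sample to be extended from the GitHub list.

```sql
-- Added audit query, not from the original post.
-- Assumption: FND_USER.ENCRYPTED_USER_PASSWORD starts with 'ZH' when the
-- password is hashed and 'ZG' when it is reversibly encrypted; confirm this
-- against your release before relying on the classification.

-- 1. Overall picture: how many user passwords are hashed vs. reversible.
SELECT CASE
         WHEN encrypted_user_password LIKE 'ZH%' THEN 'hashed'
         WHEN encrypted_user_password LIKE 'ZG%' THEN 'encrypted (reversible)'
         ELSE 'other/unknown'
       END                                     AS password_storage,
       COUNT(*)                                AS user_count
  FROM applsys.fnd_user
 GROUP BY CASE
            WHEN encrypted_user_password LIKE 'ZH%' THEN 'hashed'
            WHEN encrypted_user_password LIKE 'ZG%' THEN 'encrypted (reversible)'
            ELSE 'other/unknown'
          END;

-- 2. Seeded/default accounts: which are still active and when last used.
--    The IN list is a constructed, partial sample; extend it from the
--    default-account list referenced above.
SELECT u.user_name,
       CASE
         WHEN u.end_date IS NULL OR u.end_date > SYSDATE THEN 'ACTIVE'
         ELSE 'end-dated'
       END                                     AS account_status,
       u.last_logon_date,
       u.password_date,
       CASE
         WHEN u.encrypted_user_password LIKE 'ZH%' THEN 'hashed'
         ELSE 'not hashed'
       END                                     AS password_storage
  FROM applsys.fnd_user u
 WHERE u.user_name IN ('SYSADMIN', 'GUEST', 'ANONYMOUS', 'AUTOINSTALL',
                       'WIZARD', 'OP_SYSADMIN', 'IBE_GUEST', 'ASGADM')
 ORDER BY account_status, u.user_name;
```

Treat GUEST as a password-rotation case rather than an end-date candidate, since the application framework depends on it; for the other seeded accounts the finding is any row reported as ACTIVE, and for the first query any non-zero count outside the 'hashed' bucket.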

Lack of patching:

Simple select statement to view patch levels (most recently applied first):

-- Lists the patches recorded as applied on this instance, newest first
SELECT
  patch_name
, patch_type
, maint_pack_level
, creation_date
FROM applsys.ad_applied_patches
ORDER BY creation_date DESC;

Lack of patching on the app leads to many OWASP Top 10 vulnerabilities, including but not limited to XSS and SQL injection, most of them discovered by the people credited below. A common example is the reflected XSS in jtfLOVInProcess.jsp. Many other JSPs on the EBS suffer from these issues, including: ibeCZzpEntry.jsp, cskmrelstmts.jsp, cskmslctcat.jsp, cskmslctplat.jsp, csm5Sync.jsp, ibeCScdAgrmntDetail.jsp, ibutpqs.jsp, ieccaleassignexception.jsp and ieccaleexception.jsp.

[Screenshot: reflected XSS]

Solution: Patch. Patch. Patch.

Directory listing / sensitive information exposure

See post here

Solution: Reduce the attack surface by removing the JSPs not in use.

Big shoutout to the guys below for being ready to help the community in the ERP space:

  • David Litchfield
  • Integrigy
  • Onapsis

< Post in progress/>
