Oracle EBS Security auditing

This is my attempt to improve on the post I wrote last year and to add other tests I find helpful. Whatever is outlined here is really the tip of the iceberg; further tests should definitely be done depending on scope, objectives…

Application testing:

Controls to test:

  • Default application account credentials
  • Weak application password controls
  • Poor patching policies
  • Directory listing / sensitive information exposure
  • Segregation of duties / roles and responsibilities
  • Etc

Default application account credentials:

I have created a list of common default accounts on the application and uploaded it to GitHub; feel free to add to the list or ping me on Twitter. To be honest, this issue is quite common among most instances I have had the pleasure of auditing, and it mostly gives you system administrator privileges on the portal.

Other tests to perform on the application to perhaps gain access are here.

Solution: disable the default application accounts.

Weak application password controls

Over and above the normal password complexity settings on the application, I found that if the user passwords are not hashed (i.e. they are stored reversibly encrypted) and you have the APPS password, you can decrypt ALL the application user passwords!

Lack of patching:

Simple select statement to view patch levels:

SELECT
patch_name
, patch_type
, maint_pack_level
, creation_date
FROM applsys.ad_applied_patches
ORDER BY creation_date DESC

Lack of patching on the app leads to many OWASP Top 10 vulnerabilities, including but not limited to XSS and SQLi, most of them discovered by the guys credited below. A common example is the reflected XSS in jtfLOVInProcess.jsp. Many other JSPs on the EBS suffer from the same issues.

Solution: Patch. Patch. Patch.

Directory listing / sensitive information exposure

See post here

Solution: Reduce the attack surface by removing the JSPs not in use.

Big shoutout to the guys below for being ready to help the community in this ERP space:

  • David Litchfield
  • Integrigy
  • Onapsis

< Post in progress/>


Blackhat Europe 2017 – conference notes

I had the pleasure of attending Blackhat Europe 2017 in London, and it was enlightening! In this post, I shall provide links to the slide decks, videos and tools shared during the demonstrations, briefings and various talks. The abstracts for the briefings can be found on the official Blackhat Europe website.

1. Black Hat Europe 2017 YouTube playlist (continuously being updated):


2. Presentation slide decks:

LOST IN TRANSACTION: PROCESS DOPPELGÄNGING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

HOW TO HACK A TURNED-OFF COMPUTER, OR RUNNING UNSIGNED CODE IN INTEL MANAGEMENT ENGINE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

EXPOSING HIDDEN EXPLOITABLE BEHAVIORS IN PROGRAMMING LANGUAGES USING DIFFERENTIAL FUZZING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf

ATTACKING NEXTGEN ROAMING NETWORKS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Schmidt-Attacking-Next-Gen-Roaming-Networks.pdf

BLUEBORNE – A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Seri-BlueBorne-A-New-Class-Of-Airborne-Attacks-Compromising-Any-Bluetooth-Enabled-Linux-IoT-Device.pdf

NATION-STATE MONEYMULE’S HUNTING SEASON – APT ATTACKS TARGETING FINANCIAL INSTITUTIONS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Shen-Nation-State%20Moneymules-Hunting-Season-APT-Attacks-Targeting-Financial-Institutions.pdf

SECURITY THROUGH DISTRUSTING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Rutkowska-Security-Through-Distrusting.pdf

EXFILTRATING RECONNAISSANCE DATA FROM AIR-GAPPED ICS/SCADA NETWORKS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Atch-Exfiltrating-Reconnaissance-Data-From-Air-Gapped-Ics-Scada-Networks.pdf

THE GREAT ESCAPES OF VMWARE: A RETROSPECTIVE CASE STUDY OF VMWARE G2H ESCAPE VULNERABILITIES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf

A PROCESS IS NO ONE: HUNTING FOR TOKEN MANIPULATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf

A UNIVERSAL CONTROLLER TO TAKE OVER A Z-WAVE NETWORK:https://www.blackhat.com/docs/eu-17/materials/eu-17-Rouch-A-Universal-Controller-To-Take-Over-A-Z-Wave-Network.pdf

ATTACKS AGAINST GSMA’S M2M REMOTE PROVISIONING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Meyer-Attacks-Against-GSMAS-M2M-Remote-Provisioning.pdf

AUTOMATIC DISCOVERY OF EVASION VULNERABILITIES USING TARGETED PROTOCOL FUZZING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Levomaki-Automatic-Discovery-Of-Evasion-Vulnerabilities-Using-Targeted-Protocol-Fuzzing.pdf

BECOMING YOU: A GLIMPSE INTO CREDENTIAL ABUSE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Burney-Becoming-You-A-Glimpse-Into-Credential-Abuse.pdf

BREAKING BAD: STEALING PATIENT DATA THROUGH MEDICAL DEVICES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Harit-Breaking-Bad-Stealing-Patient-Data-Through-Medical-Devices.pdf

BREAKING OUT HSTS (AND HPKP) ON FIREFOX IE/EDGE AND (POSSIBLY) CHROME:https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf

BY-DESIGN BACKDOORING OF ENCRYPTION SYSTEM – CAN WE TRUST FOREIGN ENCRYPTION ALGORITHMS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Filiol-By-Design-Backdooring-Of-Encryption-System-Can-We-Trust-Foreign-Encryption-Algorithms.pdf

CALDERA: AUTOMATING ADVERSARY EMULATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Miller-CALDERA-Automating-Adversary-Emulation.pdf

CLKSCREW: EXPOSING THE PERILS OF SECURITY-OBLIVIOUS ENERGY MANAGEMENT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Tang-Clkscrew-Exposing-The-Perils-Of-Security-Oblivious-Energy-Management.pdf

DEALING THE PERFECT HAND – SHUFFLING MEMORY BLOCKS ON Z/OS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Elaassal-Dealing-The-Perfect-Hand-Shuffling-Memory-Blocks-On-ZOS.pdf

DIFUZZING ANDROID KERNEL DRIVERS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf

ENRAPTURED MINDS: STRATEGIC GAMING OF COGNITIVE MINDHACKS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Kropotov-Enraptured-Minds-Strategic-Gaming-Of-Cognitive-Mindhacks.pdf

FED UP GETTING SHATTERED AND LOG JAMMED? A NEW GENERATION OF CRYPTO IS COMING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Wong-Fed-Up-Getting-Shattered-And-Log-Jammed-A-New-Generation-Of-Crypto-Is-Coming.pdf

GDPR AND THIRD PARTY JS – CAN IT BE DONE?:https://www.blackhat.com/docs/eu-17/materials/eu-17-Grushcovski-GDPR-And-Third-Party-JS-Can-It-Be-Done.pdf

HEAP LAYOUT OPTIMISATION FOR EXPLOITATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Heelan-Heap-Layout-Optimisation-For-Exploitation.pdf

HIDING PIN’S ARTIFACTS TO DEFEAT EVASIVE MALWARE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Polino-Hiding-Pins-Artifacts-To-Defeat-Evasive-Malware.pdf

HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Ma-How-Samsung-Secures-Your-Wallet-And-How-To-Break-It.pdf

HOW TO ROB A BANK OVER THE PHONE – LESSONS LEARNED AND REAL AUDIO FROM AN ACTUAL SOCIAL ENGINEERING ENGAGEMENT:https://www.blackhat.com/docs/eu-17/materials/eu17-Crumbaugh-How-To-Rob-A-Bank-Over-The-Phone.pdf

I TRUST MY ZOMBIES: A TRUST-ENABLED BOTNET: https://www.blackhat.com/docs/eu-17/materials/eu-17-Vasilomanolakis-I-Trust-My-Zombies-A-Trust-Enabled-Botnet.pdf

INSIDE ANDROID’S SAFETYNET ATTESTATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Mulliner-Inside-Androids-SafetyNet-Attestation.pdf

INTEL ME: FLASH FILE SYSTEM EXPLAINED:https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf

JAILBREAKING APPLE WATCH:https://www.blackhat.com/docs/eu-17/materials/eu-17-Bazaliy-Jailbreaking-Apple-Watch.pdf

KEY REINSTALLATION ATTACKS: BREAKING THE WPA2 PROTOCOL:https://www.blackhat.com/docs/eu-17/materials/eu-17-Vanhoef-Key-Reinstallation-Attacks-Breaking-The-WPA2-Protocol.pdf

PASSIVE FINGERPRINTING OF HTTP/2 CLIENTS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients.pdf

RED TEAM TECHNIQUES FOR EVADING BYPASSING AND DISABLING MS ADVANCED THREAT PROTECTION AND ADVANCED THREAT ANALYTICS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf

RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX:https://www.blackhat.com/docs/eu-17/materials/eu-17-Donenfeld-Rooten-Apples-Vulnerability-Heaven-In-The-IOS-Sandbox.pdf

SELF-VERIFYING AUTHENTICATION – A FRAMEWORK FOR SAFER INTEGRATIONS OF SINGLE-SIGN-ON SERVICES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Chen-Self-Verifying-Authentication-A-Framework-For-Safer-Integrations-Of-Single-Sign-On-Services.pdf

THE APPLE OF YOUR EFI: AN UPDATED ANALYSIS OF THE STATE OF APPLE’S EFI SECURITY SUPPORT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Smith-The-Apple-Of-Your-EFI-An-Updated-Analysis-Of-The-State-Of-Apples-EFI-Security-Support.pdf

THE SPEAR TO BREAK THE SECURITY WALL OF S7COMMPLUS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Lei-The-Spear-To-Break%20-The-Security-Wall-Of-S7CommPlus.pdf

WI-FI DIRECT TO HELL: ATTACKING WI-FI DIRECT PROTOCOL IMPLEMENTATIONS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Blanco-WI-FI-Direct-To-Hell-Attacking-WI-FI-Direct-Protocol-Implementations.pdf

ZERO DAYS THOUSANDS OF NIGHTS: THE LIFE AND TIMES OF ZERO-DAY VULNERABILITIES AND THEIR EXPLOITS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Ablon-Zero-Days-Thousands-Of-Nights-The-Life-And-Times-Of-Zero-Day-Vulnerabilities-And-Their-Exploits.pdf

From Shodan to Remote Code Execution #1 – hacking Jenkins

In this era of extreme automation, whether of development, deployment or even security management, are we getting closer to security maturity, or are we better off without the automation?

In the next few posts, I hope to look at some of the tools and applications deployed in enterprises for automation and better security that end up exposing them and increasing their attack surface. We start with Jenkins.

Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and by facilitating technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. It supports version control tools including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands.

It is used by several organizations globally and a quick Shodan search gives over 300,000 instances publicly accessible over the internet.


We shift focus quickly to see whether there are portal instances on port 8081, and the figure goes down.

Of these, some require credentials... and some don't 🙂 Some even show the Manage Jenkins option, which means, among other things, that we are a somewhat privileged user (e.g. the jenkins user) and can install plugins of our choice.

Most people I know would opt to install the terminal plugin, for obvious reasons.

Running some commands.. :-O


Enough!

From Shodan to Remote Code Execution #2 – hacking OpenDreambox 2.0.0

A sequel to the last post in what is now becoming a series, "From Shodan to remote code execution": we now take a look at how misconfigured Dreambox installations can be hacked. Dreambox is a company which offers digital TV set top boxes and other related services.

Shodan search:

Perform a shodan search as below:


Go through the portals in the search results. The indicator of a vulnerable Dreambox installation is the presence of the webadmin plugin, as below:

From the address bar run linux commands using the syntax: http://IP/PORT/webadmin/script?command=|”linux_command” as shown below:


Credits: Jonatas Fil, the discoverer of the vulnerability.

Penetration testing Sharepoint

Like any normal web application, SharePoint may fall prey to the OWASP Top 10 vulnerabilities, with a special focus on XSS, mostly due to inadequate patching and misconfiguration. In this post, we focus on recon: what SharePoint is exposing.

Google Dorks FTW!:

Some Google dorks to help you find SharePoint installations exposed to the web are given below. It would be wise to prefix them with "site:yoursite.com" to narrow down the search and discover what your own SharePoint installation is exposing to the public.

Fuzz:

From the above, we can view a lot of documents that you may not necessarily want exposed. In addition to the classified documents seen above, we can also:

  • discover Sharepoint version installed
  • discover the Sharepoint web services configured on the application
  • enumerate users
  • view default SharePoint _layouts, _catalogs, configuration settings and forms

How?

I prefer to use this fuzzer, but you can use dirbuster, fuzzdb etc. I have over time come up with a list to feed the fuzzer.

Run the scanner as below and discover all the information that your SharePoint installation is exposing to the public 🙂

Going to the pages with HTTP status code 200, we find:

  1. FrontPage Server Extensions and SharePoint versions:

[screenshot: _vti_inf.html]

  2. SharePoint web services:

[screenshot: _vti_bin/spdisco.aspx]

  3. Default layouts:

[screenshot: viewlsts.aspx]

etc…you get the drift.
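The fuzz-and-inspect step above, turned into a repeatable check you can run against your own installation (added example, not code from the original post): it probes the default pages named above, reports which ones are served to an anonymous visitor, and pulls the build number that SharePoint discloses in the MicrosoftSharePointTeamServices response header and in the FPVersion line of _vti_inf.html. The fetch function is injected so the check runs offline here; the responses in FAKE_SITE are constructed.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Default pages the post walks through, plus two well-known siblings.
# Each one answering HTTP 200 to an anonymous request is a finding.
DEFAULT_PATHS = [
    "/_vti_inf.html",            # FrontPage Server Extensions info (leaks FPVersion)
    "/_vti_bin/spdisco.aspx",    # web service discovery document
    "/_layouts/viewlsts.aspx",   # lists every list and library on the site
    "/_vti_bin/lists.asmx",      # Lists web service
    "/_layouts/userdisp.aspx",   # user profile display, used for user enumeration
]

# fetch(path) -> (status, headers, body). In production wrap requests.get(base_url + path);
# here it is injected so the check runs offline.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]
FPVERSION_RE = re.compile(r'FPVersion="([\d.]+)"')

def sharepoint_exposure(fetch: Fetcher, paths=DEFAULT_PATHS) -> Dict[str, object]:
    """Probe the default pages and report which are served anonymously and
    what build number the responses disclose."""
    exposed: List[str] = []
    version: Optional[str] = None
    for path in paths:
        status, headers, body = fetch(path)
        if status != 200:
            continue
        exposed.append(path)
        # The build number leaks in a response header on any page ...
        lowered = {k.lower(): v for k, v in headers.items()}
        version = version or lowered.get("microsoftsharepointteamservices")
        # ... and in the body of _vti_inf.html.
        m = FPVERSION_RE.search(body)
        if m and version is None:
            version = m.group(1)
    return {"exposed": exposed, "version": version}

# Constructed responses standing in for a misconfigured site; the build
# number is made up for the example.
FAKE_SITE = {
    "/_vti_inf.html": (200, {"MicrosoftSharePointTeamServices": "15.0.0.4420"},
                       '<!-- FrontPage Configuration Information\n FPVersion="15.0.0.4420"\n-->'),
    "/_vti_bin/spdisco.aspx": (200, {"MicrosoftSharePointTeamServices": "15.0.0.4420"}, "<discovery/>"),
    "/_layouts/viewlsts.aspx": (401, {}, ""),  # correctly demands authentication
}

def fake_fetch(path: str):
    return FAKE_SITE.get(path, (404, {}, ""))

if __name__ == "__main__":
    print(sharepoint_exposure(fake_fetch))
```

Anything listed under "exposed" is a candidate for the restrict/remove step below; the version lets you cross-check the patch level against Microsoft's build list.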

What to do?

  • Patch.
  • Restrict / remove default pages, forms, layouts

Do you know what your ERP is telling us?

An interesting engagement I had a few weeks ago: a client wanted assurance on their ERP, Oracle E-Business Suite to be specific. I spent a few weeks just formulating an efficient strategy that could cover most controls from an insider threat perspective and from an external authenticated attacker angle.

For this post, I shall focus on the external unauthenticated attacker angle, with a bias towards information disclosure, hence the title. No intrusion: give us consent to test your environment and I shall be happy to demo. 🙂

The Oracle EBS suite is a pretty massive estate: version 11, for instance, is reported to have around 15000 JSP files, 800 enabled PL/SQL packages and procedures, countless forms, countless servlets, etc. This, of course, increases the attack surface considerably: attackers are happy, blue teamers should be worried.

Before we dive into Oracle EBS, I should say SAP has its own vulnerabilities too, which I should cover in the coming weeks, especially around permissions, storage of passwords and use of default user credentials: SAP, DDIC, EARLYWATCH, anyone?

What info can we get from Oracle EBS version 11 as an external unauthenticated user?

  1. Log files:

What do most log files usually contain? Username, source IP/name, destination IP/name, protocols in use, descriptive error messages, service name/properties, right? What if I told you that you could get all of that as an unauthenticated external user?

[screenshot: SQL*Net log]

Focus on the blurred parameters and the framed items in the screenshot. Lots of (useful) information, don’t you think?

  2. Upload folder:

As an unauthenticated user, i.e. the guest user, one is able to reach an upload page…

[screenshot: upload page]

Looking closely, we can see that we are authenticated. It would interest you to find out what you can upload and how it impacts the security of your EBS suite. As promised earlier, I won't delve much into the exploitation, but rather focus on the amount of information an unauthenticated attacker has access to.

  3. Cookie properties:

Any attacker loves cookies. Main reason: they hold the keys to sessions:

[screenshot: cookie properties]

  4. Create form:

Want to create a form? As an unauthenticated user? No problem.

[screenshot: create form page]

  5. Status of servlets:

Want to know the version of the servlets and whether they are working? No problem!

[screenshot: servlet status page]

  6. A few configuration files:

[screenshot: pasta configuration file]

  7. Version disclosure:

[screenshot: servlet version]

  8. Diagnostics page:

A cool diagnostics page to get even more information 🙂

[screenshot: AOL test page]

  9. Usernames and passwords:

Saving the best for last: usernames and passwords!!!

[screenshot: exposed credentials]

The above passwords are SHA-1 hashed and are easily cracked. As a matter of fact, the above are the default passwords shipped with the Oracle installation.

Remember, this was obtained just by sampling some of the JSPs, servlets and forms. It is not realistic for an external infosec consultant to scope all the JSPs into an engagement. As a resident infosec engineer, I would be keen on all the services, JSPs, servlets, forms, etc. Remember: attackers need to get it right only once; the blue team needs to get it right ALL the time.

Also, keep in mind that while doing a security audit of an ERP, the focus is how much data we can get, not necessarily an OS shell.

This post wouldn’t be complete without some mitigating controls:

  • Reduce the attack surface by removing the JSPs, servlets, services and forms not in use. This should be a well planned operation, and involvement from the business is key. Trust me, you should be able to reduce the attack surface by up to 95%. I would be happy to hear feedback on this. :-)
  • Apply the periodic Oracle EBS critical patch updates (CPUs); this is very key.
  • Block access to links that an unauthenticated user wouldn't need access to. You could start with the ones demonstrated in this post and others that you discover; create a custom 404 page to redirect traffic to these pages.
  • Review access logs and disable unnecessary access.
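A way to drive the last three bullets (and the "remove the JSPs not in use" advice from the auditing post above) from evidence rather than guesswork, as an added example that is not code from the original post: parse the Apache/OHS access log of the EBS web tier and list, per source IP, the dynamic pages that were actually served (HTTP 200) but are not on your anonymous allowlist. Anything that shows up is either a candidate for the block/remove list or a sign the block is not yet working. The sample log and the allowlist are constructed; apart from the page's own jtfLOVInProcess.jsp, the paths are illustrative.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Apache/OHS "combined" access log line (the EBS web tier is Apache-based).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Pages an anonymous visitor legitimately needs. Assumption for this example:
# the real list comes out of the business review the post recommends.
ANON_ALLOWLIST = {"/OA_HTML/AppsLocalLogin.jsp", "/OA_HTML/AppsLogin"}
STATIC_SUFFIXES = (".gif", ".png", ".jpg", ".css", ".js", ".ico")

def parse_line(line: str) -> Optional[dict]:
    """Split one access log line into ip, path (query string dropped) and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status"))}

def served_outside_allowlist(lines: Iterable[str], allowlist=ANON_ALLOWLIST) -> Dict[str, Dict[str, int]]:
    """Per source IP, count dynamic pages that were actually served (HTTP 200) but
    are not on the anonymous allowlist. Non-200 responses are skipped: there the
    block already works."""
    findings: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if rec["path"] in allowlist or rec["path"].lower().endswith(STATIC_SUFFIXES):
            continue
        findings[rec["ip"]][rec["path"]] += 1
    return {ip: dict(c) for ip, c in findings.items()}

# Constructed sample log; IPs, timestamps and user agents are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2018:10:01:02 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Feb/2018:10:01:40 +0000] "GET /OA_HTML/jtfLOVInProcess.jsp?x=1 HTTP/1.1" 200 2210 "-" "curl/7.5"
203.0.113.9 - - [12/Feb/2018:10:02:11 +0000] "GET /OA_HTML/jsp/fnd/fndping.jsp HTTP/1.1" 200 310 "-" "curl/7.5"
203.0.113.9 - - [12/Feb/2018:10:02:30 +0000] "GET /OA_HTML/jtfLOVInProcess.jsp HTTP/1.1" 200 2210 "-" "curl/7.5"
203.0.113.9 - - [12/Feb/2018:10:03:00 +0000] "GET /OA_HTML/cabo/images/t.gif HTTP/1.1" 200 43 "-" "curl/7.5"
198.51.100.7 - - [12/Feb/2018:10:04:12 +0000] "GET /OA_HTML/jsp/fnd/fndping.jsp HTTP/1.1" 403 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, pages in served_outside_allowlist(SAMPLE_LOG.splitlines()).items():
        print(ip, pages)
```

Run it over a week of logs before and after the 404/block change: the "after" output should be empty for external addresses, and whatever remains is the residual attack surface to remove.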

I should be putting up another post on the EBS version 12 pretty soon…cheers!