1 / 36

HR Hacking – bugs in PeopleSoft Alexey Tyurin Director of consulting department in ERPScan

HR Hacking – bugs in PeopleSoft Alexey Tyurin Director of consulting department in ERPScan. Alexey Tyurin. Director of consulting in ERPScan XML/WEB/Win/Network security fun Hacked a lot of online banking systems Co-Organizer of Defcon Russia Group

yorick
Download Presentation

HR Hacking – bugs in PeopleSoft Alexey Tyurin Director of consulting department in ERPScan

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HR Hacking – bugs in PeopleSoftAlexey Tyurin Director of consulting department in ERPScan

  2. Alexey Tyurin • Director of consulting in ERPScan • XML/WEB/Win/Network security fun • Hacked a lot of online banking systems • Co-Organizer of Defcon Russia Group • Editor of “EasyHack” column for the “Xakep” magazine @antyurin ERPScan — invest in security to secure investments

  3. What is it? Oracle PeopleSoft Apps: HRMS, FMS, SCM, CRM, EPM Can work as one big portal or separately Many implementations erpscan.com ERPScan — invest in security to secure investments 3

  4. PeopleSoft Internet Architecture Many applications, but they have one architecture PeopleSoft Internet Architecture Internet oriented since version 8 Based on several special core technologies erpscan.com ERPScan — invest in security to secure investments 4

  5. PeopleSoft Internet Architecture PeopleTools: Technology Developer tools Framework PeopleCode All of the applications are created usingPeopleTools. erpscan.com ERPScan — invest in security to secure investments 5

  6. PeopleSoft Internet Architecture erpscan.com ERPScan — invest in security to secure investments 6

  7. PeopleSoft Internet Architecture Web server WebLogic /WebSphere PS Servlets Forwards request from a browser to an App Server Application server PS Services +Tuxedo + Jolt Business logic, SQL transaction management, Transport Database server SystemTables, PeopleToolsmetadata, PeopleSoftapplicationdata erpscan.com ERPScan — invest in security to secure investments 7

  8. PeopleSoft Internet Architecture Another view: erpscan.com ERPScan — invest in security to secure investments 8

  9. PeopleSoft Internet Architecture Users (web browser) – All common web technologies – A single escalation point for common and administrative goals Developers (PeopleTools) – 2-Tier – direct connection to DBMS – 3-Tier – connection throughApplication Server. Special portsWSH, WSL. Essentially, basic SQL requests which are forwarded to DBMS by Application Server External systems – Different web services (SOAP, XML) for a cross-system integration erpscan.com ERPScan — invest in security to secure investments 9

  10. PeopleSoft Internet Architecture erpscan.com ERPScan — invest in security to secure investments 10

  11. PeopleSoft Internet Architecture Authentication process and terms: User logs in with theirUserID and password. ApplicationServerusesConnect ID to connect to DBMS. This account has limited rights in DBMS. It is used to retrieve the u=UserIDand password, which are then compared to the user’s input If successful, the system takes Symbolic ID (associated with) User ID. The system usesSymbolic ID to find in PSACCESSPRFL the necessaryAccessIDand the password. This account is privileged. The system reconnects to DBMS usingAccess ID. * Passwords are encrypted. erpscan.com ERPScan — invest in security to secure investments 11

  12. PeopleSoft Vulns Some vulns every year, some talks about, but no info for pentesting… erpscan.com ERPScan — invest in security to secure investments 12

  13. Google Dorks filetype:GBLpeoplesoft peoplesoftinurl:cmd=login intitle:"PeopleSoft Enterprise Sign-in" intitle:"WebLogic Server" intitle:"Console Login" inurl:console "Welcome to Weblogic Application Server" PeopleSoft erpscan.com ERPScan — invest in security to secure investments 13

  14. Google Dorks erpscan.com ERPScan — invest in security to secure investments 14

  15. Detect PS canbe“hidden” very well and look totally unlike itself Filetype: GBL A lot of JavaScripts with version information Cookie with PORTAL-PSJSESSIONID Cookie PSTOKEN Cookie PSLOGINLIST erpscan.com ERPScan — invest in security to secure investments 15

  16. Ports erpscan.com ERPScan — invest in security to secure investments 16

  17. Default ports 80, 443 – bothports – WebLogic / PeopleSoft 3050 – Tuxedo (notusedinPS) 7000 – WSL – distributesconnectionsonWSH 7001-7005 – WSH –a portontheapplication server fordevelopers(3-tier) 7180, 7143 – PS REN server (Real-timeEventNotification) 9000 – JSL –distributesconnectionson JSH (jolt) 9001-9005 – aportontheapplication server forJoltconnectionsfromthewebserver 9500 – PS Debugging port – a portontheapplication server (non default) 9100 – Jolt relay (non default) erpscan.com ERPScan — invest in security to secure investments 17

  18. Default inputs A lot of input spots. Scan them! erpscan.com ERPScan — invest in security to secure investments 18

  19. Default accounts Some of them: people:peop1e – DB PS:PS – super PS user (also VP1:VP1) “password” for many web services “dayoff” for a Portal servlet Ex: psp/[site]/?cmd=viewconfig&pwd=dayoff – to see configs Different way: non-standard Weblogic accounts: system: Passw0rd (password) – main administrator operator: password – operator role monitor: password – monitor role * The password of“system” is often changed to that of“PS” erpscan.com ERPScan — invest in security to secure investments 19

  20. WebLogic WebLogic admin “/console” On the same port with PeopleSoft application by default Anyone can try to access the inside with default accounts erpscan.com ERPScan — invest in security to secure investments 20

  21. Default inf disclosure Some of them: erpscan.com ERPScan — invest in security to secure investments 21

  22. Another classic attack Most administrative tasks are fulfilled by administrators through the portal. XSS is a beautiful attack! Ex. 1 (until PT 8.51). PSOL Full Text Search: XSS in every entry field erpscan.com ERPScan — invest in security to secure investments 22

  23. Another classic attack Ex. 2 (PT 8.53):CVE-2013-3818Patched in CPU 16 July 2013 (cpujul2013) http://172.16.0.79/CfgOCIReturn.html?&debug=true&domain=aaa%27%3Cimg%20src%3D%22zz%22%20onerror%3Dalert%28%22XSS%22%29%3E erpscan.com ERPScan — invest in security to secure investments 23

  24. Strange UDDI explorer One of input spots: We can scan internal network via SSRF (time-based) We can steal the password of administrator * But who uses this strange thing? erpscan.com ERPScan — invest in security to secure investments 24

  25. DEMO ERPScan — invest in security to secure investments

  26. PeopleSoft DoS • old research • buffer overflow in login process!!! • we can control the return address • but stack cookie… so only DoS * Do you think it is secure Java? No, there are too many crashes  erpscan.com ERPScan — invest in security to secure investments 26

  27. True DoS One of input points is Business Interlink No authentication Simple request PeopleSoft сrashes (Java, to be precise ;)) erpscan.com ERPScan — invest in security to secure investments 27

  28. DEMO ERPScan — invest in security to secure investments

  29. XXEs Some of input points: PSIGW/*, Business Interlink, SyncServ !!!No authentication !!! Common XXE injection impact: We can read plain text files (not all) SSRF SSRF+gopher (if JDK <= 1.6) SSRF+grab NTLM hashes/SMBRelay(if JDK <= 1.6 and OS = Windows) Classic entities DoS? + we can list directories and read XML files! (no binary) CVE-2013-3800, CVE-2013-3819, CVE-2013-3821Patched in CPU on the 16th July 2013 (cpujul2013) erpscan.com ERPScan — invest in security to secure investments 29

  30. Encryption Encryption of password in config files: Some passwords of PeopleSoft are stored in plaintext Some – DES Some – 3DES Some – AES (Weblogic) DES The key for DES is hardcoded Wasusedforencryptionintheoldersystems Hasno ID atthebeginning (suchas“{V1.1}”) erpscan.com ERPScan — invest in security to secure investments 30

  31. Encryption 3DES The key for 3DES is standard by default. You can check it. The string “{V1.1}” before an encrypted password shows the key is default. After each key regeneration, the number is changed (1.2, 1.3…). Do you regenerate it? AES If you want to decrypt with AES, you need SerializedSystemIni.dat. You can understand that it is AES by the “{AES}” string in the beginning of an encrypted password. erpscan.com ERPScan — invest in security to secure investments 31

  32. Whatever do we read? Configuration files that can store plaintext passwords: hcmss.dms, create_accessid.sql , connect_2005.sql, psprcs.cfg, hcengl.log, dbsetup.xml, psappsrv.cfg, resetpswd.dms, hcora.dms, connect.sql, pswinclt.cfg * They mostly belong toConnection ID. But there are somePS too. Configuration files that can store encrypted passwords (DES, 3DES, AES): configuration.properties, gatewayUserProfile.xml, integrationGateway.properties, config.xml, security.xml, DefaultAuthenticatorInit.ldif, boot.properties, nm_password.properties * They mostly belong toweb service. But they can fit forPStoo. erpscan.com ERPScan — invest in security to secure investments 32

  33. Whatever do we read? Issues Not all of the listed files can be read by reading data from the web server Passwords from WebLogic accounts are AES-encrypted, the key is in the binary file If the administrator re-generated keys to 3DES ({V1.2},{V1.3 …), the key is also in a binary file which cannot be read through XXE Theoretically, the private SSL key can be read and used for MitM attacks, but it has to be stored in plain-text. By default, it is stored inJava storage (binary) erpscan.com ERPScan — invest in security to secure investments 33

  34. Attack! ReadConnection ID and attack through the database. It is possible to download user hashes and bruteforce them, for example. From the multitude of configuration files, we can retrieve various accounts (in the case ofv. 1.1 or an old PT version with DES) and use it to find the password for the PS acount in Portal. We can read the filenm_password.properties ofWebLogic, which stores the hash of thenode manager password (similar to the password of the user “system” in WebLogic by default). erpscan.com ERPScan — invest in security to secure investments 34

  35. DEMO ERPScan — invest in security to secure investments

  36. Greetz to our crew who helped

More Related