Unbreakable Oracle ERPs? Attacks on Siebel & JD Edwards
Juan Perez-Etchegoyen - [email protected]
Jordan Santarsieri - [email protected]
October 26th, 2012, AppSecUSA 2012


Page 2: Unbreakable oracle er_ps_siebel_jd_edwards

www.onapsis.com – © 2012 Onapsis, Inc. – All rights reserved

Disclaimer

This publication is copyright 2012 Onapsis, Inc. – All rights reserved.

This publication contains references to products of Oracle. The products and services mentioned herein are trademarks or registered trademarks of Oracle in all countries all over the world.

Oracle Corporation is neither the author nor the publisher of this publication and is not responsible for its content, and Oracle Corporation shall not be liable for errors or omissions with respect to the materials.

Page 3: Unbreakable oracle er_ps_siebel_jd_edwards


Attacks to SAP Web Applications

Agenda

Introduction

What is Siebel?

Attacks on Siebel

What is JD-Edwards?

Attacks on JDE

Conclusions

Cyber-Attacks to SAP Systems

Page 4: Unbreakable oracle er_ps_siebel_jd_edwards


Introduction

Page 5: Unbreakable oracle er_ps_siebel_jd_edwards


Who is Onapsis, Inc.? A company focused on the security of ERP systems and business-critical infrastructure (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …). Working with Global Fortune-100 and large governmental organizations.

What does Onapsis do?

Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IPS).

ERP security consulting services.

Trainings on business-critical infrastructure security.

Who are we? Juan, CTO at Onapsis. Jordan, Senior ERP Security Researcher.

Discovered several vulnerabilities in SAP, Microsoft, IBM, Oracle...

Speakers/Trainers at BlackHat, HITB, DeepSec, Source, Ekoparty, 8dot8...

Authors of the “SAP Security In-Depth” publication.

Page 6: Unbreakable oracle er_ps_siebel_jd_edwards

A Business-Critical Infrastructure

● ERP systems store and process the most critical business information in the organization.

● If the ERP platform is breached, an intruder would be able to perform different attacks, such as:

ESPIONAGE: Obtain customer/vendor/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.

SABOTAGE: Paralyze the operation of the organization by shutting down the ERP system, disrupting interfaces with other systems, deleting critical information, etc.

FRAUD: Modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.

Page 7: Unbreakable oracle er_ps_siebel_jd_edwards


What is Siebel?

Page 8: Unbreakable oracle er_ps_siebel_jd_edwards


What is Siebel ?

● Siebel is a CRM (Customer Relationship Management) system. The main goal of this type of system is to keep a record of every interaction (whether direct or indirect) between the company and its clients.

● It was originally developed and owned by Siebel Systems, which Oracle acquired in September 2005 for approximately $5.8 billion.

● Because of the type of information stored in Siebel systems, they are also considered “mission-critical systems” within large companies.

● It is used by some of the largest organizations in the world and is currently considered one of the most popular and mature CRMs on the market.

Page 9: Unbreakable oracle er_ps_siebel_jd_edwards


What is Siebel ?

In a typical scenario, the Siebel application will hold data such as:

● Credit card information

● Billing information (name, address, level of income)

● Family tree (names of your father, mother, wife, etc.)

● Your habits as a consumer (Do you spend more money at Christmas? On holidays? Which brands do you prefer?)

This kind of information is highly valuable, not only for the company but also for a potential attacker or competitor.

Page 10: Unbreakable oracle er_ps_siebel_jd_edwards


Attacks on Siebel

Page 11: Unbreakable oracle er_ps_siebel_jd_edwards


Discovering Siebel Servers Online

● Many Siebel servers are connected to the Internet, and some of them allow anyone to register in the system with no requirements.

● Attackers know how to find them using regular search engines, so the tools to do it are out there!

Page 12: Unbreakable oracle er_ps_siebel_jd_edwards


Siebel Anonymous User

● The anonymous user is required even if the application does not allow access by unregistered users. When Siebel starts up, it uses the anonymous user account to connect to the user “datasource” and retrieve information (such as the license key) before presenting the login page.

● If it is deleted, no one will be able to access Siebel.

● At installation time, you have to choose an already-created user that is going to be the anonymous user.

Page 13: Unbreakable oracle er_ps_siebel_jd_edwards


Demo: Anonymous user bypass

Page 14: Unbreakable oracle er_ps_siebel_jd_edwards


Bypassing the Siebel login

● By definition, the anonymous user should be a low-privileged user, but... many Siebel administrators and developers configure a high-privileged user in order to avoid configuration issues.

● As a result of this misconfiguration, the login screen can be bypassed and an attacker might be able to take complete control of the Siebel server remotely.

● This would lead to a full compromise of the CRM and of the information stored and processed on the system.

Page 15: Unbreakable oracle er_ps_siebel_jd_edwards


Protection / Countermeasure

In the Siebel configuration file, set the “anonymous user” property to a low-privileged user: a dedicated account with the minimum set of responsibilities needed to reach the login page, never an administrator.
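As an added example (not part of the original deck and not Oracle's code), the following script audits the anonymous-user setting in a Siebel Web Server Extension configuration file. It assumes the eapps.cfg layout as I recall it: a [defaults] section holding AnonUserName, which each application section may override. The parameter names, the SADMIN account name, the GUESTCST guest account and the sample file are assumptions or constructed data for this illustration; verify them against your own installation.

```python
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed eapps.cfg excerpt (not a real customer file). Section and key names
# are what I recall from the Siebel Web Server Extension; verify on your install.
SAMPLE_EAPPS_CFG = """
[defaults]
AnonUserName = GUESTCST
AnonPassword = ********

[/sales_enu]
ConnectString = siebel.TCPIP.None.None://siebelsrvr:2321/SBA/SSEObjMgr_enu

[/eservice_enu]
AnonUserName = SADMIN
AnonPassword = ********
"""

# Assumption: SADMIN is the out-of-the-box administrator. Add every account that
# carries the Siebel Administrator responsibility in your deployment.
PRIVILEGED_ACCOUNTS = {"SADMIN"}


def parse_eapps(cfg_text: str) -> configparser.ConfigParser:
    """Parse an eapps.cfg-style INI file, keeping key names as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lowercase AnonUserName etc.
    cp.read_string(cfg_text)
    return cp


def effective_anon_users(cfg_text: str) -> Dict[str, Optional[str]]:
    """Resolve the anonymous user per application: section value, else [defaults]."""
    cp = parse_eapps(cfg_text)
    default_user = cp["defaults"].get("AnonUserName") if cp.has_section("defaults") else None
    resolved: Dict[str, Optional[str]] = {}
    for section in cp.sections():
        if section == "defaults":
            continue
        resolved[section] = cp[section].get("AnonUserName", default_user)
    return resolved


def audit_anonymous_users(cfg_text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (application, anon_user, finding) for every misconfigured application."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for app, user in effective_anon_users(cfg_text).items():
        if user is None:
            findings.append((app, None, "no anonymous user configured; application cannot start"))
        elif user.upper() in PRIVILEGED_ACCOUNTS:
            findings.append((app, user, "privileged anonymous user: login screen can be bypassed"))
    return findings


if __name__ == "__main__":
    for app, user, finding in audit_anonymous_users(SAMPLE_EAPPS_CFG):
        print(f"{app}: {user} -> {finding}")
```

Point the script at the real eapps.cfg and feed PRIVILEGED_ACCOUNTS from the list of users holding administrative responsibilities in the Siebel database; the per-application override is the case that a quick grep for AnonUserName in [defaults] alone will miss.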

Page 16: Unbreakable oracle er_ps_siebel_jd_edwards


Siebel Access Control

● Siebel has two different access control methods:

● Access restriction at the view level (limits who can access the views).

● Access restriction at the business component level (limits who can access the data).

● Both mechanisms are meant to prevent unauthorized access to restricted data that should only be available to a set of users.

Page 17: Unbreakable oracle er_ps_siebel_jd_edwards


Siebel Query Language

● Siebel Query Language is an expression language used in many places in Siebel.

● It was originally created to filter the data shown in an applet.

● The ability to execute a Siebel Query Language query is not restricted by any kind of authorization check: if the query functionality is present in the applet, any user can use it, regardless of privileges.

Page 18: Unbreakable oracle er_ps_siebel_jd_edwards


Demo: Siebel Query Language Injection

Page 19: Unbreakable oracle er_ps_siebel_jd_edwards


Siebel Query Language

● Using a Siebel Query expression, a remote, authenticated attacker is able to bypass both authorization mechanisms and retrieve all the data in the database that is mapped to a business component field (except calculated fields).

● The exploitation procedure is very similar to exploiting a blind SQL injection, with a strong manual component: the attacker learns a hidden value only from whether or not a record still shows up after the query.

Page 20: Unbreakable oracle er_ps_siebel_jd_edwards


Protection / Countermeasure

Using eScript, catch the PreQuery event or the query-invocation methods and apply a custom filter that prevents the use of dangerous functions and of fields the applet does not expose.
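The following added example (mine, not from the deck or from Oracle) shows both sides of the previous two slides: the blind, character-by-character extraction of a field the attacker is not supposed to see, and a PreQuery-style filter that stops it. The Siebel query syntax ([Field Name] LIKE 'pattern' with * as wildcard), the field names and the rows are assumptions or constructed data; the filter is written in Python as a stand-in for the eScript hook, since the deck gives no eScript.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed business-component rows. Only "Id" and "Last Name" are shown in
# the applet; "Card Number" is a field the user's responsibility should never reveal.
ROWS: List[Dict[str, str]] = [
    {"Id": "1-ABC", "Last Name": "Smith", "Card Number": "4111111111111111"},
    {"Id": "1-DEF", "Last Name": "Jones", "Card Number": "5500000000000004"},
]

# Assumed query syntax: [Field Name] LIKE 'pattern', with * as the wildcard.
LIKE_RE = re.compile(r"^\[(?P<field>[^\]]+)\]\s+LIKE\s+'(?P<pattern>[^']*)'$", re.IGNORECASE)
FIELD_REF = re.compile(r"\[([^\]]+)\]")


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the * wildcard into a regex; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def evaluate(expr: str, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Stand-in for the applet query: every mapped field is searchable, no authorization check."""
    m = LIKE_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    rx = like_to_regex(m["pattern"])
    return [r for r in rows if rx.match(r.get(m["field"], ""))]


def row_visible(expr: str, row_id: str) -> bool:
    """The only signal the attacker gets: does the record still show up after the query?"""
    return any(r["Id"] == row_id for r in evaluate(expr, ROWS))


def blind_extract(field: str, row_id: str, oracle: Callable[[str, str], bool],
                  alphabet: str = "0123456789", max_len: int = 32) -> str:
    """Recover a hidden field one character at a time from a yes/no oracle,
    exactly like a boolean-based blind SQL injection."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            if oracle(f"[{field}] LIKE '{known}{ch}*'", row_id):
                known += ch
                break
        else:
            break  # no character extends the prefix: the value is fully recovered
    return known


# --- countermeasure: a PreQuery-style filter (Python stand-in for the eScript hook) ---
ALLOWED_FIELDS = {"Id", "Last Name"}  # the fields this applet actually exposes


def pre_query_filter(expr: str, allowed=ALLOWED_FIELDS) -> Tuple[bool, str]:
    """Reject any expression that references a field the applet does not display."""
    for field in FIELD_REF.findall(expr):
        if field not in allowed:
            return False, f"field not exposed by this applet: {field}"
    return True, ""


def guarded_evaluate(expr: str, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    ok, why = pre_query_filter(expr)
    if not ok:
        raise PermissionError(why)
    return evaluate(expr, rows)


if __name__ == "__main__":
    print(blind_extract("Card Number", "1-ABC", row_visible))  # leaks the hidden field
    print(pre_query_filter("[Card Number] LIKE '4*'"))       # (False, ...) with the filter in place
```

The extraction needs one query per candidate character per position (about 160 queries for a 16-digit value over a digit alphabet), which is why the talk calls it a strongly manual procedure; the filter works because it is keyed on the applet's displayed fields rather than on the user's responsibility, which the query path never consults.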

Page 21: Unbreakable oracle er_ps_siebel_jd_edwards


What is JD Edwards?

Page 22: Unbreakable oracle er_ps_siebel_jd_edwards


What is JD Edwards?

“Oracle's JD Edwards EnterpriseOne is an integrated applications suite of comprehensive enterprise resource planning software that combines business value, standards-based technology, and deep industry experience into a business solution with a low total cost of ownership. EnterpriseOne is the first ERP solution to run all applications on Apple iPad. JD Edwards EnterpriseOne also delivers mobile applications.” http://bit.ly/TBRBfD

● ERP software widely used in specific industries (such as real estate).

● The products currently supported by Oracle are JDE EnterpriseOne and JDE World.

● Oracle has stated it will continue developing and supporting these products indefinitely.

Page 23: Unbreakable oracle er_ps_siebel_jd_edwards


JD Edwards Infrastructure

The JD Edwards infrastructure is based on a layered stack:

● Communication is based on protocols such as HTTP, ODBC and JDENET.

● Communication with the database is provided by an abstraction called JDEBase.

● JDENET is used to communicate with the Enterprise Server. http://bitly.com/QB12xx

Page 24: Unbreakable oracle er_ps_siebel_jd_edwards


JDE Enterprise Server

● It is the most important server in the whole infrastructure, as it is the component in charge of executing the business processes of the company that are covered by the ERP.

● Exposes the JDENET service, which is used to receive messages.

● Its configuration is driven by a text file (JDE.ini).

● The services architecture is based on kernel processes, where each kernel process is a DLL with the ability to process different types of messages.

Page 25: Unbreakable oracle er_ps_siebel_jd_edwards


JDE Kernels

● Kernels are defined in JDE.INI, and each kernel processes a range of message types (see the files MsgType.h and JDENET.H).

● For each kernel (DLL), a function is defined that will be called for each message in the kernel's range.

● Each kernel process provides a very specific set of functionalities.

● Critical kernels:

● Security Kernel

● System Adm. Kernel

● JDBNet Kernel

● (actually, all of them are!)

Page 26: Unbreakable oracle er_ps_siebel_jd_edwards


JDENET

● Application-level network protocol used to communicate with the JD Edwards Enterprise Server.

● Configured by default on TCP port 6015 to receive messages.

● Also listens on UDP port 6015 to receive “commands”.

The protocol is message-based, meaning that you send messages (of a specific TYPE) and each message contains different “packets”:

● nNoPacket

● nDataPacket

● nFilePacket

● nUnicodePacket

● nShortArrayPacket

● nIntArrayPacket

Page 27: Unbreakable oracle er_ps_siebel_jd_edwards


Attacks on JDE

Page 28: Unbreakable oracle er_ps_siebel_jd_edwards


Default Users

When a JD Edwards system is installed, several standard users are configured in the database with default passwords (password = username):

JDE CRPCTL CRPDTA TESTCTL TESTDTA PRDCTL PRDDTA PS900CTL PS900DTA DD900 OL900 DV900 PD900 PY900 JDEDBA APPLEAD SVM900 SY900 …

Depending on the user, it is possible to access ALL information stored in the database.

Page 29: Unbreakable oracle er_ps_siebel_jd_edwards


Protection / Countermeasure

Change the default passwords of ALL standard users. Additionally, avoid setting weak passwords for the database users, whether they are used directly or as proxy users.

Page 30: Unbreakable oracle er_ps_siebel_jd_edwards


Control Commands

● Commands can be sent via UDP to port 6015. Some of the accepted commands are:

SHOWCONN TOGGLE_LOG CONNECT_FROM CONNECT_TO CONNECT_REJECT GET_WRKMGT VIEW_KERNEL_TRACE SHUTDOWN USRBROADCAST

Wait a minute… did you say SHUTDOWN???

Page 31: Unbreakable oracle er_ps_siebel_jd_edwards


Demo: Control Commands

Page 32: Unbreakable oracle er_ps_siebel_jd_edwards


Control Commands

● This attack is possible if a remote, unauthenticated attacker is able to reach UDP port 6015.

● A tiny packet containing the ASCII string “SHUTDOWN” can be crafted and sent over UDP to that port.

● The packet is received by the JDENET_n process, which, as programmed, triggers the shutdown of itself along with all kernel processes.

● As a result of sending the packet, the whole JDE Enterprise Server shuts down, breaking every active interface and business process. The financial losses of such an attack can be enormous.

Page 33: Unbreakable oracle er_ps_siebel_jd_edwards


Protection / Countermeasure

Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU. Until the patch is deployed, restrict UDP port 6015 on the Enterprise Server to administrative hosts at the network level, since the attack only works for whoever can reach that port.
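As an added example (not from the deck, not Oracle's code), here is the detection side of the control-command slides: a classifier for UDP datagrams aimed at port 6015 that flags the command names listed above, with SHUTDOWN as critical and anything from outside an administrative network escalated. The severity ranking, the admin network range and the sample datagrams are my own assumptions or constructed data; a real deployment would feed it from a packet capture or a sensor on the Enterprise Server's segment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

JDENET_UDP_PORT = 6015

# Control commands named in the talk. The severities are my own triage, not Oracle's.
COMMAND_SEVERITY: Dict[str, str] = {
    "SHUTDOWN": "critical",       # stops JDENET and every kernel process
    "TOGGLE_LOG": "high",         # can switch logging off before further activity
    "CONNECT_REJECT": "high",
    "CONNECT_FROM": "medium",
    "CONNECT_TO": "medium",
    "USRBROADCAST": "medium",
    "SHOWCONN": "low",
    "GET_WRKMGT": "low",
    "VIEW_KERNEL_TRACE": "low",
}

# Assumption: the only hosts that should ever send control commands to the server.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]


@dataclass
class Datagram:
    src: str
    dst_port: int
    payload: bytes


def extract_command(payload: bytes) -> Optional[str]:
    """Commands are plain ASCII; tolerate NUL padding and trailing newlines, ignore anything else."""
    token = payload.split(b"\x00", 1)[0].strip()
    if not token:
        return None
    text = token.decode("ascii", errors="replace").upper()  # case-insensitive on purpose: detect, do not assume
    return text if text in COMMAND_SEVERITY else None


def classify(dg: Datagram) -> Optional[Dict[str, str]]:
    """Return an alert for a datagram carrying a JDENET control command, else None."""
    if dg.dst_port != JDENET_UDP_PORT:
        return None
    cmd = extract_command(dg.payload)
    if cmd is None:
        return None
    from_admin = any(ipaddress.ip_address(dg.src) in net for net in ADMIN_NETWORKS)
    severity = COMMAND_SEVERITY[cmd]
    if not from_admin and severity != "critical":
        severity = "high"  # any control traffic from outside the admin range is suspicious
    return {"src": dg.src, "command": cmd, "severity": severity, "from_admin": str(from_admin)}


def scan(datagrams: List[Datagram]) -> List[Dict[str, str]]:
    return [alert for alert in map(classify, datagrams) if alert]


# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    Datagram("10.10.5.3", 6015, b"SHOWCONN\x00"),        # admin host asking for connections
    Datagram("203.0.113.7", 6015, b"SHUTDOWN"),          # the attack from the slide
    Datagram("203.0.113.7", 6015, b"GET_WRKMGT\n"),      # recon from the same outsider
    Datagram("203.0.113.7", 6016, b"SHUTDOWN"),          # wrong port: ignored
    Datagram("198.51.100.9", 6015, b"\x01\x02garbage"),  # not a control command: ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

Because the command is a bare ASCII string with no authentication, there is nothing else in the datagram to key on; source address plus command name is the whole signal, which is also why the network restriction in the countermeasure matters until the CPU is applied.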

Page 34: Unbreakable oracle er_ps_siebel_jd_edwards


Sensitive Information Retrieval

● Several message types allow a potential remote, unauthenticated user to retrieve information that could be used to compromise the system.

● An example of such an attack is the ability to remotely retrieve information from the JDE.INI file, which holds configuration information but also sensitive information in clear text, such as:

● Kernel types and configuration.

● Security Server configuration.

● SSO node information.

● Database information.

● ……

Page 35: Unbreakable oracle er_ps_siebel_jd_edwards


Demo: Sensitive Information Retrieval

Page 36: Unbreakable oracle er_ps_siebel_jd_edwards


Sensitive Information Retrieval

● A remote, unauthenticated user that is able to reach the JDENET service will be able to retrieve credentials to connect to the database.

● The credentials are stored in clear text, so no brute-force or decryption process is required.

● The attacker can then connect to the ERP system's production database using the retrieved credentials.

● Once connected, the attacker can access any business-related or technical table. Specifically, they can access the F98OWSEC table, which holds the users' passwords.

Do you know which hashing mechanism is used to store these passwords?

None. User passwords are “encrypted” using XOR, which is reversible: whoever can read the table and the key material can decode every password, so it offers none of the protection of a real password hash.

Page 37: Unbreakable oracle er_ps_siebel_jd_edwards


Protection / Countermeasure

Apply the latest Oracle Critical Patch Update, as the fix for this attack was released by Oracle in a scheduled CPU.
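The following added example (mine, not from the deck or from Oracle) shows why the XOR scheme mentioned on the previous slide is not a hash: with one account whose password you already know (a default user whose password is still its username, say), the key stream falls out of the stored value and decodes every other row. The key bytes, the user/password pairs and the table are constructed for the illustration; I do not know the real key, and the real F98OWSEC layout is not reproduced. The second half shows what the column should contain instead: a salted, slow, one-way hash.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for whatever fixed XOR key the product uses; the real one is not known to me.
DEMO_XOR_KEY = b"\x5a\x13\x9c\x7e\x21\xd0\x44\x8b"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the 'encryption' the talk refers to)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_demo_table(key: bytes = DEMO_XOR_KEY) -> Dict[str, bytes]:
    """Constructed F98OWSEC-like rows: user -> XOR-obscured password (passwords are made up)."""
    plaintexts = {"JDE": "JDE", "APPLEAD": "Welcome1", "PRDDTA": "Pr0duction!"}
    return {user: xor_bytes(pw.encode(), key) for user, pw in plaintexts.items()}


def recover_key_stream(known_password: str, stored: bytes) -> bytes:
    """Known plaintext: ciphertext XOR plaintext gives back the key stream for those positions."""
    pt = known_password.encode()
    return xor_bytes(stored[: len(pt)], pt)


def decrypt_with_stream(stored: bytes, stream: bytes, period: Optional[int] = None) -> str:
    """Decode a stored value with a recovered key stream.
    With a confirmed key period the whole value is recovered; without one, only the
    bytes the stream covers are certain and the remainder is shown as '?'."""
    if period is not None:
        return xor_bytes(stored, stream[:period]).decode()
    covered = xor_bytes(stored[: len(stream)], stream).decode()
    return covered + "?" * max(0, len(stored) - len(stream))


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """What the column should hold instead: 16-byte random salt followed by PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Constant-time comparison against the stored salt+digest; the password is never recoverable."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_demo_table()
    stream = recover_key_stream("Welcome1", table["APPLEAD"])  # one known password is enough
    for user, blob in table.items():
        print(user, decrypt_with_stream(blob, stream, period=len(DEMO_XOR_KEY)))
```

The period argument is the one piece of judgement: a known password shorter than the key only yields a prefix of the stream, which still exposes the leading characters of every other password, and two or three known rows are normally enough to confirm the period and finish the job. A per-user random salt and a slow KDF remove both properties: knowing one password tells you nothing about the others.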

Page 38: Unbreakable oracle er_ps_siebel_jd_edwards


The tip of the iceberg…

Onapsis is a pioneer in analyzing the technical security of ERP systems such as SAP. To gain insight into the security of other ERPs, we did deep research on JD Edwards, resulting in:

● Over 20 vulnerabilities detected, most of them critical.

● Oracle took almost 2 years to fix them.

● Most of the vulnerabilities can be exploited by remote, unauthenticated attackers.

● Several vulnerabilities were caused by design flaws.

● The last fix is still pending and will be released in the next CPU.

Page 39: Unbreakable oracle er_ps_siebel_jd_edwards


The tip of the iceberg…

The following security advisories are a sample of the ones that have

already been released by Onapsis:

● ONAPSIS-2012-007: SawKernel SET_INI Configuration Modification

● ONAPSIS-2012-006: JDENET Large Packets Denial of Service

● ONAPSIS-2012-004: SawKernel GET_INI Information Disclosure

● ONAPSIS-2012-003: SawKernel Arbitrary File Read

● ONAPSIS-2012-002: Security Kernel Remote Password Disclosure

● ONAPSIS-2012-001: JDENET Arbitrary File Write

● ONAPSIS-2011-012: JDENET Firewall Bypass

● ONAPSIS-2011-011: JDENET Buffer Overflow

● ONAPSIS-2011-010: JDENET Logging Deactivation

● ONAPSIS-2011-009: JDENET SawKernel Remote Password Disclosure

● ONAPSIS-2011-008: JDENET CallObjectKernel Remote Command Exec

● ONAPSIS-2011-007: JDENET Kernel Shutdown Denial of Service

Download them at www.onapsis.com!

Page 40: Unbreakable oracle er_ps_siebel_jd_edwards


Conclusions

Page 41: Unbreakable oracle er_ps_siebel_jd_edwards


Conclusions

● ERP systems are among the most critical systems in the organization, and that makes them a really interesting target for attackers.

● Segregation of Duties controls are necessary, but not enough! It is important to protect the systems not only from the authorizations (roles and profiles) perspective but also at the technical level.

● Attacks on vulnerabilities at the technical level are even more critical than SoD violations, as no user account is required and a full compromise of all the information can be achieved.

● While SAP has been in the spotlight in the last few years, Oracle ERP systems are also prone to highly critical vulnerabilities.

● We will release new modules for the Bizploit framework soon! Also stay tuned for some PeopleSoft news to come.

Page 42: Unbreakable oracle er_ps_siebel_jd_edwards


Questions? [email protected]

[email protected]

@jp_pereze

@jsansec

Page 43: Unbreakable oracle er_ps_siebel_jd_edwards


Thank you!

www.onapsis.com

Follow us! @onapsis