Alexey Tyurin - HR Hacking — bugs in PeopleSoft

Invest in security
to secure investments

HR Hacking – bugs in PeopleSoft
Alexey Tyurin
Director of consulting department in ERPScan

Alexey Tyurin

• Director of consulting in ERPScan
• XML/WEB/Win/Network security fun
• Hacked a lot of online banking systems

• Co-Organizer of Defcon Russia Group
• Editor of “EasyHack” column for the “Xakep” magazine

@antyurin

erpscan.com

ERPScan — invest in security to secure investments

2

What is it?
•
•
•

Oracle PeopleSoft Apps: HRMS, FMS, SCM, CRM, EPM
Can work as one big portal or separately
Many implementations

erpscan.com


3

PeopleSoft Internet Architecture
•
•

Many applications, but they have one architecture
–

•

Internet oriented since version 8

Based on several special core technologies

erpscan.com


4

PeopleTools:
• Technology
• Developer tools
• Framework
• PeopleCode
All of the applications are created using PeopleTools.

erpscan.com


5


erpscan.com


6

•

Web server
WebLogic /WebSphere
PS Servlets
Forwards request from a browser to an App Server

•

Application server

– PS Services + Tuxedo + Jolt
– Business logic, SQL transaction management, Transport

•

Database server

– System Tables, PeopleTools metadata , PeopleSoft application data

erpscan.com


7


Another view:

erpscan.com


8

•

Users (web browser)
– All common web technologies
– A single escalation point for common and administrative goals

•

Developers (PeopleTools)
– 2-Tier – direct connection to DBMS
– 3-Tier – connection through Application Server. Special ports WSH, WSL.
Essentially, basic SQL requests which are forwarded to DBMS by
Application Server

•

External systems
– Different web services (SOAP, XML) for a cross-system integration

erpscan.com


9


erpscan.com


10

Authentication process and terms:
•
User logs in with their User ID and password.
•
Application Server uses Connect ID to connect to DBMS.
–

•
•
•
*

This account has limited rights in DBMS. It is used to retrieve the
u=User ID and password, which are then compared to the user’s input

If successful, the system takes Symbolic ID (associated with)
User ID.
The system uses Symbolic ID to find in PSACCESSPRFL the
necessary Access ID and the password. This account is
privileged.
The system reconnects to DBMS using Access ID.
Passwords are encrypted.

erpscan.com


11

PeopleSoft Vulns
Some vulns every year, some talks about,
but no info for pentesting…

erpscan.com


12

Google Dorks
• filetype:GBL peoplesoft
• peoplesoft inurl:cmd=login

• intitle:"PeopleSoft Enterprise Sign-in"
• intitle:"WebLogic Server" intitle:"Console Login" inurl:console

• "Welcome to Weblogic Application Server" PeopleSoft

erpscan.com


13

Google Dorks

erpscan.com


14

Detect
•

PS can be “hidden” very well and look totally unlike itself

– Filetype: GBL
– A lot of JavaScripts with version information
– Cookie with PORTAL-PSJSESSIONID
– Cookie PSTOKEN
– Cookie PSLOGINLIST

erpscan.com


15

Ports

erpscan.com


16

Default ports
•
•
•
•
•
•
•

•
•

80, 443 – both ports – WebLogic / PeopleSoft
3050 – Tuxedo (not used in PS)
7000 – WSL – distributes connections on WSH
7001-7005 – WSH – a port on the application server for
developers (3-tier)
7180, 7143 – PS REN server (Real-time EventNotification)
9000 – JSL – distributes connections on JSH (jolt)
9001-9005 – a port on the application server for Jolt
connections from the web server
9500 – PS Debugging port – a port on the application server
(non default)
9100 – Jolt relay (non default)

erpscan.com


17

Default inputs
• A lot of input spots. Scan them!

erpscan.com


18

Default accounts
Some of them:
•
people:peop1e – DB
•
PS:PS – super PS user (also VP1:VP1)
•
“password” for many web services
•
“dayoff” for a Portal servlet
Ex: psp/[site]/?cmd=viewconfig&pwd=dayoff – to see configs

Different way: non-standard Weblogic accounts:
•
system: Passw0rd (password) – main administrator
•
operator: password – operator role
•
monitor: password – monitor role
* The password of “system” is often changed to that of “PS”
erpscan.com


19

WebLogic

•
•
•

WebLogic admin “/console”
On the same port with PeopleSoft application by default
Anyone can try to access the inside with default accounts

erpscan.com


20

Default inf disclosure
• Some of them:

erpscan.com


21

Another classic attack
• Most administrative tasks are fulfilled by administrators through
the portal. XSS is a beautiful attack!
• Ex. 1 (until PT 8.51).
PSOL Full Text Search: XSS in every entry field

erpscan.com


22

Another classic attack
• Ex. 2 (PT 8.53): CVE-2013-3818
Patched in CPU 16 July 2013 (cpujul2013)
http://172.16.0.79/CfgOCIReturn.html?&debug=true&domain=aaa
%27%3Cimg%20src%3D%22zz%22%20onerror%3Dalert%28%22XS
S%22%29%3E

erpscan.com


23

Strange UDDI explorer
One of input spots:
• We can scan internal network via SSRF (time-based)
• We can steal the password of administrator
* But who uses this strange thing?

erpscan.com


24

DEMO

erpscan.com


25

PeopleSoft DoS
•
•
•
•

old research
buffer overflow in login process!!!
we can control the return address
but stack cookie… so only DoS

* Do you think it is secure Java? No, there are too many crashes 
erpscan.com


26

True DoS
• One of input points is Business Interlink
• No authentication
• Simple request
• PeopleSoft сrashes (Java, to be precise ;))

erpscan.com


27

DEMO

erpscan.com


28

XXEs
• Some of input points: PSIGW/*, Business Interlink, SyncServ
• !!!No authentication !!!
• Common XXE injection impact:
– We can read plain text files (not all)
– SSRF
– SSRF+gopher (if JDK <= 1.6)
– SSRF+grab NTLM hashes/SMBRelay (if JDK <= 1.6 and OS = Windows)
– Classic entities DoS?
+ we can list directories and read XML files! (no binary)

CVE-2013-3800, CVE-2013-3819, CVE-2013-3821
Patched in CPU on the 16th July 2013 (cpujul2013)

erpscan.com


29

Encryption
Encryption of password in config files:
•
Some passwords of PeopleSoft are stored in plaintext
•
Some – DES
•
Some – 3DES
•
Some – AES (Weblogic)

DES
•
The key for DES is hardcoded
•
Was used for encryption in the older systems
•
Has no ID at the beginning (such as “{V1.1}”)

erpscan.com


30

Encryption
3DES
•
The key for 3DES is standard by default.
•
You can check it. The string “{V1.1}” before an encrypted
password shows the key is default.
•
After each key regeneration, the number is changed
(1.2, 1.3…).
•
Do you regenerate it?
AES
•
If you want to decrypt with AES, you need
SerializedSystemIni.dat.
•
You can understand that it is AES by the “{AES}” string in the
beginning of an encrypted password.

erpscan.com


31

Whatever do we read?
• Configuration files that can store plaintext passwords:

hcmss.dms, create_accessid.sql
, connect_2005.sql, psprcs.cfg, hcengl.log, dbsetup.xm
l, psappsrv.cfg, resetpswd.dms, hcora.dms, connect.sql
, pswinclt.cfg

* They mostly belong to Connection ID. But there are some PS too.

• Configuration files that can store encrypted passwords
(DES, 3DES, AES):

configuration.properties, gatewayUserProfile.xml, inte
grationGateway.properties, config.xml, security.xml, D
efaultAuthenticatorInit.ldif, boot.properties, nm_pass
word.properties
* They mostly belong to web service. But they can fit forPS too.
erpscan.com


32

Whatever do we read? Issues
• Not all of the listed files can be read by reading data from the
web server
• Passwords from WebLogic accounts are AES-encrypted, the key
is in the binary file
• If the administrator re-generated keys to 3DES ({V1.2},{V1.3
…), the key is also in a binary file which cannot be read through
XXE
• Theoretically, the private SSL key can be read and used for
MitM attacks, but it has to be stored in plain-text. By default, it
is stored in Java storage (binary)

erpscan.com


33

Attack!
1) Read Connection ID and attack through the database. It is
possible to download user hashes and bruteforce them, for
example.
2) From the multitude of configuration files, we can retrieve
various accounts (in the case of v. 1.1 or an old PT version with
DES) and use it to find the password for the PS acount in Portal.
3) We can read the file nm_password.properties of
WebLogic, which stores the hash of the node manager
password (similar to the password of the user “system” in
WebLogic by default).

erpscan.com


34

DEMO

erpscan.com


35

Alexey Tyurin - HR Hacking — bugs in PeopleSoft

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Alexey Tyurin - HR Hacking — bugs in PeopleSoft

Semelhante a Alexey Tyurin - HR Hacking — bugs in PeopleSoft (20)

Mais de DefconRussia

Mais de DefconRussia (20)

Último

Último (20)

Alexey Tyurin - HR Hacking — bugs in PeopleSoft