PeopleSoft: HACK THE Planet^W university
by Dmitry Iudin, Security Researcher at ERPScan
Security Researcher
Dmitry Yudin
@ret5et
PeopleSoft
Used by:
Universities
Government and its institutions
Large enterprises, etc.
PeopleSoft
Campus solutions
Human Capital Management
Financial Management
Supplier Relationship Management …
Attack Targets
• Personal information
• SSN
• Salary data
• Payment information
• Credit card data
• Bank account data
• Bidding information
- RFP
- Prices
Attack Targets
• Espionage
• Theft of financial information
• Corporate trade secret theft
• Theft of supplier and customer lists
• Stealing HR data (employee data theft)
• Sabotage
• Denial of service
• Tampering with financial reports
• Fraud
- False transactions
- Modification of master data
PeopleSoft
A Bit of Theory
PeopleSoft Pure Internet Architecture
The Web Server
Web Server
• Host PeopleSoft Servlets
• Communicates with AppServer
• Front end
PeopleSoft Application Server
DATABASE
Configuration and Deployment Options
AppServer and database on same server
PeopleSoft Pure Internet Architecture
• These 3 main components are common for all PeopleSoft applications.
• All applications mainly differ only in business logic that exists in a database.
• Pwning these components is equal to Pwning all application types.
Attack from Internet: hardcore scenario
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in internal network
2. Get RCE on Application Server
   On AppSvr side decrypt low level DB credentials.
3. Gain low level access to a database.
   Get and decrypt high-level DB credentials from the db.
   AccessID - «this account is the key to the kingdom»
4. Profit
Find PeopleSoft CS systems in WWW
Or other PeopleSoft Systems ...
Default PeopleSoft Servlets on WebServer
• PORTAL.war - PeopleSoft Interaction Hub
• PSEMHUB.war - Environment Management Framework
• PSIGW.war - Integration gateway
• PSINTERLINKS.war - Business Interlinks
• PSPC.war - PeopleSoft PortletContainer Servlet.
Most Critical Known Bugs
• CVE-2017-10061 - RCE (CVSS v3 score – 8.3)
• CVE-2017-10366 – RCE (CVSS v3 score – 9.8)
• Any SSRF, combined with the lack of authentication for requests from localhost in the PeopleSoft Apache Axis component, equals RCE
• SSRF bugs: CVE-2013-3800, CVE-2013-3821, CVE-2017-3548, CVE-2017-3547 ...
RCE on PeopleSoft WebServer is not a PROBLEM
PSIGW.war
• CVE-2017-10061
• CVSS Severity (version 3.0): 8.3 High
• CVSS Version 3 Metrics:
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
DEMO
Find AppSvr in internal network
$ pwd
/home/psadm2/apps/PORTAL.war
$ cat WEB-INF/psftdocs/ps/webprof/config_prop | grep -i -A 1 appserver
<string>appServer</string>
<string>192.168.56.101:9033</string>
• CVE-2017-10146 - Directory Traversal
• Attack Vector (AV): Network
• Attack Complexity (AC): Low
• Privileges Required (PR): None
Remote attack: hardcore scenario
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in internal network
2. Get RCE on Application Server
   On AppSvr side decrypt low level DB credentials
3. Gain low level access to a database.
   Get and decrypt «AccessID» from db.
   AccessID - «this account is the key to the kingdom»
4. Profit
PeopleSoft AppServer
Some Theory
PeopleSoft AppServer
An application server consists of numerous PeopleSoft services and
server processes.
PeopleSoft AppServer processes
• PSAPPSRV
• PSQCKSRV
• PSQRYSRV
• PSSAMSRV
• PSOPTENG
• PSMSGDSP
• PSMSGHND
• PSPUBDSP
• PSPUBHND
• PSSUBDSP
• PSSUBHND
• WSL
• WSH
• JSL
• JSH
• RMI Services
• etc.
PeopleSoft AppServer
• Many processes = large attack surface
• But … most of them are binary, native code applications.
PeopleSoft AppServer
• After some research, we have found some interesting bugs, and now we are trying to write exploits for them.
• But we don’t have RCE on AppServer yet.
Remote attack: hardcore scenario
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in the internal network
2. Get RCE on Application Server
   On the AppSvr side decrypt low level DB credentials
3. Gain low level access to a database.
   Get and decrypt «AccessID» from the db.
   AccessID - «this account is the key to the kingdom»
4. Profit
BUT ...
AppServer RMI service
We have PeopleSoft RMI service with hardcoded credentials...
AppServer RMI service
Java Remote Method Invocation (Java RMI) is a Java API that performs
remote method invocation, the object-oriented equivalent of remote
procedure calls (the RPC), with the support for direct transfer of
serialized Java classes and distributed garbage-collection.
PeopleSoft AppServer
AppServer RMI service
By using this service, we can get:
• AppSvr runtime info
• AppSvr Network statistic
• Java Memory pool info
• CPU Load info
• FileStore Information
• ...
• Access to AppServer logs
AppServer RMI service
In some cases, access to AppServer logs can lead to a leakage of an
authentication token. For example, if debug logging is enabled on the
server side.
AppServer RMI service
DEMO
• RCE on PeopleSoft WebServer side
• We can read TOKEN from AppServer log:
  • If debug mode is on
  • It seems that debug mode is not common for PeopleSoft production servers
• If we are lucky enough, we can get access to some account tokens.
What we have?
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in the internal network
2. Get RCE on Application Server
   On the AppSvr side decrypt low level DB credentials
   We got partial “access” to Application Server
3. Gain low-level access to a database.
   Get and decrypt «AccessID» from db.
   AccessID - «this account is the key to the kingdom»
What do we have here?
But we can exploit another bug...
DEMO
PeopleSoft Application Server
buffer over-read
We can disclose user passwords in plain text, remotely.
PeopleSoft Application Server buffer over-read
Attack Scenario
• Get access to PeopleSoft web server
• Recon AppServer
• Passively dump credentials from AppServer
• Collect user names and passwords.
• Find accounts with high business roles in the system
• …
• Profit
What if we had RCE on the AppServer?
For anyone pentesting the AppServer, the main target is psappsrv.cfg.
But the values in psappsrv.cfg are «encrypted».
psappsrv.cfg
• UserPswd=sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE=
• ConnectPswd=gizrWPhLwsI5KYakWwvJDLtoEGNNNG4lFfq8W5x/NpM=
• DomainConnectionPwd=iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5Ah ...
psappsrv.cfg „decryption“
$ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
jahce6queiXeevoo1quo0nano # decrypted password
ubbgen utility
UBBGEN’s usage prompt doesn’t show the “-decr” and “-encr” options; they seem to be «hidden».
psappsrv.cfg
• DBName=...
• DBType=...
• UserId=PS # default PeopleSoft admin
• UserPswd=<encrypted password> # admin password
• ConnectID=people # default connection id
• ConnectPswd=<encrypted password>
PeopleSoft Administrator Role (PS user)
This role does NOT have any access to critical business data.
ConnectID
• Real Database ID
• Required to establish the initial connection to the database
• Used by AppServer for initial authentication with PeopleSoft database
• Access to encrypted “AccessID”
PeopleSoft AppServer Sign In
• Initial connection.
• The application server uses the ConnectID and UserId specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database.
• The server performs a SQL Select statement on the security tables.
• Check UserID and UserPswd
• The server reconnects using the AccessID.
• The application server begins the persistent connection to the database that all users use to access the database.
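As an added example (not from the slides and not PeopleSoft's own tooling), a small Python audit of the [Startup] section of psappsrv.cfg for the weak settings the deck calls out: the default admin UserId PS, the default ConnectID people that is enough to read the encrypted AccessID from PSACCESSPROFILE, and password values that are either plain text or only reversibly «encrypted» (ubbgen -decr recovers them on the host). The sample configuration is constructed; the [Startup] section name and the exact key spelling are assumptions, and the base64-looking check is a shape heuristic only.

```python
"""Audit the [Startup] section of a PeopleSoft psappsrv.cfg for the weak
settings discussed in the deck.  Added example, not part of the slides or of
PeopleSoft.  The sample configuration below is constructed; the [Startup]
section name and key spelling are assumptions."""
import base64
import binascii
import configparser
from typing import List, Tuple

DEFAULT_USERID = "PS"         # default PeopleSoft admin, quoted on the psappsrv.cfg slide
DEFAULT_CONNECTID = "people"  # default connection id, quoted on the same slide
PASSWORD_KEYS = ("UserPswd", "ConnectPswd", "DomainConnectionPwd")

Finding = Tuple[str, str, str]  # (severity, key, message)

# Constructed sample: a psappsrv.cfg fragment carrying the defaults the deck
# calls out.  The base64 values are the «encrypted» strings shown on the slides.
SAMPLE_CFG = """\
; psappsrv.cfg (constructed sample)
[Startup]
DBName=HRDMO
DBType=ORACLE
UserId=PS
UserPswd=sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE=
ConnectID=people
ConnectPswd=gizrWPhLwsI5KYakWwvJDLtoEGNNNG4lFfq8W5x/NpM=
DomainConnectionPwd=iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=

[Trace]
TraceSql=0
"""


def looks_encoded(value: str) -> bool:
    """Shape check only: does the value look like the base64 string that
    ubbgen -encr writes?  A plain-text password that happens to be valid
    base64 could slip through, so this is a heuristic, not proof."""
    if len(value) < 16 or len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_psappsrv_cfg(text: str) -> configparser.ConfigParser:
    """psappsrv.cfg is INI-like: ';' comments, [Section] headers, key=value."""
    cp = configparser.ConfigParser(
        interpolation=None,       # values may contain '%'
        strict=False,             # tolerate repeated keys
        allow_no_value=True,
        delimiters=("=",),        # values may contain ':' (host:port)
        comment_prefixes=(";", "#"),
    )
    cp.read_string(text)
    return cp


def audit_startup(text: str) -> List[Finding]:
    """Return (severity, key, message) findings for the [Startup] section."""
    cp = parse_psappsrv_cfg(text)
    if not cp.has_section("Startup"):
        return [("HIGH", "Startup", "no [Startup] section; DB credentials not found")]
    st = cp["Startup"]
    findings: List[Finding] = []

    if st.get("UserId", "").strip().upper() == DEFAULT_USERID:
        findings.append(("HIGH", "UserId",
                         "app server signs in as the default PeopleSoft admin 'PS'"))
    if st.get("ConnectID", "").strip().lower() == DEFAULT_CONNECTID:
        findings.append(("MEDIUM", "ConnectID",
                         "default connection id 'people'; whoever holds it and its "
                         "password can select the encrypted AccessID from PSACCESSPROFILE"))
    for key in PASSWORD_KEYS:
        if key not in st:          # configparser matches keys case-insensitively
            continue
        value = (st.get(key) or "").strip()
        if not value:
            findings.append(("HIGH", key, "empty password"))
        elif not looks_encoded(value):
            findings.append(("HIGH", key, "password appears to be stored in plain text"))
        else:
            findings.append(("INFO", key,
                             "stored in reversible form (ubbgen -decr recovers it); "
                             "restrict read access to psappsrv.cfg"))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    """Worst severity present, so a caller can gate on it."""
    order = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
    return max((f[0] for f in findings), key=order.get, default="INFO")


if __name__ == "__main__":
    for sev, key, msg in audit_startup(SAMPLE_CFG):
        print(f"[{sev}] {key}: {msg}")
```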
Getting encrypted AccessID
$ sqlplus «ConnectID»@«db ip address»:1522/«dbname»
SQL> select STM_ACCESS_PART1, STM_ACCESS_PART2, STM_ACCESS_ID, STM_ACCESS_PSWD from SYSADM.PSACCESSPROFILE;
Getting encrypted AccessID
$ stmdecr <STM_ACCESS_PART1> <STM_ACCESS_PART2> <STM_ACCESS_ID> <STM_ACCESS_PSWD>
Getting encrypted AccessID
stmdecr
stmdecr will be published soon … :|
Conclusion
• Apply the latest CPUs (Oracle Critical Patch Updates)
• Perform external Security Audits
Read our blog
erpscan.com/category/press-center/blog/
Join our webinars
erpscan.com/category/press-center/events/
Subscribe to our newsletters
eepurl.com/bef7h1
USA:
228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone 650.798.5255
EMEA:
Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam
Phone +31 20 8932892
erpscan.com
inbox@erpscan.com
Thank you
Dmitry Yudin
Security Researcher at ERPScan
d.yudin@erpscan.com
PeopleSoft: HACK THE  Planet^W university
PeopleSoft: HACK THE  Planet^W university

Mais conteúdo relacionado

Mais procurados

New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with KubernetesArun Gupta
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Improving Performance of Micro-Frontend Applications through Error Monitoring
Improving Performance of Micro-Frontend Applications through Error MonitoringImproving Performance of Micro-Frontend Applications through Error Monitoring
Improving Performance of Micro-Frontend Applications through Error MonitoringScyllaDB
 
978285452340_11.pptx
978285452340_11.pptx978285452340_11.pptx
978285452340_11.pptxsahilgupta499
 
IT Disaster Recovery Readiness (Maturity Assessement)
IT Disaster Recovery Readiness (Maturity Assessement) IT Disaster Recovery Readiness (Maturity Assessement)
IT Disaster Recovery Readiness (Maturity Assessement) Bashar Alkhatib
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to TenableBharat Jindal
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management Argyle Executive Forum
 
Enabling self-service automation with ServiceNow and Ansible Automation Platform
Enabling self-service automation with ServiceNow and Ansible Automation PlatformEnabling self-service automation with ServiceNow and Ansible Automation Platform
Enabling self-service automation with ServiceNow and Ansible Automation PlatformMichael Ford
 
Cloud native integration
Cloud native integrationCloud native integration
Cloud native integrationKim Clark
 
Information Technology Disaster Planning
Information Technology Disaster PlanningInformation Technology Disaster Planning
Information Technology Disaster Planningguest340570
 
Cloud computing understanding security risk and management
Cloud computing   understanding security risk and managementCloud computing   understanding security risk and management
Cloud computing understanding security risk and managementShamsundar Machale (CISSP, CEH)
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Implementing Domain-Driven Design study group - ch. 5 entities
Implementing Domain-Driven Design study group - ch. 5 entitiesImplementing Domain-Driven Design study group - ch. 5 entities
Implementing Domain-Driven Design study group - ch. 5 entitiesHenry Tong
 
DevOps vs. Site Reliability Engineering (SRE) in Age of Kubernetes
DevOps vs. Site Reliability Engineering (SRE) in Age of KubernetesDevOps vs. Site Reliability Engineering (SRE) in Age of Kubernetes
DevOps vs. Site Reliability Engineering (SRE) in Age of KubernetesDevOps.com
 
An Introduction to Chaos Engineering
An Introduction to Chaos EngineeringAn Introduction to Chaos Engineering
An Introduction to Chaos EngineeringGremlin
 
Tide Brochure v1
Tide Brochure v1Tide Brochure v1
Tide Brochure v1Andy Childs
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 

Mais procurados (20)

New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of Security
 
Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with Kubernetes
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Improving Performance of Micro-Frontend Applications through Error Monitoring
Improving Performance of Micro-Frontend Applications through Error MonitoringImproving Performance of Micro-Frontend Applications through Error Monitoring
Improving Performance of Micro-Frontend Applications through Error Monitoring
 
978285452340_11.pptx
978285452340_11.pptx978285452340_11.pptx
978285452340_11.pptx
 
IT Disaster Recovery Readiness (Maturity Assessement)
IT Disaster Recovery Readiness (Maturity Assessement) IT Disaster Recovery Readiness (Maturity Assessement)
IT Disaster Recovery Readiness (Maturity Assessement)
 
BCM Presentation - March 2015
BCM Presentation - March 2015BCM Presentation - March 2015
BCM Presentation - March 2015
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
 
Enabling self-service automation with ServiceNow and Ansible Automation Platform
Enabling self-service automation with ServiceNow and Ansible Automation PlatformEnabling self-service automation with ServiceNow and Ansible Automation Platform
Enabling self-service automation with ServiceNow and Ansible Automation Platform
 
Cloud native integration
Cloud native integrationCloud native integration
Cloud native integration
 
Information Technology Disaster Planning
Information Technology Disaster PlanningInformation Technology Disaster Planning
Information Technology Disaster Planning
 
Cloud computing understanding security risk and management
Cloud computing   understanding security risk and managementCloud computing   understanding security risk and management
Cloud computing understanding security risk and management
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Implementing Domain-Driven Design study group - ch. 5 entities
Implementing Domain-Driven Design study group - ch. 5 entitiesImplementing Domain-Driven Design study group - ch. 5 entities
Implementing Domain-Driven Design study group - ch. 5 entities
 
DevOps vs. Site Reliability Engineering (SRE) in Age of Kubernetes
DevOps vs. Site Reliability Engineering (SRE) in Age of KubernetesDevOps vs. Site Reliability Engineering (SRE) in Age of Kubernetes
DevOps vs. Site Reliability Engineering (SRE) in Age of Kubernetes
 
An Introduction to Chaos Engineering
An Introduction to Chaos EngineeringAn Introduction to Chaos Engineering
An Introduction to Chaos Engineering
 
Tide Brochure v1
Tide Brochure v1Tide Brochure v1
Tide Brochure v1
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 

Semelhante a PeopleSoft: HACK THE Planet^W university

Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomQConLondon2008
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningCA API Management
 
A great api is hard to find
A great api is hard to findA great api is hard to find
A great api is hard to findDan Diephouse
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityDarren Sim
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surfaceAvi Shulman
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveIndumathySK
 
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...confluent
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber SecurityCedar Consulting
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandMatthew Turland
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Designjonmccoy
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습Oracle Korea
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing Inho Kang
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential ManagementVMware Tanzu
 

Semelhante a PeopleSoft: HACK THE Planet^W university (20)

Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
A great api is hard to find
A great api is hard to findA great api is hard to find
A great api is hard to find
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access Security
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surface
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must Have
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
 
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
 
Web Security
Web SecurityWeb Security
Web Security
 
website phishing by NR
website phishing by NRwebsite phishing by NR
website phishing by NR
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential Management
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
 

Último

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 

Último (20)

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
20240508 QFM014 Elixir Reading List April 2024.pdf
PeopleSoft: HACK THE Planet^W university

  • 1. PeopleSoft: HACK THE Planet^W university by Dmitry Iudin, Security Researcher at ERPScan
  • 5. PeopleSoft Used by: Universities Government and its institutions Large enterprises, etc.
  • 6. PeopleSoft Campus solutions Human Capital Management Financial Management Supplier Relationship Management …
  • 7. Attack Targets • Personal information • SSN • Salary data • Payment information • Credit card data • Bank account data • Bidding information - RFP - Prices
  • 8. Attack Targets • Espionage • Theft of financial information • Corporate trade secret theft • Theft of supplier and customer lists • Stealing HR data (employee data theft) • Sabotage • Denial of service • Tampering with financial reports • Fraud - False transactions - Modification of master data
  • 10. A Bit of Theory
  • 11. PeopleSoft Pure Internet Architecture
  • 13. Web Server • Host PeopleSoft Servlets • Communicates with AppServer • Front end
  • 16. Configuration and Deployment Options AppServer and database on same server
  • 18. PeopleSoft Pure Internet Architecture • These 3 main components are common for all PeopleSoft applications. • All applications mainly differ only in the business logic that exists in a database. • Pwning these components is equal to Pwning all application types.
  • 19. Attack from Internet: hardcore scenario 1. Get RCE on PeopleSoft WebServer; recon Application Server in internal network 2. Get RCE on Application Server; on AppSvr side decrypt low level DB credentials. 3. Gain low level access to a database; get and decrypt high-level DB credentials from the db. AccessID - «this account is the key to the kingdom» 4. Profit
  • 20. Find PeopleSoft CS systems in WWW
  • 21. Or other PeopleSoft Systems ...
  • 22. Default PeopleSoft Servlets on WebServer • PORTAL.war - PeopleSoft Interaction Hub • PSEMHUB.war - Environment Management Framework • PSIGW.war - Integration Gateway • PSINTERLINKS.war - Business Interlinks • PSPC.war - PeopleSoft Portlet Container Servlet.
  • 23. Most Critical Known Bugs • CVE-2017-10061 - RCE (CVSS v3 score – 8.3) • CVE-2017-10366 – RCE (CVSS v3 score – 9.8) • Any SSRF + lack of authentication from localhost in the PeopleSoft Apache Axis component equals RCE • SSRF bugs: CVE-2013-3800, CVE-2013-3821, CVE-2017-3548, CVE-2017-3547 ...
  • 24. RCE on PeopleSoft WebServer is not a PROBLEM
  • 26. PSIGW.war • CVE-2017-10061 • CVSS Severity (version 3.0): 8.3 High • CVSS Version 3 Metrics: • Attack Vector (AV): Network • Attack Complexity (AC): Low
  • 27. DEMO
  • 28. Find AppSvr in internal network $ pwd /home/psadm2/apps/PORTAL.war $ cat WEB-INF/psftdocs/ps/webprof/config_prop | grep -i appserver -A 1 <string>appServer</string> <string>192.168.56.101:9033</string>
  • 29. Find AppSvr in internal network • CVE-2017-10146 - Directory Traversal • Attack Vector (AV): Network • Attack Complexity (AC): Low • Privileges Required (PR): None
  • 30. Find AppSvr in internal network
  • 31. Remote attack: hardcore scenario 1. Get RCE on PeopleSoft WebServer; recon Application Server in internal network 2. Get RCE on Application Server; on AppSvr side decrypt low level DB credentials 3. Gain low level access to a database; get and decrypt «AccessID» from db. AccessID - «this account is the key to the kingdom» 4. Profit
  • 34. PeopleSoft AppServer An application server consists of numerous PeopleSoft services and server processes.
  • 35. PeopleSoft AppServer processes • PSAPPSRV • PSQCKSRV • PSQRYSRV • PSSAMSRV • PSOPTENG • PSMSGDSP • PSMSGHND • PSPUBDSP • PSPUBHND • PSSUBDSP • PSSUBHND • WSL • WSH • JSL • JSH • RMI Services • etc.
  • 36. PeopleSoft AppServer • Many processes = large attack surface • But … most of them are binary, native code applications.
  • 37. PeopleSoft AppServer • After some research, we have found some interesting bugs. Now we are trying to write exploits for them. • But we don’t have RCE on AppServer yet.
  • 39. Remote attack: hardcore scenario 1. Get RCE on PeopleSoft WebServer; recon Application Server in the internal network 2. Get RCE on Application Server; on the AppSvr side decrypt low level DB credentials 3. Gain low level access to a database; get and decrypt «AccessID» from the db. AccessID - «this account is the key to the kingdom» 4. Profit
  • 42. AppServer RMI service We have PeopleSoft RMI service with hardcoded credentials...
  • 43. AppServer RMI service Java Remote Method Invocation (Java RMI) is a Java API that performs remote method invocation, the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.
  • 45. AppServer RMI service By using this service, we can get: • AppSvr runtime info • AppSvr Network statistic • Java Memory pool info • CPU Load info • FileStore Information • ... • Access to AppServer logs
  • 47. AppServer RMI service In some cases, access to AppServer logs can lead to a leakage of an authentication token. For example, if debug logging is enabled on the server side.
  • 49. What we have? • RCE on PeopleSoft WebServer side • We can read TOKEN from AppServer log: • If debug mode is on • It seems that debug mode is not common for PeopleSoft production servers • If we are lucky enough, we can get access to some account tokens.
  • 50. What we have? 1. Get RCE on PeopleSoft WebServer; recon Application Server in the internal network 2. Get RCE on Application Server; on the AppSvr side decrypt low level DB credentials. We got partial “access” to Application Server 3. Gain low-level access to a database; get and decrypt «AccessID» from db. AccessID - «this account is the key to the kingdom»
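Slides 47 to 50 make the point that a debug-level AppServer log is itself a credential store: whoever can read it can read session tokens. The defensive counterpart is to scan those logs for leaked secrets before they are shipped anywhere. The following is an added example, not code from the talk or from ERPScan; the log lines are constructed in the style of a PSAPPSRV log, and the field names it looks for (Token, pswd and so on) are assumptions about what a verbose trace might print, to be adjusted to what your own trace output actually contains.

```python
"""Flag authentication tokens and passwords leaked into application-server
logs.  Added example (not from the talk or ERPScan): the log lines are
constructed and the field names are assumptions about what a verbose
PeopleSoft trace might contain."""
import re

# Field names whose values should never sit in a log file.  Assumed names;
# adjust to what your own trace output actually prints.
SENSITIVE_KEYS = ("authtoken", "pstoken", "token", "password", "pswd")

# "key=value" or "key: value"; the value runs to the next space, comma or
# semicolon, so base64 tokens ending in '=' are captured whole.
_KV_RE = re.compile(
    r"(?i)\b(?P<key>" + "|".join(SENSITIVE_KEYS) + r")\s*[=:]\s*(?P<val>[^\s,;]+)"
)

# Constructed sample in the style of a PSAPPSRV log; the trailing (n) is the
# message level, 5 being trace output that only appears when logging is
# raised to debug level.
SAMPLE_LOG = [
    "PSAPPSRV.1234 (1) [2018-01-10T10:00:00 PS@host](3) Service request: GetCertificate",
    "PSAPPSRV.1234 (1) [2018-01-10T10:00:01 PS@host](5) Token=AAAAdXNlcjEhMjM0NTY3ODkwYWJjZGVmZ2hpams= len=44",
    "PSAPPSRV.1234 (1) [2018-01-10T10:00:02 PS@host](3) Tuxedo session opened",
    "PSAPPSRV.1234 (1) [2018-01-10T10:00:03 PS@host](5) user=PS pswd: secret1 connect ok",
]


def redact(line):
    """Return (redacted_line, hits): every sensitive value replaced."""
    hits = 0

    def _sub(match):
        nonlocal hits
        hits += 1
        return f"{match.group('key')}=<REDACTED>"

    return _KV_RE.sub(_sub, line), hits


def scan(lines):
    """Return [(line_no, redacted_line)] for every line that leaks a secret.
    The redacted copy is safe to put in an alert; the line number tells the
    responder where to look in the original file."""
    findings = []
    for number, line in enumerate(lines, 1):
        redacted, hits = redact(line)
        if hits:
            findings.append((number, redacted))
    return findings


if __name__ == "__main__":
    for number, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

On the sample this reports lines 2 and 4 with the token and password replaced, which is what you want in a SIEM alert: enough to find the leak, nothing that re-leaks the secret. A hit on a production log is also the practical check for the talk's "is debug mode on?" question.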
  • 51. What do we have here?
  • 52. But we can exploit another bug...
  • 53. DEMO
  • 54. PeopleSoft Application Server buffer over-read We can disclose user passwords in plain text, remotely.
  • 56. Attack Scenario • Get access to PeopleSoft web server • Recon AppServer • Passively dump credentials from AppServer • Collect user names and passwords. • Find accounts with high business roles in the system • … • Profit
  • 57. What if we had RCE on the AppServer The main target for anyone pentesting the AppServer is psappsrv.cfg. But values in psappsrv.cfg are «encrypted».
  • 59. psappsrv.cfg „decryption“ $ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo= jahce6queiXeevoo1quo0nano # decrypted password
  • 60. ubbgen utility UBBGEN’s usage prompt doesn’t show the “-decr” and “-encr” options; it seems that they are «hidden».
  • 62. psappsrv.cfg • DBName=... • DBType=... • UserId=PS # default PeopleSoft admin • UserPswd=<encrypted password> # admin password • ConnectID=people # default connection id • ConnectPswd=<encrypted password>
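Slides 57 to 62 show that the «encryption» of psappsrv.cfg is reversible with a hidden ubbgen switch, so the real controls are the defaults you leave in the file, the log level, and who can read the file. A small audit that checks exactly those points, as an added example (not ERPScan tooling and not part of the talk): it assumes the INI layout of a real PSAPPSRV.CFG, with the sign-on settings under [Startup] and LogFence under [Domain Settings]; the threshold of 4 for trace-level logging is taken from the PeopleTools documentation of LogFence, and the sample file is constructed.

```python
"""Audit PSAPPSRV.CFG for the weaknesses slides 57 to 62 describe: default
ids, missing passwords, trace-level logging and a config file readable by
other accounts.  Added example, not ERPScan tooling.  Assumes the INI layout
of a real PSAPPSRV.CFG (credentials under [Startup], LogFence under [Domain
Settings]); the sample below is constructed."""
import configparser
import os
import stat

DEFAULT_USER_ID = "PS"         # default PeopleSoft admin, slide 62
DEFAULT_CONNECT_ID = "people"  # default connect id, slide 62
# LogFence 4 and 5 are PeopleTools' tracing levels (assumption based on the
# product documentation); that is the "debug mode" that can spill tokens.
TRACE_LOG_FENCE = 4

SAMPLE_CFG = """\
[Startup]
;-------------------------------------------------------------
; Database Signon settings (constructed sample)
;-------------------------------------------------------------
DBName=PSFTCS
DBType=ORACLE
UserId=PS
UserPswd=iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
ConnectId=people
ConnectPswd=

[Domain Settings]
LogFence=5
"""


def parse_cfg(text):
    # No interpolation: values may contain '%'; strict=False tolerates the
    # duplicate keys that hand-edited domain configs sometimes carry.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_config(text, mode=None):
    """Return a list of finding ids for the config text.  mode is the file's
    st_mode when known, so group/world readability can be reported too."""
    cp = parse_cfg(text)
    findings = []
    startup = cp["Startup"] if cp.has_section("Startup") else {}

    if startup.get("UserId", "").strip().upper() == DEFAULT_USER_ID:
        findings.append("default-admin-userid")
    if startup.get("ConnectId", "").strip().lower() == DEFAULT_CONNECT_ID:
        findings.append("default-connectid")
    for key in ("UserPswd", "ConnectPswd"):
        if not startup.get(key, "").strip():
            findings.append("empty-" + key.lower())

    # The slides show the stored values are reversible with ubbgen -decr, so
    # a readable file is as good as plaintext; verbose logging adds tokens.
    try:
        fence = int(cp.get("Domain Settings", "LogFence", fallback="3"))
    except ValueError:
        fence = 0
    if fence >= TRACE_LOG_FENCE:
        findings.append("trace-logging-enabled")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("cfg-readable-by-others")
    return findings


def audit_file(path):
    """Audit a config file on disk, including its permission bits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_config(text, os.stat(path).st_mode)


if __name__ == "__main__":
    print(audit_config(SAMPLE_CFG, 0o644))
```

Run against the constructed sample with a 0644 mode it reports the default admin id, the default connect id, the empty ConnectPswd, trace logging and the world-readable file. A clean result does not make the file safe (the reversible scheme still means host compromise equals credential compromise), but it removes the free wins the talk relies on.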
  • 63. PeopleSoft Administrator Role (PS user) This role does NOT have any access to critical business data.
  • 64. ConnectID • Real Database ID • Required to establish the initial connection to the database • Used by AppServer for initial authentication with the PeopleSoft database • Access to encrypted “AccessID”
  • 65. PeopleSoft AppServer Sign In • Initial connection. • The application server uses the ConnectID and UserId specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database. • The server performs a SQL Select statement on the security tables. • Check UserID and UserPswd • The server reconnects using the AccessID. • The application server begins the persistent connection to the database that all users use to access the database.
  • 66. Getting encrypted AccessID $ sqlplus «ConnectId»@«db ip address»:1522/«dbname»
  • 67. Getting encrypted AccessID $ select STM_ACCESS_PART1, STM_ACCESS_PART2, STM_ACCESS_ID, STM_ACCESS_PSWD from SYSADM.PSACCESSPROFILE;
  • 68. Getting encrypted AccessID $ stmdecr <STM_ACCESS_PART1> <STM_ACCESS_PART2> <STM_ACCESS_ID> <STM_ACCESS_PSWD>
  • 69. stmdecr stmdecr will be published soon … :|
  • 70. Conclusion • Implement latest CPUs • Perform external Security Audits
  • 71. Read our blog erpscan.com/category/press-center/blog/ Join our webinars erpscan.com/category/press-center/events/ Subscribe to our newsletters eepurl.com/bef7h1 USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 Phone 650.798.5255 EMEA: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam Phone +31 20 8932892 erpscan.com inbox@erpscan.com Thank you Dmitry Yudin Security Researcher at ERPScan d.yudin@erpscan.com