This document summarizes security vulnerabilities in PeopleSoft systems. It describes how an attacker could potentially gain remote code execution on the PeopleSoft web server and application server. It then explains how the attacker could use this access to decrypt database credentials and escalate their privileges to compromise sensitive user data and business systems. The document provides details on specific bugs like buffer overflows and hardcoded credentials that could be exploited at different points in this attack chain. It aims to demonstrate a potential "hardcore" attack scenario and the risks of unpatched PeopleSoft instances.
7. Attack Targets
Personal information
SSN
Salary data
Payment information
Credit card data
Bank account data
Bidding information
- RFP
- Prices
8. Attack Targets
Espionage
Theft of financial information
Corporate trade secret theft
Theft of supplier and customer lists
Stealing HR data (employee data theft)
Sabotage
Denial of service
Tampering with financial reports
Fraud
- False transactions
- Modification of master data
18. PeopleSoft Pure Internet Architecture
The three main components (web server, application server and database) are common to all PeopleSoft applications.
The applications differ mainly in the business logic that lives in the database.
Pwning these components is therefore equal to pwning every application type.
19. Attack from Internet: hardcore scenario
1. Get RCE on the PeopleSoft WebServer.
   Recon the Application Server in the internal network.
2. Get RCE on the Application Server.
   On the AppSvr side, decrypt the low-level DB credentials.
3. Gain low-level access to the database.
   Get and decrypt the high-level DB credentials from the db.
   AccessID: «this account is the key to the kingdom».
4. Profit.
31. Remote attack: hardcore scenario
1. Get RCE on the PeopleSoft WebServer.
   Recon the Application Server in the internal network.
2. Get RCE on the Application Server.
   On the AppSvr side, decrypt the low-level DB credentials.
3. Gain low-level access to the database.
   Get and decrypt the «AccessID» from the db.
   AccessID: «this account is the key to the kingdom».
4. Profit.
36. PeopleSoft AppServer
Many processes = a large attack surface.
But most of them are binary, native-code applications.
37. PeopleSoft AppServer
After some research we found some interesting bugs, and we are now trying to write exploits for them.
But we do not have RCE on the AppServer yet.
39. Remote attack: hardcore scenario
1. Get RCE on the PeopleSoft WebServer.
   Recon the Application Server in the internal network.
2. Get RCE on the Application Server.   <-- we are here
   On the AppSvr side, decrypt the low-level DB credentials.
3. Gain low-level access to the database.
   Get and decrypt the «AccessID» from the db.
   AccessID: «this account is the key to the kingdom».
4. Profit.
43. AppServer RMI service
Java Remote Method Invocation (Java RMI) is a Java API for invoking methods on remote objects, the object-oriented equivalent of remote procedure calls (RPC). It supports direct transfer of serialized Java objects and distributed garbage collection.
45. AppServer RMI service
By using this service, we can get:
• AppSvr runtime info
• AppSvr Network statistic
• Java Memory pool info
• CPU Load info
• FileStore Information
• ...
• Access to AppServer logs
47. AppServer RMI service
In some cases, access to the AppServer logs leaks an authentication token, for example when debug logging is enabled on the server side.
49. RCE on PeopleSoft WebServer side
We can read a TOKEN from the AppServer log if debug mode is on.
Debug mode does not seem to be common on PeopleSoft production servers.
If we are lucky enough, we get hold of some account tokens.
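The check a defender (or a pentester with RMI access to the logs) wants at this point is a scan of the AppServer log for leaked session tokens and a confirmation that debug-level logging is what put them there. The block below is an added example, not code from the deck; the log lines are constructed, the line layout is an assumption, and the only real identifier used is PS_TOKEN, the name of the PeopleSoft session cookie, whose value is treated as an opaque base64 blob.

```python
"""Detect and redact session tokens leaked into verbose AppServer logs."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log (not a real PeopleSoft log; the line layout is an
# assumption). Lines 3 and 5 leak credentials because debug logging is on.
SAMPLE_LOG = """\
PSAPPSRV.1234 (1) 2024-01-10 10:01:02 INFO  session opened for request
PSAPPSRV.1234 (1) 2024-01-10 10:01:02 DEBUG request headers: Host=hr.example.com; User-Agent=Mozilla/5.0
PSAPPSRV.1234 (1) 2024-01-10 10:01:02 DEBUG cookie: PS_TOKEN=qAAAAAQDAgEBAAAAvAIAAAAAAAAsAAAABABTaGRyAk4AcQg4AC4AMQAwABQVYJ8T+z2f6K5pkYq5o8BXc1mMAAAAFAFNkYXRh
PSAPPSRV.1234 (2) 2024-01-10 10:01:03 INFO  user VP1 signed in
PSAPPSRV.1235 (1) 2024-01-10 10:01:04 DEBUG outbound call: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJWUDEifQ.c2lnbmF0dXJl
PSAPPSRV.1235 (1) 2024-01-10 10:01:05 INFO  component HR_EMPLOYEE loaded
"""

# PS_TOKEN is the real PeopleSoft session cookie name; its value is matched as
# an opaque base64 blob. Bearer headers are a second, generic token shape.
TOKEN_PATTERNS = {
    "PS_TOKEN": re.compile(r"PS_TOKEN=([A-Za-z0-9+/=]{20,})"),
    "Bearer":   re.compile(r"Bearer\s+([A-Za-z0-9_\-./+=]{20,})"),
}
DEBUG_MARKER = re.compile(r"\bDEBUG\b")


@dataclass
class Leak:
    line_no: int
    kind: str
    token: str

    def fingerprint(self) -> str:
        """Enough of the token to correlate with a session, not enough to replay it."""
        return f"{self.kind}:{self.token[:6]}..."


def debug_logging_enabled(log_text: str) -> bool:
    """Cheap pre-check: DEBUG entries are the condition the deck names for token leakage."""
    return any(DEBUG_MARKER.search(line) for line in log_text.splitlines())


def find_leaks(log_text: str) -> List[Leak]:
    """Return every token-shaped value found in the log, with its line number."""
    leaks: List[Leak] = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                leaks.append(Leak(no, kind, m.group(1)))
    return leaks


def redact(log_text: str) -> str:
    """Return the log with every matched token replaced, keeping the surrounding context."""
    out = log_text
    for pat in TOKEN_PATTERNS.values():
        out = pat.sub(lambda m: m.group(0).replace(m.group(1), "<REDACTED>"), out)
    return out


if __name__ == "__main__":
    if debug_logging_enabled(SAMPLE_LOG):
        print("debug logging detected; scanning for tokens")
    for leak in find_leaks(SAMPLE_LOG):
        print(f"line {leak.line_no}: {leak.fingerprint()}")
```

Run it against a copy of the real log rather than the live file: the fingerprint is what goes into a ticket, and redact() is what you apply before the log leaves the host.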
50. What we have?
1. Get RCE on the PeopleSoft WebServer.
   Recon the Application Server in the internal network.
2. Get RCE on the Application Server.
   On the AppSvr side, decrypt the low-level DB credentials.
   We got partial “access” to the Application Server.
3. Gain low-level access to the database.
   Get and decrypt the «AccessID» from the db.
   AccessID: «this account is the key to the kingdom».
56. Attack Scenario
Get access to PeopleSoft web server
Recon AppServer
Passively dump credentials from AppServer
Collect user names and passwords.
Find accounts with high business roles in the system
…
Profit
57. What if we had RCE on the AppServer?
For anyone pentesting the AppServer, the main target is psappsrv.cfg.
But the values in psappsrv.cfg are «encrypted».
64. ConnectID
A real database login.
Required to establish the initial connection to the database.
Used by the AppServer for its initial authentication to the PeopleSoft database.
Has read access to the encrypted “AccessID”.
65. PeopleSoft AppServer Sign In
1. Initial connection. The application server uses the ConnectID and UserId specified in its configuration file (PSAPPSRV.CFG) to make the initial connection to the database.
2. The server performs a SQL SELECT on the security tables.
3. It checks the UserID and UserPswd.
4. The server reconnects using the AccessID.
5. The application server now holds the persistent connection to the database that all users use to access the database.