Enterprise resource planning systems are the unexplored continent of vulnerability research, in spite of the fact that these massive, critical business systems support the inner workings of many large corporations and IT organizations.
A recent run of bugs in SAP, and a presentation at this week’s Hack in the Box conference in Amsterdam, however, could turn the tide and open some eyes to ERP security issues.
Researcher Alexey Tyurin of ERPScan in Palo Alto, a firm specializing in SAP security, this week threw back the covers on a number of serious issues present in Oracle PeopleSoft. A dozen vulnerabilities were discussed during Tyurin’s HITB talk (.PDF), including a trio of architectural and configuration missteps that put business data at risk ranging from employee and customer personal information to supply chain data to other business critical information that could expose a company to corporate espionage and reputational damage.
Tyurin said that patching the issues could pose problems for admins managing these systems, keeping organizations exposed for extended periods of time.
“Three configuration problems were found where patching could be difficult—and those are the most critical issues,” Tyurin said in an email to Threatpost. “So customers may be at risk for a long time if they don’t implement patches and reconfigure systems properly.”
The most critical weakness was found in the token generation process for single sign-on, Tyurin said.
“Simply saying, every user (even public users from the Internet) can escalate his privileges to administrator by brute forcing a special Node-password located in the cookie-token,” Tyurin said.
The Node-password, Tyurin said, is hashed using the aging SHA-1 algorithm and the researcher said it could be broken using a local brute-force attack on the cheap.
The token Tyurin refers to is generated for certain Web-facing services that are available prior to registration, such as password reset forms, or job applications. PeopleSoft systems, he said, create a special user with minimal rights in order to access those services. The user is issued a token called PS_TOKEN that can be brute-forced using a $500 GPU card capable of cracking an eight-character alphanumeric password within a day.
“PS_TOKEN is generated based on the SHA-1 hashing algorithm, but with a slightly different salt size, so that current hash brute-forcing tools will not help,” Tyurin said. “But with an easy modification, it’s possible.”
The researcher wrote a script that carries out a brute-force attack against the token and generates a new cookie, which he said has worked in pen-testing engagements against PeopleSoft systems. Tyurin said PeopleSoft has yet to patch this issue.
“The only way now is to set a very strong password for node, or change it to certificate authentication instead of password authentication,” he said. “Those changes will require some configuration, especially if the customer uses multiple nodes, and of course, they will need to turn off systems for some time to reconfigure it. Every time they stop such systems, they stop business processes and can lose profits, for example.”
Two other architectural issues were unveiled at HITB. The first involves a weak authentication protocol that can allow a local user to escalate privileges and gain full access to the PeopleSoft application and database. Tyurin said Oracle informed ERPScan that the issue was patched.
“Taking into account that this vulnerability was found in the authentication process, it requires updates for client and server applications,” Tyurin said. “In large organizations with thousands of client applications, it will be challenging to patch.”
The second has to do with default credentials in PeopleSoft and its WebLogic application server, which is deployed alongside PeopleSoft. Tyurin said that Oracle has informed his company that default passwords have been removed in new versions of the software.
“While Oracle is telling us that this problem is only for a demo system, we can disagree as we saw some production implementations during our pen-tests where those default passwords exist,” Tyurin said. “So, the truth is somewhere in the middle. Not every implementation is vulnerable, but some of them are definitely vulnerable, and those are not only demo installations. This issue allows the use of any of the default users to upload a web-based shell.”
In the meantime, Tyurin expects more ERP security research to emerge in the coming months.
“It’s hard to dive into those systems, hard to install, analyze and understand business-logic,” Tyurin said. “But once you are into this area, you can relatively easily find very interesting and critical findings.”