Site icon psadmin.io

Limit PeopleSoft Vulnerabilities

Dan Iverson

Last week a presentation at Hack in the Box, “Oracle PeopleSoft Applications are Under Attack”, focused on vulnerabilities in PeopleSoft applications. The presentation showed a number of ways that hackers could get access to a system. While some of the issues need to be fixed by Oracle (like poor encryption), there are a number of steps you can take to reduce the risk of someone gaining unauthorized access to your system.

For reference, here is the presentation and here is the white paper.

Database Security

The first part of the presentation talks about back-end attacks (gaining access to the database). For someone who is on the internal network, there are a few ways to grab the Access ID.

Access ID Attacks

First, the Connect ID and password are often left to the default people and peop1e. The Connect ID has access to the PSACCESSPRFL table (by design), but the values in PSACCESSPRFL are not securely encrypted. According to the presentation, PeopleSoft uses a simple XOR operation to encrypt the values. XOR encryption is fairly simple to decrypt compared with newer encryption technologies. Update 5/11/2016 I have been informed that this is incorrect. XOR is not used for the Access ID and Password. The encrypt is 3des-168-cfb, which means it requires a 24 byte key, and a 64bit Initialization Vector, which is far harder to decrypt. End update The presentation also mentions that people often choose a Connect ID password that is the same as the Access ID. DO NOT DO THAT! Passwords should be unique and complex (as possible) so that one account doesn’t compromise other accounts.

This attack vector does bring up a concern that Oracle should address in a future PeopleTools release. Starting with 8.53, PSORPDEFN added a OPERPWSDSALT field that increased the complexity of password encryption. This functionality should be extended to the Access ID Password. Additionally, the limitation of an 8 character password for the Access ID password needs to be fixed.

Second, if someone has access to a developer machine there a two ways to grab the Access ID and password. One is to grab the configuration from the Windows Registry and decrypt the password from there. The encryption in the config file appears to be XOR based. The other method is to connect App Designer via 3-Tier connection and grab the network packets because the Tuxedo protocol is a plain text protocol. When developer tools communicate with the application server, their User ID and password are sent with each request. Plain text SQL is also sent via Tuxedo, and also executed under the Access ID, which is another potential issue.

In reality, the second attack requires far more access that most users have because it requires a 3-Tier connection along with App Designer access. It would be good for Oracle to start updating the Tuxedo protocol, but addressing the issues in the first attack would be the top priority. Another way to grab the Connect ID, is to open the psappsrv.cfg or psprcs.cfg files used by the Tuxedo domains. If a user has file server access to the process scheduler (very common for developers), they often times have read access to the process scheduler domain directory. If an administrator does not encrypt the Connect ID password when building the domain, anyone with read access can find the password.

Locking Down Database Access

Web Security

The second part of the presentation focused on front-end attacks, or attacks through the web server. Front-end attacks are targeted at WebLogic, the PIA and other servlets delivered by PeopleSoft.

WebLogic Security

Attacks When deploying a Single Server PeopleSoft site, the WebLogic console is accessible on the same server & port as the PIA. Using http://server:port/console, anyone can access the WebLogic console login page. The default user and password for the console is system and Passw0rd in newer PeopleTools versions. If you do not change the password, a quick Google search can let anyone into the WebLogic console.

If you create a multi-server site, the Admin server will run on a separate port (or even server). You should still change the default passwords, but external hackers will have to discover the admin server and port before they can attempt an attack. There are two more accounts in WebLogic that can also expose a vulnerability: monitor and operator. These accounts are used for monitoring your WebLogic instance, but they offer enough access to the console that a hacker could install a .war application to run.

Locking Down WebLogic Access

Servlet Attacks

Next in the list of web-based attacks are the servlets installed on the web server. There are a number of servlets installed on the web server like PSIGW, xmllink, etc. If you open up your web server directory structure (or through the WebLogic console) you can see the default servlets.

Some servlets handle XML processing (like PSIGW) and are susceptible to XXE (XML External Entity) attacks. XXE vulnerabilities allow for external code to be run on your web server.

Another attack vector (via XXE) is to read config files for passwords stored on your web server, like the integrationGateway.properties file for the PSIGW servlet. Passwords in this file can be encrypted, but the encryption uses the default 3DES key. You can tell this by looking at the beginning of the encrypted password string and seeing {V1.1}.

The last servlet attack mentioned is against the Integration Broker directly. The IB supports remote configuration (e.g, editing the integrationGateway.properties file via the PIA) and with a specially crafted URL an external system could read or overwrite the IB config file. Many organizations don’t change the default password (administrator and password) for the integrationGateway.properties file. This leaves the system vulnerable to an attack.

Locking Down Servlet Security

Single Signon Attacks

The last topic of the presentation focused on the Single Signon feature between PeopleSoft systems. PeopleSoft SSO is handled by the PS_TOKEN browser cookie. If a browser session contains a valid PS_TOKEN, and the issuing system is trusted by other PeopleSoft applications, users are considered authenticated and will have access to the application. The PS_TOKEN is generated using these values:

By default, PeopleSoft uses standard node names for HR (PSFT_HR), FS (PSFT_EP) and the other applications. Since all but the Node Password are potentially known ahead of time, the SHA1 Hash can be calculated and compared against a PS_TOKEN to identify the Node Password.

While you could remove the trust from any nodes (PSTRUSTNODES table), that would break many features in the application (like the Report Repository and Single Signon). Removing node trust isn’t a great option.

Another way to get a PS_TOKEN is to open a page where the system automatically logs in as a public user. For example, a landing page or the PeopleSoft “Forgot My Password” page require the Web Profile to have a public user configured. If the public user has lots of security, any knowledge user can navigate into pages inside the application using the PS_TOKEN.

Locking Down SSO Access

GreyHeller has an excellent blog post with more details on the PS_TOKEN vulnerability and they show how their own tools can help with this security risk.

Recommendations for Oracle

With proper configuration, many of the vulnerabilities in this presentation can be properly mitigated. The main theme in the presentation, and in this article, is to not use default, shared or simple passwords.

There are some issues identified in the presentation that are out of our control. Oracle will need to make the changes in PeopleTools to address some of these vulnerabilities. To help bring visibility to the issues, filing a feature request SR with Oracle will show that there is user interest in making the product more secure. Here are three suggested SR’s to file:

Exit mobile version