Pwning Oracle EBS for Real Profit a.k.a. “Show Me The Money”
Every medium-to-large organization across the world uses some type of ERP application to process its most sensitive business information. However, ERP systems such as Oracle E-Business Suite do not only store critical data like social security numbers or credit card information. They also provide a set of financial applications that are used to process invoices and payments, moving millions of dollars per week. But what happens when attackers gain privileges in one of these systems? Most of them simply don’t know how to make a profit from an ERP. They fail to see the potential of their target and end up exploiting non-critical resources for economic gain. On the other hand, malicious insiders, who have experience with and access to ERP systems, do not have the technical knowledge or the tools to take advantage of the existing vulnerabilities.

In our talk, we will combine the best of both sides. We will begin by presenting the attacker’s perspective, showing two critical vulnerabilities we have found in our research. The first is a Java deserialization of untrusted data leading to a SQL injection, which an unauthenticated attacker can use to obtain control of the Oracle Database and of the entire application. The second is an arbitrary file upload, used to overwrite an executable CGI Perl script that can be referenced and executed by another servlet. Leveraging this vulnerability, an attacker would be able to execute arbitrary OS commands without any authentication. To close the talk, we will demonstrate an attack in which the target system is tricked into printing a real cashable check, which will be given away to a lucky person in the audience!
Gaston Traberg is a Security Researcher at Onapsis. After many years working as a researcher and pentester, Gaston joined Onapsis, focusing his work on ERP security. As a result of his research, he has reported and published several vulnerabilities in SAP and Oracle products. He also contributes to the development of cutting-edge technologies to boost Onapsis products.
Martin Doyhenard is a Security Researcher at the Onapsis Research Labs. His work includes performing security assessments of SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on web security and reverse engineering.