[Full-disclosure] CVE-2008-4000: Oracle PeopleTools - Authentication Weakness

["Amichai Shulman" <shulman@xxxxxxxxxxx>]

Oracle PeopleTools - Authentication Weakness



Background


PeopleSoft Enterprise applications architecture is built around the
proprietary PeopleTools technology. PeopleTools user authentication
mechanism requires a user to provide the correct credentials in order to
gain access through the web interface. An account lockout policy
disables a user account if an incorrect password is entered a specified
number of times over a specified period. 


Scope


Imperva's Application Defense Center conducts extensive research on
enterprise applications on behalf of its customers, including research
on applications like PeopleSoft, SAP and Oracle EBS. During its
research, the team has identified a security flaw related to PeopleTools
authentication mechanism and account lock-out policy. 


Findings


By observing the system's response to repeated authentication attempts,
an attacker can brute force valid user credentials even though the
account lock-out mechanism is enabled. The attacker could use the
compromised credentials once the account is unlocked by an
administrator. 


Details


Upon a false login attempt, the message "Your User ID and/or Password
are invalid" is returned to the user. When the correct password is
entered, and the account has been locked, the message "Your account has
been disabled" is returned. Therefore an attacker can conduct a brute
force attack even after the account has been locked. 

Once the account is unlocked, PeopleTools does not enforce password
changing. Therefore the compromised set of credentials can be used to
break into the unlocked account. 


Exploit


Brute force login to the application until the correct password is
detected. 


Vulnerability ID


CVE-2008-4000 


Tested Versions


Vulnerable
PeopleTools 8.49 (8.4x) 


Vendor's Status


Vendor notified on August 4, 2008. Patch released by vendor on October
14, 2008. 


Workaround



*       Within PeopleSoft, select the "Enable password controls"
checkbox and then define the number of days that a password is valid.
The actual number of days does not matter for this purpose. 
*       When an account is locked because of too many login attempts,
the administrator can unlock the account and then manually set the
status of the password for the account to "expired". This will force the
user to change the password during the next login. 
*       An alternative workaround is to create a custom Web application
policy in the SecureSphere Web Application Firewall. The policy match
criteria would include the URL prefix of the PeopleSoft login page (the
action URL for the authentication form) and the number of occurrences
within a specified period of time.


Discovered by:


Yaniv Azaria of Imperva's ADC 


Disclaimer


The information within this advisory is subject to change without
notice. Use of this information constitutes acceptance for use in an AS
IS condition. Any use of this information is at the user's own risk.
There are no warranties, implied or expressed, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.

Copyright (c) 2007 Imperva, Inc.
Redistribution of this alert electronically is allowed as long as it is
not edited in any way. To reprint this alert, in whole or in part, in
any medium other than electronic medium, adc@xxxxxxxxxxx for permission.
 
Amichai Shulman
CTO
 
125 Menachem Begin St.
Tel Aviv 67010
Israel

(972) 3-6840103 Office
(972) 54-5885083 Mobile
(972) 3-6840200 Fax
shulman@xxxxxxxxxxx

Download Scuba by Imperva
FREE Database Assessment Scanner
www.imperva.com/scuba <blocked::http://www.imperva.com/scubam> 
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/