Sunday, March 12, 2006

Security Part 2

It was an awesome week! (I mean the last week) I went out trekking with my cousins. I was out of work for two weeks and I make sure that I do not go to the computer when I’m on a break. I’m back to work today and back blogging. I just finished preparing a presentation and started to hack PeopleSoft. Thought I would reveal some aspects of it here.

Firstly, the PeopleSoft PeopleTools team is great. I hacked into the first level (I'll not precisely mention the route which I took, but it is all there in the post "Security") and found out the private key used by PeopleSoft to encrypt the password. My God! What a key (it just made me feel what it said)! (As before, I'll not give it out.) Then I started doing a Google search for this particular weakness of PeopleSoft in the two-tier development environment, and this is what I found:

http://seclists.org/lists/bugtraq/2006/Feb/0080.html

I would like to quote a few points from the above-mentioned link. PeopleSoft (Oracle) has provided the following solution:

Vendor Solution: (Provided by Oracle)

In Enterprise PeopleTools 8.47 and above, PeopleTools provides Triple DES encryption (i.e. 3DES) for increased data security. The PSCipher Utility has been enhanced to provide a command line utility to encrypt a variety of text values stored in various configuration files throughout your system. In addition, the PSCipher includes the following features:

  • Dynamic Key generation: The ability to generate unique encryption keys.
  • Version maintenance: The key file maintains a version history of all previous versions of the keys, which enables text previously encrypted to be encrypted or decrypted.


Important additional information:


It is important to provide proper scope to the usage of PSCipher.

PeopleSoft does NOT use PSCipher for the following encryption purposes:

PSCipher is NOT used for the encryption of ANY application data -

PSCipher is NOT used for the encryption of ANY data stored in the PeopleSoft DB.

ALL user passwords stored in the DB are hashed using the SHA-1 Secure Hash Algorithm

At last, with PeopleTools 8.47, we have Dynamic Key generation and version maintenance. But still it can be hacked! How safe is safe? This time I'll not tell how I'm planning to break this Dynamic Key security, but if you look closer you could probably see the weakness.

So, what is my purpose in hacking PeopleSoft? (I'll not be unethical in retrieving sensitive information.) It has got to do with the Tools that I have; I just want to add PeopleSoft USER ID capability to the Tools. One of the Tools which I've built will actually run all the SQRs (in any given folder) in one shot, but it requires an access id and password. This did not find much appreciation because Reports were to be run with specific user privileges; for this I wanted the users to create separate access ids with different grant permissions and then use the Tool. Users are against the concept of creating separate ids and want it to be done with the PeopleSoft User id. This can only be achieved if I could decrypt the PeopleSoft encrypted password and use it to connect to the database (the initial connection to retrieve passwords can be done using the connect id and password).

The other aspect which has to be considered for the SQR tool is that the Application Server will have direct access to the SQRs, but I'll need the exact location of the files to be provided to the utility, and most users will not have this information. I'm trying to work something out for this. If I dynamically accept SQR locations, a user could very well provide a fake location, place a custom SQR there with the name of an SQR that he has access to, and write any SELECT or INSERT within it! Security is not to be overlooked from my side.
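One way to close the fake-location gap described above, as an added example that is not part of the original post or the author's tool: the report directory is fixed by the administrator, the user supplies only a report name, and the file must match a SHA-256 digest recorded when the report was approved. The function names, the manifest format and the sample report are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Report names only: no path separators, no "..", fixed extension.
_SQR_NAME = re.compile(r"^[A-Za-z0-9_]{1,32}\.sqr$")


class SqrRejected(Exception):
    """Raised when a requested report must not be run."""


def resolve_sqr(base_dir, name, manifest):
    """Return the real path of an approved SQR, or raise SqrRejected.

    base_dir: directory fixed by the administrator, never taken from the user.
    manifest: {file name: SHA-256 hex digest} recorded at approval time.
    """
    if not _SQR_NAME.match(name):
        raise SqrRejected("illegal report name: %r" % name)
    if name not in manifest:
        raise SqrRejected("report not on the approved list: %s" % name)
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link leading out of base fails the parent check.
    candidate = (base / name).resolve()
    if candidate.parent != base or not candidate.is_file():
        raise SqrRejected("not a regular file inside %s" % base)
    if hashlib.sha256(candidate.read_bytes()).hexdigest() != manifest[name]:
        raise SqrRejected("content of %s differs from the approved copy" % name)
    return candidate


def demo():
    """Constructed sample: one approved report, then three rejected requests."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        approved = Path(root, "sqr")
        approved.mkdir()
        body = b"begin-report\n  show 'ok'\nend-report\n"
        (approved / "payroll.sqr").write_bytes(body)
        manifest = {"payroll.sqr": hashlib.sha256(body).hexdigest()}
        results["ok"] = resolve_sqr(approved, "payroll.sqr", manifest).name
        (approved / "payroll.sqr").write_bytes(body + b"! edited\n")
        for label, name in [("tampered", "payroll.sqr"),
                            ("traversal", "../x.sqr"), ("unlisted", "other.sqr")]:
            try:
                resolve_sqr(approved, name, manifest)
                results[label] = "accepted"
            except SqrRejected:
                results[label] = "rejected"
    return results
```

The digest check and the later run are two separate reads of the file, so the approved directory still has to be writable only by the administrator.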

I have lots more to write about (a post on Foreign Key usage in ERP... a post on removing Menus from PeopleSoft...). I will reserve these for some time later this week. I think it is going to be a hectic week, with two weeks of work pending!

PS: Started learning Java. I tried coding a Message Box….oooppphhh…it sure is one coding language…then settled for printing in the console.
