lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 19 Oct 2008 08:41:47 +0200
From: "Amichai Shulman" <shulman@...erva.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: CVE-2008-4000: Oracle PeopleTools -
	Authentication Weakness


Oracle PeopleTools - Authentication Weakness



Background


PeopleSoft Enterprise applications architecture is built around the
proprietary PeopleTools technology. PeopleTools user authentication
mechanism requires a user to provide the correct credentials in order to
gain access through the web interface. An account lockout policy
disables a user account if an incorrect password is entered a specified
number of times over a specified period. 


Scope


Imperva's Application Defense Center conducts extensive research on
enterprise applications on behalf of its customers, including research
on applications like PeopleSoft, SAP and Oracle EBS. During its
research, the team has identified a security flaw related to PeopleTools
authentication mechanism and account lock-out policy. 


Findings


By observing the system's response to repeated authentication attempts,
an attacker can brute force valid user credentials even though the
account lock-out mechanism is enabled. The attacker could use the
compromised credentials once the account is unlocked by an
administrator. 


Details


Upon a false login attempt, the message "Your User ID and/or Password
are invalid" is returned to the user. When the correct password is
entered, and the account has been locked, the message "Your account has
been disabled" is returned. Therefore an attacker can conduct a brute
force attack even after the account has been locked. 

Once the account is unlocked, PeopleTools does not enforce password
changing. Therefore the compromised set of credentials can be used to
break into the unlocked account. 


Exploit


Brute force login to the application until the correct password is
detected. 


Vulnerability ID


CVE-2008-4000 


Tested Versions


Vulnerable
PeopleTools 8.49 (8.4x) 


Vendor's Status


Vendor notified on August 4, 2008. Patch released by vendor on October
14, 2008. 


Workaround



*	Within PeopleSoft, select the "Enable password controls"
checkbox and then define the number of days that a password is valid.
The actual number of days does not matter for this purpose. 
*	When an account is locked because of too many login attempts,
the administrator can unlock the account and then manually set the
status of the password for the account to "expired". This will force the
user to change the password during the next login. 
*	An alternative workaround is to create a custom Web application
policy in the SecureSphere Web Application Firewall. The policy match
criteria would include the URL prefix of the PeopleSoft login page (the
action URL for the authentication form) and the number of occurrences
within a specified period of time.


Discovered by:


Yaniv Azaria of Imperva's ADC 


Disclaimer


The information within this advisory is subject to change without
notice. Use of this information constitutes acceptance for use in an AS
IS condition. Any use of this information is at the user's own risk.
There are no warranties, implied or expressed, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.

Copyright (c) 2007 Imperva, Inc.
Redistribution of this alert electronically is allowed as long as it is
not edited in any way. To reprint this alert, in whole or in part, in
any medium other than electronic medium, adc@...erva.com for permission.
 
Amichai Shulman
CTO
 
125 Menachem Begin St.
Tel Aviv 67010
Israel

(972) 3-6840103 Office
(972) 54-5885083 Mobile
(972) 3-6840200 Fax
shulman@...erva.com

Download Scuba by Imperva
FREE Database Assessment Scanner
www.imperva.com/scuba <blocked::http://www.imperva.com/scubam> 
 

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ