Oracle PeopleSoft applications include different critical business systems like HRMS, FMS, SCM, CRM, etc. They are widespread (used by about 50 % of the Fortune 100). In addition, some of these systems (especially HRMS) are accessible from the Internet. Nevertheless, there is almost no research on the security of PeopleSoft applications. Oracle publishes basic information about vulnerabilities in the applications on a regular basis, but it’s not enough for penetration testers. In addition, the uncommon internal architecture of PeopleSoft applications makes black-box testing much harder. Public news about successful attacks against PeopleSoft shows up from time to time, and in this talk I’ll try to fill this gap.
I’ll show and describe the main architecture of PeopleSoft applications, “design” decisions, and weak spots. The talk will be shaped as a guide for pentesters: a step-by-step how-to on attacking PeopleSoft applications and getting deeper. I will present vulnerabilities I’ve found and also show several different attack vectors which allow taking control over PeopleSoft applications. Some of the vulns and vectors (about 30 %) were shown in our workshop at BlackHat 2013 Las Vegas, but we have now conducted much deeper research and have new vulns, new attacks and ways to bypass some of Oracle’s patches.
Finally, I will present a new universal attack and tool for authentication bypass in PeopleSoft applications. It relies on a widespread misconfiguration, so Oracle is unable to close it with a patch. Technical information about the attacks will include comprehensive exploitation and defense guidelines.