Nobody will argue that IT security is vital in our modern world, particularly for businesses. Cybercrime is getting worse and systems become more vulnerable with time, making organizations more susceptible to cyberattacks and financial losses. That's why the topic of cybercrime demands more attention and cyber-awareness.

ERP security is a separate part of IT security. Nowadays ERP encompasses a huge range of various tools and services written on the base of different technologies. It's critical to possess proper knowledge in the security field and convenient tools for managing.

When we were exploring Oracle E-Business Suite security, we noticed an absence of present-day convenient and free security tools on the market that can help simplify security assessment. There were bunches of various modules or scripts to check one or two issues narrowly. We started developing our own solution, the  first free Oracle E-Business Suite security scanner—ERPSCAN EBS Pentesting tool.

What is it? It is a "wrapper" for multiple EBS exploits developed by our research team. All modules are represented in the Python language. Currently, there are four main modules (1 of them uses EBS Users' passwords decryptor):

• EBS DB Users brute-force;
• EBS Users brute-force;
• EBS Java Serialization test;
• EBS XML Serialization test.

For now, we have published just four of them. If this tool becomes popular, we will continue this project and release more our private modules.

Pentesting Oracle EBS Database

Oracle EBS DB Users Brute-Force

Script brutes standard DB users with pre-defined passwords. Also, it can grab EBS users' passwords from APPS.fnd_user table and if password hashing is not on, it decrypts them with the ebsDecrypt.py module. All findings will be saved in dbCheckResults.txt file.

Help

You should install cx_Oracle for working.

usage: dbUsersBforce.py [-h] [-H HOST] [-P PORT] [-s SID] [-d DEC] [-v]

EBS DB Users brute-force Python Script. It tests for default DB users with the predefined passwords. Also it can check
whether any bruted DB user can decrypt EBS Users passwords (of course if Password Hashing is not implemented).

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  DB host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  DB port (default: 1521)
  -s SID, --sid SID     DB SID (default: EBSDB)
  -d DEC, --dec DEC     Try to decrypt EBS Users Passwords? Y/N
  -v, --verbose         verbose mode

Usage

$ dbUsersBrutforce.py -H ebs.example.com -s EBSDB -d Y

Oracle EBS Password Decryption

Script can decrypt EBS users passwords if apps user passwords is known. It handles new (SHA-1 + 3DES) and old (SHA-1-like + ARC4) encryptions.

Help

You should install pyjks for working.

usage: ebsDecrypt.py [-h] [-k KEY] [-d DATA]

Script can decrypt EBS users' passwords in case `apps` user passwords is known.
It handles `new` (SHA-1 + triple-DES) and `old` (SHA-1-like + RC4) encryption.

optional arguments:
  -h, --help            show this help message and exit
  -k KEY, --key KEY     APPS user password (default: APPS
  -d DATA, --data DATA  Decrypted data (test value: C4E9B591098EA0)

Usage

apps user password should be uppercase.

$ decrypt.py -k APPS -d ZH4715DC7E9C2213F7CD56D44CE1CB8625FB71D0F4935EFEAE5B8CA66117B9C2D6A1E733BA80005F4CD19706A03218E8C5E4

Pentesting Oracle EBS Application

EBS Users Brute-Force

Script brutes EBS default users with predefined passwords. It handles two types of authorization versions (don't mix with SSO!).

Help

usage: ebsUsersBforce.py [-h] [-H HOST] [-P PORT] [-s] [-t TIMEOUT] [-v]

EBS Users brute-force python script brutes EBS default users with predefined passwords.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  EBS host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  EBS web port (default: 8000)
  -s, --ssl             enable SSL
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 10)
  -v, --verbose         verbose mode

Usage

$ ebsUsersBforce.py -H ebs.example.com -P 8000

Oracle EBS Java Serialization Test

EBS Python script for Java Serialization sleep payloads testing based on Apache Commons Collections 3. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, then the testing host is potentially vulnerable to Java Deserialization attacks.

Help

usage: javaSerDetect.py [-h] [-H HOST] [-P PORT] [-u URL] [-s] [-t TIMEOUT]
                        [-v]

EBS python script for Java Serialization sleep payloads testing based on Apache Commons Collections 3.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  EBS host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  EBS web port (default: 8000)
  -u URL, --url URL     EBS target URL (default: OA_HTML/iesRuntimeServlet)
  -s, --ssl             enable SSL
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 15)
  -v, --verbose         verbose mode

Usage

$ javaSerDetect.py -H ebs.example.com -P 8000

Oracle WebLogic Level Checks

Oracle EBS XML Serialization test

Python script for XML Serialization sleep payload testing based on CVE-2017-3506 & 10271. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, then the testing host is potentially vulnerable to XML Deserialization attacks.

Help

usage: xmlSerDetect.py [-h] [-H HOST] [-P PORT] [-u URL] [-s] [-t TIMEOUT]
                       [-v]

EBS python script for XML Serialization sleep payload testing based on `CVE-2017-3506 & 10271`.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  WebLogic host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  WebLogic port (default: 7001)
  -u URL, --url URL     WebLogic target URL (default: wls-wsat/CoordinatorPortType)
  -s, --ssl             enable SSL
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 15)
  -v, --verbose         verbose mode

Usage

$ xmlSerDetect.py -H ebs.example.com -P 7001

That's all for today. Download our free ERPScan EBS Pentesting Tool and share it on Twitter.
Keep in touch and follow us on Twitter, Facebook, and LinkedIn and get more information from our ERPScan Research team.