Anatomy of a Responsible Disclosure: Zero Day Vulnerability in Oracle BI Publisher, by Vishal Kalro
DESCRIPTION
Oracle Business Intelligence (BI) Publisher is a reporting tool for managing and delivering reports. It integrates with data sources such as Oracle DB, Oracle BI, SQL Server, PeopleSoft, Siebel and web services to generate flexible reports in layout types such as Word, Excel and PDF.

Oracle BI Publisher Enterprise 10.1.3.4.2 was vulnerable to a zero day Cross-Site Request Forgery (CSRF) flaw whereby an attacker could force an authenticated user to perform actions of the attacker's choosing. Successful exploitation against the administrator account could lead to unauthorised addition or deletion of users, tampering with the report delivery configuration, and similar changes. Because the product is a reporting tool, a successful CSRF attack could severely affect the confidentiality, integrity and availability of the data it handles. Oracle was very cooperative in acknowledging and addressing this issue; a patch for this vulnerability was released as part of the Critical Patch Update (CPU) on April 17 2012.

TRANSCRIPT
Zero Day Vulnerability in Oracle BI Publisher
Vishal Kalro
Anatomy of Responsible Disclosure
Agenda
Myth & Reality of Zero Day
Oracle BI Publisher and the Zero Day Exploit
Responsible Disclosure
The Saga Continues
Q & A
Zero Day Vulnerability
Zero days are increasingly being used as an arsenal for cyber warfare
Myth & Reality of Zero Day
Always Existed
Known When Exploited
No Alien Science
Affects corporates and end users
Oracle BI Publisher
Templates
1. MS Office
2. PDF
3. XML
Oracle BI Publisher - Architecture (diagram)
Input sources: Oracle, SQL Server; PeopleSoft, Siebel; Java, C++; SAP; Web Services
Output formats: PDF, RTF, HTML, Excel, XML
Destinations: Email, Printer, Fax, Repository
Exploit Scenario (diagram: Oracle BI Publisher, Administrator, Attacker)
1. Admin authenticated to the Oracle BI Publisher application
2. Attacker sends email with malicious link
3. Admin opens mail and clicks on malicious link
4. Malicious users created; reports sent to attacker
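As an added illustration of the server-side defence that closes the scenario above (example code written for this page, not Oracle's code), the following models an admin "add user" action in its vulnerable form, which trusts the session cookie alone, beside a hardened form that requires a session-bound synchronizer token and checks the request Origin. The endpoint shape, APP_ORIGIN, the request dictionaries and the session ids are all assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Hypothetical admin "add user" action modelled on the CSRF flaw described above;
# the request shape is an assumption, not BI Publisher's real API.
APP_ORIGIN = "https://bi.example.internal"   # assumed application origin
SECRET_KEY = secrets.token_bytes(32)          # per-deployment server secret (constructed)
users = set()


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: HMAC of the session id under a server-side key."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def add_user_vulnerable(req: dict, session_id: str) -> bool:
    """Vulnerable form: the session cookie alone authorises the action, so a
    cross-site request that the browser sends with the admin's cookie is accepted."""
    if not session_id:
        return False
    users.add(req["user"])
    return True


def add_user_hardened(req: dict, session_id: str) -> bool:
    """Hardened form: only a POST carrying a token bound to this session is accepted,
    and an Origin/Referer header, when present, must match the application origin."""
    if not session_id or req.get("method") != "POST":
        return False
    token = req.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False   # a forged cross-site request cannot read the token
    headers = req.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != APP_ORIGIN:
            return False
    users.add(req["user"])
    return True


if __name__ == "__main__":
    sid = "admin-session-1"   # constructed session id
    forged = {"method": "POST", "user": "backdoor",
              "headers": {"Origin": "https://attacker.example"}}   # no token
    legit = {"method": "POST", "user": "analyst", "csrf_token": issue_csrf_token(sid),
             "headers": {"Origin": APP_ORIGIN}}
    print(add_user_vulnerable(forged, sid), add_user_hardened(forged, sid),
          add_user_hardened(legit, sid))   # True False True
```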
Responsible Disclosure
Lifecycle of Responsible Disclosure (diagram: Research, Communication, Vendor Response, Patch Release, Public Disclosure)
Research: Continuous research on security flaws and vulnerabilities.
Communication: Vendor and product companies have well-established communication and response teams, secured channels and 24x7 accessibility. The zero day vulnerabilities are communicated over these secured channels.
Vendor Response: Vendor does preliminary analysis to confirm the bug and communicates back to the researcher.
Patch Release: Vendor develops the patch; patches are developed and released based on the severity of the vulnerability.
Public Disclosure: Details of the flaw are published on blogs, info sec sites, vendor sites etc.
The Saga continues
News Bits on Zero Day
Operation Aurora (2009)
Stuxnet (2010)
RSA Attack (2011)
JRE & IE (2012)
And so on…
QUESTIONS?