[ERPSCAN-14-023] Oracle PeopleSoft PeopleTools – insecure AccessID encryption

Application: Oracle PeopleSoft PeopleTools
Versions Affected: Oracle PeopleSoft PeopleTools 8.53 / 8.50
Vendor URL: http://www.oracle.com
Bugs: Insecure encryption
Exploits: YES
Reported: 11.06.2014
Vendor response: 12.06.2014
Date of Public Advisory: 17.10.2014
Reference: Oracle CPU October 2014
Author: Alexey Tyurin (ERPScan)

A remote attacker can gain access to the database.
The AccessID password is stored XOR-encoded rather than encrypted, so anyone with ConnectionID account access to the database can recover the plain text version of the password.

Business Risk
The vulnerability can lead to disclosure of information on the system without authentication and can help an attacker penetrate the system. An attacker can use the information from this service in subsequent attacks, which will lead to illegal access to business-critical information.

The PeopleSoft application server (and some tools) connects to the database with a ConnectionID. The server stores it in plain text in some configuration files.
However, the ConnectionID only gives access to some tables. For highly privileged operations, the application server uses the AccessID, which is stored in the database (accessible with the ConnectionID).
Oracle documentation says that the AccessID password is encrypted, but this is incorrect. The password is just XOR’ed with a hardcoded value.
We have made a small tool which converts “encrypted” AccessID passwords into plain text.
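
Why XOR with a hardcoded value does not count as encryption, shown as an added example (this is not ERPScan's tool and not PeopleTools code): a review check that tells whether a stored-secret format is consistent with a single fixed XOR pad, using test credentials the reviewer set on a lab system. The pad, the sample passwords and all function names are constructed for illustration, and repeating the pad for long inputs is an assumption.

```python
from itertools import cycle

# Constructed stand-in for a constant compiled into a product. The real
# PeopleTools value is not in the advisory and is not reproduced here.
HARDCODED_PAD = bytes.fromhex("5a13c7e8913f64d2a0b74c19e6d3882f")


def xor_with_pad(data: bytes, pad: bytes = HARDCODED_PAD) -> bytes:
    """Fixed-pad XOR. Repeating the pad for long inputs is an assumption."""
    return bytes(d ^ k for d, k in zip(data, cycle(pad)))


def implied_pad(plaintext: bytes, stored: bytes) -> bytes:
    """Pad bytes implied by one known (plaintext, stored) pair."""
    return bytes(p ^ s for p, s in zip(plaintext, stored))


def consistent_with_fixed_xor(pairs) -> bool:
    """Review check: do all known pairs imply the same pad at every offset?

    True means the stored form carries no per-record or per-install secret,
    so read access to the stored values is equivalent to the plaintext.
    """
    pad_at = {}
    for plaintext, stored in pairs:
        if len(plaintext) != len(stored):
            return False  # XOR preserves length, so a mismatch rules it out
        for offset, byte in enumerate(implied_pad(plaintext, stored)):
            if pad_at.setdefault(offset, byte) != byte:
                return False
    return True


if __name__ == "__main__":
    # Constructed test credentials set by the reviewer on a lab system.
    known = [b"LabPassw0rd1", b"An0therTest"]
    pairs = [(p, xor_with_pad(p)) for p in known]
    print("fixed-XOR storage:", consistent_with_fixed_xor(pairs))
    # One known pair is enough to read a different stored value.
    pad = implied_pad(*pairs[0])
    other = xor_with_pad(b"Unrelated9")
    print("recovered:", xor_with_pad(other, pad))
```

A `True` result means the secret's confidentiality rests entirely on who can read the table, so the low-privileged database account has to be treated as equivalent to the high-privileged one.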