EAS-SEC. Oracle PeopleSoft Security Configuration. Part 5: Open remote management interfaces
In most cases, enterprise applications provide functionality for remote administration of the systems as well as access to various technical services. Such services can be available for connection from the Internet, and, in case of unsafe settings, be remotely managed without any authentication procedure.
PeopleSoft applications are integrated, and most remote configuration is performed in the Portal by a user with the appropriate privileges. However, it may also be possible to interact with the PeopleSoft servlets directly by sending them certain commands.
Access to the PeopleSoft Portal functions [EASSEC-PVAG-PS-11]
PeopleSoft Servlet directives provide numerous functions, which come in handy for administration. To use them, append the appropriate directive after the URL:
The password is taken from the auditPWD field in the Web Profile Configuration. By default, it is “dayoff”. Commands of this kind can reveal a lot of information about the system configuration, so they should be disabled in productive systems.
If the auditPWD custom property is present and the password is still the default one, an attacker can issue any PeopleSoft hidden web server command to reach a service and use functionality that should have restricted access.
As an example of sabotage, a malicious person can change config files (including security-related ones) and then use the ?cmd=reloadconfig switch. The changes the attacker made take effect without bouncing the PIA service (i.e. without restarting the web server), and thus may go unnoticed by a legitimate user.
As for espionage, an attacker can view the Web Profile configurations in use as well as the logs; this information can help to plan a future attack on the system.
Best practice is to disable the auditPWD property in productive systems. To do so, go to PeopleTools > Web Profile > Web Profile Configuration and select the Web Profile in use. On the Custom Properties tab there is a property called auditPWD (type = string) whose value is the profile password. Delete the row for this property. If that is not possible, set a more complex password and change it periodically.
Access to Integration Broker Administration functions [EASSEC-PVAG-PS-12]
Integration Broker Administration provides several remote management interfaces. The URLs used for remote administration are as follows:
If access to these remote management interfaces is not restricted, a malicious person can use them, which can lead to serious consequences. For example, an attacker can perform a sabotage attack by stopping the JMS Listening Connector or by setting the maximum size for query results so that queries no longer execute as they should. Malefactors can also perform an espionage attack by obtaining log files and other information that can be used to penetrate the system.
Best practice is to restrict access to the PSIGW remote management interfaces. To do so, specify security constraints for the servlets (e.g. JMSListeningConnectorAdministrator) in the web.xml file located in the [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW.war\WEB-INF directory. Then restart the web server.
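The following is an added audit helper, not code from PeopleSoft or from this guide: it parses a PSIGW-style web.xml and reports which administration servlets are mapped to URLs that no restricting security-constraint covers, so the web.xml edit recommended above can be verified after it is made. The embedded web.xml is a constructed sample; only the JMSListeningConnectorAdministrator servlet name comes from the text, while the GatewayAdminExample servlet, the url-patterns and the PSIGWAdmin role name are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PSIGW-style web.xml (not PeopleSoft's real file).
# JMSListeningConnectorAdministrator is named in the text; GatewayAdminExample,
# the url-patterns and the role PSIGWAdmin are hypothetical placeholders.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>JMSListeningConnectorAdministrator</servlet-name>
    <url-pattern>/JMSListeningConnectorAdministrator</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>GatewayAdminExample</servlet-name>
    <url-pattern>/GatewayAdminExample</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Gateway administration</web-resource-name>
      <url-pattern>/JMSListeningConnectorAdministrator</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PSIGWAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _pattern_covers(pattern, url):
    """Servlet-spec style matching: exact path, or prefix wildcard such as /admin/*."""
    if pattern == url:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return url == prefix or url.startswith(prefix + "/")
    return False


def constrained_patterns(web_xml_text):
    """Return the url-patterns covered by a security-constraint that actually
    restricts callers, i.e. one carrying an <auth-constraint> element.
    An empty <auth-constraint/> denies everyone, which also counts as restricted;
    a constraint with no <auth-constraint> restricts nobody and is ignored."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns.extend(p.text.strip() for p in _children(wrc, "url-pattern") if p.text)
    return patterns


def unprotected_servlets(web_xml_text, servlet_names):
    """List the given servlets that are mapped to at least one URL which no
    restricting security-constraint covers."""
    root = ET.fromstring(web_xml_text)
    restricted = constrained_patterns(web_xml_text)
    mappings = {}
    for sm in _children(root, "servlet-mapping"):
        name = _children(sm, "servlet-name")[0].text.strip()
        for up in _children(sm, "url-pattern"):
            mappings.setdefault(name, []).append(up.text.strip())
    exposed = []
    for name in servlet_names:
        urls = mappings.get(name, [])
        if any(not any(_pattern_covers(p, u) for p in restricted) for u in urls):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    admin_servlets = ["JMSListeningConnectorAdministrator", "GatewayAdminExample"]
    for name in unprotected_servlets(SAMPLE_WEB_XML, admin_servlets):
        print("no restricting security-constraint covers servlet:", name)
```

Run it against the real WEB-INF/web.xml by reading the file into a string and passing the list of administration servlet names you want protected; a non-empty result means the constraint still has a gap (a constraint that lists the URL but lacks an auth-constraint is deliberately reported as a gap, since it restricts nobody).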
Access to the Oracle WebLogic Administration Console [EASSEC-PVAG-PS-13]
PeopleSoft supports Oracle WebLogic web servers, which provide the same basic functionality to support PeopleSoft applications, including a console interface for remote management. Each web server has its own way of accomplishing this functionality, and each adds its own features.
The WebLogic Server Administration Console is the main utility for administering and monitoring WebLogic server processes. The WebLogic management console is accessible via a direct URL, on the same port on which the PeopleSoft Internet Architecture domain listens:
The T3 protocol likewise exposes a remote management interface:
Moreover, the Oracle WebLogic UDDI Explorer may be enabled by default. It is used to locate WSDLs for use with the web service you are building, to modify the private registry, and more. It is accessible via a URL:
WebLogic also supports a range of remote management interfaces which are disabled by default. For example, SNMP, which is often used to monitor the system. By default, it has a community string “public”.
Because the WebLogic Administration Console is located on the same port as the PeopleSoft Portal, it is available for external connections. Therefore, anyone can try to access it with default accounts (see the full list of Oracle PeopleSoft Default Accounts). The attempt is likely to succeed, as users often forget to change the default password.
Once an attacker gains access to a WebLogic server with the system account, he or she will be able to perform critical actions:
- Browse the server’s file system with read access to all files.
- Install a new application, which can lead to remote command execution, or even upload specially written malware.
Besides, an attacker can use the service to obtain a lot of useful information such as software versions, JDK versions, WebLogic settings and numerous URLs, all of which can be used for planning further attacks.
Best practice is to restrict access to the Web Server Administration Console and the other remote management interfaces (e.g. SNMP). It is also recommended to change the default credentials.
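Both the hidden servlet directives described under EASSEC-PVAG-PS-11 and the externally reachable WebLogic Administration Console described here leave traces in the web server access log. The following is an added detection example, not code from the original article or from Oracle: it parses access-log lines in Common Log Format, flags any request carrying a cmd= directive (such as ?cmd=reloadconfig from the text), and flags requests to the administration console that originate outside an allowed administration network. The log lines are constructed; the /psp/ps/ servlet path, the /console context path and the 10.0.0.0/8 administration network are assumptions for illustration and should be adapted to the deployment.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Assumptions for illustration: administrators connect only from this network,
# and /console is the context path of the WebLogic Administration Console.
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]
ADMIN_PATHS = ["/console"]

# Constructed access-log lines in Common Log Format (not real traffic). The
# ?cmd=reloadconfig directive from the text is shown as it would appear in a
# request URI; /psp/ps/ is an assumed PIA servlet path.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /psp/ps/?cmd=reloadconfig HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2015:13:56:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048',
    '10.1.2.3 - - [10/Oct/2015:14:00:00 +0000] "GET /console/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Oct/2015:14:01:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 9000',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Split one Common Log Format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _under_admin_path(path):
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PATHS)


def _from_admin_network(src):
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in ADMIN_NETWORKS)


def detect(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["uri"])
        query = parse_qs(parts.query)
        # Any cmd= directive: these should be disabled in production, so every
        # occurrence is worth an alert regardless of the HTTP status returned.
        if "cmd" in query:
            findings.append({
                "rule": "pia_servlet_directive",
                "src": rec["src"],
                "detail": query["cmd"][0],
                "status": int(rec["status"]),
            })
        # Administration console reached from outside the admin network.
        if _under_admin_path(parts.path) and not _from_admin_network(rec["src"]):
            findings.append({
                "rule": "admin_console_from_outside",
                "src": rec["src"],
                "detail": parts.path,
                "status": int(rec["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['rule']:28} src={f['src']:15} {f['detail']} (HTTP {f['status']})")
```

Feed the function the real access log line by line; the third sample line shows that console access from inside the administration network is deliberately not reported, while a directive request is reported wherever it comes from, because the recommendation above is to remove the auditPWD property altogether rather than to trust any source for it.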
To disable access to the Administration Console in Oracle WebLogic:
- After you log in to admin console, click Lock & Edit.
- In the left pane of the Console, under Domain Structure, select the domain name.
- Select Configuration > General, and click Advanced at the bottom of the page.
- Deselect Console Enabled.
- Click Save.
- To activate these changes, click Activate Changes.
- Restart Web Server.
Access to the IBM WebSphere Administration Console [EASSEC-PVAG-PS-14]
To view and configure WebSphere settings, use the web-based administrative console known as the Integrated Solutions Console (ISC), which is built on the ISC framework and provides a consistent, integrated capability for administering IBM software.
To access the ISC, enter the following URL, where the Administrative Console port is 9061:
If an attacker manages to log in under an administrative account, the entire defense system fails. First, a malicious person can obtain useful information about the system for a further attack. They can also perform various administrative actions such as changing system and security configurations. For instance, they can disable the psft_failtimeout Java option (which limits the effectiveness of Denial of Service attacks based on failed authentications) and thereby increase the chances of successful sabotage. At worst, an attacker can remotely execute any command.
Best practice is to restrict access to the WebSphere Integrated Solutions Console and the other remote management interfaces. It is also recommended to change the default logins and passwords.
To stop Integrated Solutions Console and its help system:
- On the system where Integrated Solutions Console is installed, open a command window.
- Issue the following command to stop the server:
- For Windows systems:
- For AIX, Linux, and Solaris systems:
If the Integrated Solutions Console runtime has been installed on an external WebSphere Application Server, the commands above should be executed from the bin folder of that Application Server.
- Issue the following command to stop the help system:
- For Windows systems:
- For AIX, Linux, and Solaris systems: your_isc_root/PortalServer/ISCEclipse/StopEclipse.sh, where your_isc_root is the root directory of your installation.
In addition to the services listed above, the system has other, less critical and less widespread services. Nonetheless, you should restrict access to them as well.
Furthermore, consider third-party services that may be enabled on this server, such as remote administration interfaces of various DBMSs, remote monitoring and data backup systems, etc. Access to them must be restricted by authentication at both the network and the application level wherever possible.
Stay tuned, as soon we will come back with the next critical area.