Oracle MICROS POS breached again

The insecurity of POS systems is nothing new. Breaches of point-of-sale payment terminals have been widely covered in the media. Given that these devices handle personal information, orders and card details, it is small wonder that they are a coveted target for hackers. What matters here is that Oracle MICROS was breached in 2016, and perpetrators now show greater interest in POS systems.

Oracle MICROS POS vulnerability

As specialists in the security of business applications and fraud-prone critical systems, we aim to identify vulnerabilities before hackers exploit them. In September 2017, researcher Dmitry Chastuhin (aka @_chipik) from our security team found an Oracle MICROS POS vulnerability (CVE-2018-2636). Oracle fixed it in its Critical Patch Update (CPU) of January 2018.

According to the Oracle CPU, CVE-2018-2636 was assigned a CVSS v3 score of 8.1. This means the issue is dangerous and should be patched as a priority; otherwise, an attacker can read any file and obtain information about various services from a vulnerable MICROS workstation without authentication.

Figure: A number of MICROS POS systems exposed to the Internet

CVE-2018-2636 is a directory traversal vulnerability in the Oracle MICROS EGateway Application Service. If an insider has access to the vulnerable URL, they can pilfer numerous files from the MICROS workstation, including service logs, and read files such as SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords for connecting to the DB, information about ServiceHost, etc.

So the attacker can snatch DB usernames and password hashes, brute-force them and gain full access to the DB with all the business data. There are several exploitation paths, each leading to compromise of the entire MICROS system.

If you doubt that gaining access to a POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect them to a Raspberry Pi, and scan the internal network. That is where they easily discover a POS system. Remember that the next time you pop into a store.

Furthermore, you can search for this URL on the Internet: Shodan shows at least 170 such systems available online.

Figure: Digital scales with freely accessible RJ45 ports

Exploitation

Figure: An example of a vulnerable URL on the test MICROS server

The picture above shows an example of a vulnerable URL on our test MICROS server. This URL is subject to CVE-2018-2636. After receiving a malicious request, for example a request to read the ServiceHost.xml file, the vulnerable MICROS server sends back a response containing the ServiceHost.xml contents.

Figure: Response of the vulnerable MICROS server opened in a text editor

Although this vulnerability was patched only recently, it can still be found in a lot of MICROS POS systems. You can use our script to make sure that your environment is not affected.
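The check script mentioned above is not reproduced in this post, so the following is an added example (not ERPScan's script) of the defender-side counterpart: a small detector that runs over web access logs of the EGateway service and flags requests carrying directory traversal sequences, including percent-encoded and doubly encoded variants, or naming the configuration files listed above. The log format and the "/egateway/" path are constructed assumptions; the real endpoint appears only in the post's screenshot.

```python
import re
from urllib.parse import unquote

# Files named in the post that the traversal lets an unauthenticated requester read.
SENSITIVE_FILES = ("SimphonyInstall.xml", "Dbconfix.xml", "ServiceHost.xml")

# Traversal sequences, matched after percent-decoding (covers ../ and ..\).
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Constructed sample access log (client, method, path, status). The "/egateway/"
# path is a hypothetical placeholder; the real endpoint is not reproduced here.
SAMPLE_LOG = """\
10.0.0.5 GET /egateway/ 200
10.0.0.9 GET /egateway/?file=..%2F..%2F..%2FServiceHost.xml 200
10.0.0.9 GET /egateway/?file=%252e%252e%2f%252e%252e%2fDbconfix.xml 200
10.0.0.7 GET /egateway/status 200
10.0.0.9 GET /egateway/?file=../../SimphonyInstall.xml 404
"""

def normalise(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so doubly encoded traversal sequences surface."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line: str):
    """Return (client, severity, reason) for a suspicious request, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, _method, path, status = parts
    decoded = normalise(path)
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    hit = next((f for f in SENSITIVE_FILES if f.lower() in decoded.lower()), None)
    if hit:
        reasons.append(f"sensitive file {hit}")
    if not reasons:
        return None
    # A 200 on a traversal read means the file was served: treat as a likely success.
    severity = "high" if status == "200" else "attempt"
    return client, severity, "; ".join(reasons)

def scan_log(text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, text.splitlines()) if hit]
```

A "high" hit on an unpatched workstation is a strong indicator that configuration files with DB credentials have already left the host, so it warrants credential rotation as well as patching.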

Protection

If you want to secure your systems against cyberattacks, you have to consistently apply all security patches provided by your vendor. In this case, refer to the Oracle CPU of January 2018.

However, this news should definitely not be seen as a light at the end of the tunnel. There may be other vulnerabilities in POS systems that have yet to be disclosed. Several examples of POS attacks confirm this.

Last November, representatives of the Forever 21 store chain confirmed a breach of their point-of-sale systems that resulted in a leak of credit card data; the volume of the leak was not disclosed.

Point-of-sale terminals are something the average person deals with every day. That makes this area especially important and calls for extra attention and appropriate security measures.

Find out more in our whitepaper “GET TO THE MONEY: HACKING POS AND POP SYSTEMS”, which covers recent POS vulnerabilities in the systems of another vendor, SAP.
