TockenChpoken - a cookie manipulation attack in Oracle PeopleSoft
Background
During past pentests our team found several organisations using Oracle PeopleSoft, mostly for Human Resources purposes. Beyond the common weakness of weak/default accounts, we decided to look for other weaknesses, so we did some reading on less well-known attack vectors against this product and found a presentation by Alexey Tiurin at Hack In The Box 2015, "Oracle PeopleSoft applications are under attacks!"
One of the vulnerabilities shared in this presentation was manipulation of the PS_TOKEN cookie in the PeopleSoft application, which could lead to privilege escalation.
Interesting.
Discovery
Our team then looked through our customers' assets and the available bug bounty programs that list Oracle PeopleSoft as an in-scope target. We found several, tested a few, and one of them was vulnerable to this PS_TOKEN cookie manipulation, dubbed TockenChpoken.
The attack
In general, the following steps are needed to manipulate the token:
1. From an unauthenticated user's perspective, or from a low-privileged user's access, grab the PS_TOKEN cookie.
2. Obtain all necessary values, plus the signature, from the base64-encoded cookie.
3. Brute-force the PS_TOKEN.
4. If the brute-force succeeds, generate our own PS_TOKEN.
We used a Burp Suite plugin named PeopleSoft Token Extractor to collect the token and extract the necessary information.
We authenticated as a guest-access user and captured the PS_TOKEN cookie. The cookie was sent to the PeopleSoft Token Extractor for the next steps.
From the plugin's tab, we decoded the content; the plugin extracted the necessary information and generated the hash in the format that hashcat needs for cracking.
The following image shows that the current cookie session belonged to the XXX-GUEST user.
The generated SHA-1 hash was then brute-forced on our cracking server, which we internally call Crackcodile.
Crackcodile cracked the password within 5 minutes. Results may vary depending on the wordlist and server specifications.
Using the cracked value, we went back to the PeopleSoft Token Extractor tab and generated a new token for a highly privileged user in Oracle PeopleSoft, such as the PeopleSoft SuperUser, PS.
With the newly generated PS_TOKEN for the SuperUser account, we were able to access restricted directories such as HRMS, among others.
Easy.
We were awarded a handsome amount for this.