Explore a comprehensive security analysis of Oracle's eBusiness Suite in this Black Hat conference talk. Delve into the vulnerabilities discovered by David Litchfield, including unauthenticated remote code execution flaws, SQL injection vulnerabilities, and Cross Site Scripting bugs. Learn about the weaknesses in both 11.5 and 12.x versions, with demonstrations of exploit techniques. Discover methods to secure eBusiness Suite implementations against these attacks, covering topics such as trusted.conf, PL/SQL Gateway, HR UTIL DISP WEB, and SYSTEM.AD_APPS PRIVATE. Gain insights into protecting large corporate systems using this widely-deployed product, and participate in a Q&A session to address specific security concerns.
Overview
Syllabus
Intro
Who Am I?
eBusiness Suite Overview
eBusiness Suite components
eBusiness Suite Vulnerabilities
Some 11.5 Issues
trusted.conf
PL/SQL Gateway
HR UTIL DISP WEB
display_fatal errors
Attack Sequence
ORACLESSWA
RUNFUNCTION
Arbitrary SQL
Some 12.x Issues
Many ways to skin a cat
JSP forwards
Auxiliary Inject Functions 1/2
Executing SQL as SYS
SQL Injection in SYSTEM.AD_APPS PRIVATE
Securing 12.x and 11.5
Specific to Securing 11.5
Securing eBusiness Suite
Questions?
Taught by
Black Hat
Related Courses
-
Using Burp to Test for the OWASP Top Ten
-
AutoSpear - Towards Automatically Bypassing and Inspecting Web Application Firewalls
-
Blended Web and Database Attacks on Real-Time, In-Memory Platforms
-
Cross-Site Escape - Pwning macOS Safari Sandbox the Unusual Way
-
Web Application Firewalls - Analysis of Detection Logic
-
Bug Bounty Training Lessons and Bug Bounty Tutorials
5.0
