CVE-2018-2879 – Vulnerability in Oracle Access Manager can let attackers impersonate any user account

Security researchers have discovered a security vulnerability in Oracle Access Manager that can be exploited by a remote attacker to bypass the authentication and take over the account of any user.

Security researcher Wolfgang Ettlinger from SEC Consult Vulnerability Lab has discovered a security vulnerability in Oracle Access Manager that can be exploited by a remote attacker to bypass the authentication and take over the account of any user or administrator on affected systems.

Oracle Access Management provides Web SSO with MFA,  coarse-grained authorization and session management, and standard SAML Federation and OAuth capabilities to enable secure access to mobile applications and external cloud.

The flaw, tracked as CVE-2018-2879, relates a flawed cryptographic format used by the Oracle Access Manager.

“The Oracle Access Manager is the component of the Oracle Fusion Middleware that handles authentication for all sorts of web applications,” SEC Consult researcher Wolfgang Ettlinger explained.

“we will demonstrate how minor peculiarities of the cryptographic implementation had a real-life impact on the security of the product. By exploiting this vulnerability we were able to fabricate arbitrary authentication tokens, allowing us to impersonate any user and effectively break the main functionality of OAM.”

Ettlinger explained that an attacker can exploit a vulnerability in the way OAM handles encrypted messages to trick the software into accidentally disclosing information that can be used to log in impersonating other users.

The attacker can power a padding oracle attack to disclose an account’s authorization cookie, he can create a script that generates valid login keys for any desired user, including administrators.

“During a research project, we found that a cryptographic format used by the OAM exhibits a serious flaw. By exploiting this vulnerability, we were able to craft a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow us to access protected resources.” explained the expert.

 “What’s more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM.”

The following video PoC shows that an attacker can impersonate arbitrary users by triggering the flaw.

 

To read the original article

https://securityaffairs.co/wordpress/72097/hacking/oracle-access-manager-flaw.html

 

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *