Oracle Business Intelligence (BI) Publisher is a reporting tool for managing and delivering reports. It integrates with data sources such as Oracle DB, Oracle BI, SQL Server, PeopleSoft, Siebel and web services to generate flexible reports in layouts such as Word, Excel and PDF. Oracle BI Publisher Enterprise 10.1.3.4.2 was vulnerable to a zero-day Cross-Site Request Forgery (CSRF) flaw whereby an attacker could force an authenticated user to perform actions of the attacker's choosing. Successful exploitation against the administrator account could lead to malicious addition or deletion of users, malicious configuration of report delivery, and so on. Because the product is a reporting tool, successful exploitation of the CSRF vulnerability could severely affect the confidentiality, integrity and availability of data. Oracle was very cooperative in acknowledging and addressing this issue. A patch for this vulnerability was released as part of their Critical Patch Update (CPU) on April 17, 2012.
2. Agenda
Myth & Reality of Zero Day
Oracle BI Publisher and the Zero Day Exploit
Responsible Disclosure
The Saga Continues
Q&A
3. Zero Day Vulnerability
4. Myth & Reality of Zero Day
Zero days are increasingly being used as an arsenal for cyber warfare.
6. Oracle BI Publisher - Architecture
[Architecture diagram. Input (I/P) sources: Oracle, Oracle BI, SQL Server, PeopleSoft, Siebel, Web Services, XMLA, SAP, Java, C++. Templates: 1. MS Office, 2. PDF, 3. XML. Output (O/P) formats: PDF, RTF, HTML, Excel. Destinations: Email, Printer, Fax, Repository.]
7. Exploit Scenario
[Diagram, reconstructed as steps:]
1. Admin is authenticated to the Oracle BI Publisher application.
2. Attacker sends an email with a malicious link.
3. Admin opens the mail and clicks on the malicious link.
4. Malicious users are created; reports are sent to the attacker.
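The server-side defence against the scenario above, as an added example that is not from the talk or from Oracle's product: a generic check for a state-changing admin request that rejects the forged request because it carries neither the application's origin nor a session-bound anti-CSRF token. The origin, form fields and session id are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Mapping
from urllib.parse import urlsplit

# Constructed application origin and server secret for this example.
APP_ORIGIN = "https://bipublisher.example.internal"
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Derive an anti-CSRF token bound to the user's session.

    A page on another origin cannot read this value (same-origin policy), so a
    forged request cannot include it even though the browser attaches the cookie.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix match would accept look-alike hosts."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def is_request_allowed(session_id: str, headers: Mapping[str, str],
                       form: Mapping[str, str]) -> bool:
    """Decide whether a state-changing request (e.g. creating a user) may proceed."""
    # 1. Origin/Referer check: a request launched from an attacker page carries
    #    that page's origin, not the application's.
    if not _same_origin(headers.get("Origin") or headers.get("Referer", "")):
        return False
    # 2. Synchronizer-token check, compared in constant time.
    return hmac.compare_digest(form.get("csrf_token", ""), issue_token(session_id))


def demo() -> tuple:
    """Run one legitimate and one forged request through the check (constructed data)."""
    session = "admin-session-0123"
    cookie = {"Cookie": "JSESSIONID=" + session}
    legit = is_request_allowed(session, {"Origin": APP_ORIGIN, **cookie},
                               {"action": "create_user", "csrf_token": issue_token(session)})
    # The forged request is the exploit scenario: the browser sends the admin's
    # cookie, but the attacker page supplies neither the origin nor the token.
    forged = is_request_allowed(session, {"Origin": "https://attacker.example", **cookie},
                                {"action": "create_user"})
    return legit, forged
```

Clients that send neither Origin nor Referer are rejected by this check; if such clients must be supported, the token check alone still blocks the forged request.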
9. Lifecycle of Responsible Disclosure
[Diagram, reconstructed as stages:]
Research: continuous research on security flaws and vulnerabilities.
Vendor & product companies have well-established communication and response mechanisms: secured channels, 24x7 accessibility.
Vendor response: the zero-day vulnerabilities are communicated over secured channels; the vendor does preliminary analysis to confirm the bug and communicates back to the researcher.
Vendor develops the patch: patches are developed and released based on the severity of the vulnerability.
Details of the flaw are published on blogs, InfoSec sites, vendor sites etc.