Anatomy of a Responsible Disclosure Zero Day Vulnerability in Oracle BI Publisher by Vishal Karlo

Oracle Business Intelligence (BI) Publisher is a reporting tool for managing and delivering reports. It integrates with data sources such as Oracle Database, Oracle BI, SQL Server, PeopleSoft, Siebel and web services, and renders reports in layouts such as Word, Excel and PDF.

Oracle BI Publisher Enterprise 10.1.3.4.2 was vulnerable to a zero-day Cross-Site Request Forgery (CSRF) flaw: an attacker could force the browser of an authenticated user to perform state-changing actions of the attacker's choosing. Against an administrator session, successful exploitation could add or delete users, alter report-delivery configuration, and so on. Because the product is a reporting tool sitting on top of business data, exploitation of this CSRF flaw could severely affect the confidentiality, integrity and availability of that data. Oracle was very cooperative in acknowledging and addressing the issue; a patch was released as part of the Critical Patch Update (CPU) of April 17, 2012.
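The attack flow the talk describes (an administrator with a live BI Publisher session opens the attacker's link, and the browser submits an admin action carrying the admin's own cookie), modelled as an added Python example that is not code from the talk, from the author, or from Oracle. The endpoint path `/admin/addUser`, the `JSESSIONID` cookie name, the hosts, the session data and the `Request` class are assumptions constructed for this example. The hardened handler uses a per-session synchronizer token plus an Origin check, which is the standard CSRF defence; it is not a description of Oracle's actual fix.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Just enough of an HTTP request to show why cookie-only authorisation is forgeable."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed server-side state (hypothetical): one logged-in administrator session.
ADMIN_SESSION_ID = "3F2A9C7E1B"                  # hypothetical JSESSIONID value
SESSIONS = {
    ADMIN_SESSION_ID: {
        "user": "Administrator",
        "role": "admin",
        "csrf_token": secrets.token_hex(16),     # per-session synchronizer token
    }
}
TRUSTED_ORIGIN = "https://bip.example.internal"  # hypothetical BI Publisher origin


def session_of(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("JSESSIONID"))


def add_user_vulnerable(req: Request, users: set) -> int:
    """Pre-patch pattern: the session cookie alone authorises the action, so any
    page that can make the admin's browser send this request succeeds."""
    sess = session_of(req)
    if sess is None or sess["role"] != "admin":
        return 403
    users.add(req.form["username"])
    return 200


def add_user_hardened(req: Request, users: set) -> int:
    """Hardened pattern: same cookie check, plus (1) POST only, (2) Origin must be
    the application's own origin, (3) the form must carry the per-session token,
    compared in constant time."""
    sess = session_of(req)
    if sess is None or sess["role"] != "admin":
        return 403
    if req.method != "POST":
        return 405
    if req.headers.get("Origin") != TRUSTED_ORIGIN:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403
    users.add(req.form["username"])
    return 200


def attacker_page(target: str, new_user: str) -> str:
    """The 'malicious link' of the exploit scenario: a page that auto-submits a
    cross-site form to the admin endpoint. The browser adds the admin's cookie;
    the attacker never needs to read it."""
    return f"""<html><body onload="document.forms[0].submit()">
<form method="POST" action="{target}/admin/addUser">
  <input type="hidden" name="username" value="{new_user}">
  <input type="hidden" name="password" value="attacker-chosen">
</form></body></html>"""


def forged_request(new_user: str) -> Request:
    """What the server receives when the admin's browser renders attacker_page():
    cookie present (browser-added), Origin = attacker's site, no CSRF token."""
    return Request(
        method="POST",
        path="/admin/addUser",
        cookies={"JSESSIONID": ADMIN_SESSION_ID},
        headers={"Origin": "https://attacker.example"},
        form={"username": new_user, "password": "attacker-chosen"},
    )


def legitimate_request(new_user: str) -> Request:
    """The same action submitted from the application's own admin form."""
    return Request(
        method="POST",
        path="/admin/addUser",
        cookies={"JSESSIONID": ADMIN_SESSION_ID},
        headers={"Origin": TRUSTED_ORIGIN},
        form={"username": new_user,
              "csrf_token": SESSIONS[ADMIN_SESSION_ID]["csrf_token"]},
    )


def run_scenario() -> dict:
    """Replay the forged request against both handlers and return the outcomes."""
    users_before_patch, users_after_patch = {"Administrator"}, {"Administrator"}
    forged = forged_request("backdoor")
    return {
        "vulnerable_status": add_user_vulnerable(forged, users_before_patch),
        "vulnerable_users": users_before_patch,
        "hardened_status": add_user_hardened(forged, users_after_patch),
        "hardened_users": users_after_patch,
        "legit_status": add_user_hardened(legitimate_request("auditor"), users_after_patch),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows the forged request creating `backdoor` through the vulnerable handler and being rejected by the hardened one, while the application's own form (correct Origin and token) still works. The synchronizer token is the primary control; the Origin check is defence in depth, since some clients omit the header, and a `SameSite` attribute on the session cookie would add a third layer in browsers that honour it.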



  1. Anatomy of Responsible Disclosure: Zero Day Vulnerability in Oracle BI Publisher. Vishal Kalro
  2. Agenda: Myth & Reality of Zero Day; Oracle BI Publisher and the Zero Day Exploit; Responsible Disclosure; The Saga Continues; Q&A
  3. (Word-cloud slide: "Zero Day" repeated across the page, with "Zero Day Vulnerability" at the centre)
  4. Myth & Reality of Zero Day: zero days are increasingly being used as an arsenal for cyber warfare.
  5. Oracle BI Publisher
  6. Oracle BI Publisher - Architecture. Sources (input): Oracle, SQL Server, PeopleSoft, Siebel, Java, C++, XMLA, SAP, Web Services. Engine: Oracle BI Publisher, with Repository and Templates. Output formats: MS Office, PDF, XML, RTF, HTML, Excel. Destinations: Email, Printer, Fax.
  7. Exploit Scenario. (1) The Administrator is authenticated to the Oracle BI Publisher application. (2) The Attacker sends the Administrator an email containing a malicious link. (3) The Administrator opens the mail and clicks the malicious link. (4) Malicious users are created in BI Publisher and reports are sent to the attacker.
  8. Responsible Disclosure
  9. Lifecycle of Responsible Disclosure. Research: continuous research on security flaws and vulnerabilities; details of the flaw are published on blogs, InfoSec company sites, vendor sites, etc. Vendor & Product: InfoSec companies have well-established communication and response mechanisms (secured channels, 24x7 accessibility). Communication: the zero-day vulnerabilities are communicated to the vendor over secured channels. Vendor Response: the vendor does a preliminary analysis to confirm the bug and communicates back to the researcher. Vendor develops the patch: patches are developed and released based on the severity of the vulnerability.
  10. The Saga Continues
  11. News Bits on Zero Day: Operation Aurora (2009), Stuxnet (2010), RSA Attack (2011), JRE & IE (2012), and so on…
  12. Questions?
