PeopleSoft Security. Part 3: PeopleSoft SSO & TokenChpoken Attack
In the third part of the PeopleSoft Security series, we will describe how to log in under any account and gain full access to the PeopleSoft system.
What is PeopleSoft SSO and how does it work?
Like many other enterprise business applications, PeopleSoft supports various Single Sign-On technologies. SSO enables authentication into several systems by a single action: a user logs into one system manually and into others automatically.
PeopleSoft supports its own SSO implementation based on the PS_TOKEN cookie. Here is how it works:
1. User logs into the first PeopleSoft application;
2. PeopleSoft checks the user’s credentials. If successful, it returns the session cookie and the PS_TOKEN cookie to the user;
3. When the user tries to log into another PeopleSoft server, the browser automatically sends the PS_TOKEN;
4. The second PeopleSoft server receives the PS_TOKEN, parses it, and authenticates the user if the cookie is correct.
It is noteworthy that PS_TOKEN is the only element used by the servers to exchange authentications (they have no back-end connection) and it is transmitted via the client (because it’s a cookie).
There is an important term: Node. To put it simply, a node is a system participating in SSO. Any application is a separate node. One application may also contain several nodes. Each node must have a unique name.
Two settings are required to establish SSO between two servers. First, we have to specify the node name of each PeopleSoft server at the other PeopleSoft server. This is how it knows to trust the node with that name. Second, we have to give each node a Node Password which must be the same for all PeopleSoft servers.
Therefore, the PeopleSoft SSO is basically an implementation of the Pre-Shared Key technology.
There are more details about the PS_TOKEN format. Besides some additional technical fields at the beginning, it only has a few important values:
- UserID – name of the user who has logged in
- Lang – the user’s interface language
- Node Name – name of the node which has authenticated the user
- Date And Time – when the PS_TOKEN was issued
- Signature = SHA1_Hash (UserID + Lang + Node Name + Date And Time + Node Password)
When a server gets a PS_TOKEN, it decodes the cookie (PS_TOKEN is encoded by base64), joins the four values with its Node Password, takes a SHA1 hash and compares it to the Signature in the PS_TOKEN. If they are equal, then the cookie has not been modified, so the server authenticates the user under the User ID.
Does it really look very secure?
The only value in the Signature that the attacker does not already know is Node Password.
If they can find a way to get the Node Password, they can forge a PS_TOKEN cookie with any User ID value, and the Signature will be correct.
How does one get the Node Password, then?
Easily: if we have any PS_TOKEN, we can take all important values out of it, add various passwords, and hash the result. If the hash is equal to the PS_TOKEN Signature, we have guessed the Node Password.
I have written a tool called TokenChpoken which can parse, bruteforce, and recreate PS_TOKEN cookies. This attack may not seem dangerous enough as it only allows attacking systems where SSO is established, but there are two important nuances:
- Any PeopleSoft application has at least one default local node. It is the node of the system itself. And it always trusts itself.
- There are a lot of situations when an administrator has to set the node password for default node.
Thus, even if you have never configured SSO for your PeopleSoft and it is a standalone PeopleSoft server, somebody can still attack it in the same way because we will receive a PS_TOKEN after authentication.
Moreover, the problem with this attack is that we need a PeopleSoft user account. In other words, it is a classical privilege escalation attack. What do we do if we have no account?
PeopleSoft design has more secrets.
It’s impossible to have access to some resources of a PeopleSoft Portal without authentication, but sometimes it’s necessary. Imagine an HRMS portal exposed to the Internet that needs to allow anonymous users to see available jobs and fill in the application form. Another typical example is password recovery: this is also a part of the system that an anonymous user can connect to.
To solve such tasks, there is a special PeopleSoft user with minimal PeopleSoft privileges and it is configured to log in automatically. So, if someone with no user account visits the anonymous PeopleSoft application functionality, PeopleSoft will automatically authenticate them as that special user, and a PS_TOKEN cookie will also be issued.
To sum up, we can attack a lot of PeopleSoft applications without any credentials.
Furthermore, PeopleSoft SSO is also used in other Oracle applications like JD Edwards. This allows attacking them under certain circumstances, too.
How to defend your PeopleSoft system:
- Disable SSO completely (but very often it’s impossible because a part of PeopleSoft will not work at all)
- Set up a very complex Node Password (max 24 symbols)
- Use certificates instead of Node Passwords