Source: myhack58 (www.myhack58.com) | Author: Anonymous | ID: MYHACK58:62201682335
Published: Dec 22, 2016 - 12:00 a.m.

Oracle Property Management Platform: analysis of the remote command execution and cardholder data decryption vulnerabilities


EPSS: 0.001 (percentile: 36.6%)

Recently, I found that Oracle Opera, the front-desk data management system used by some large business hotels, contains multiple security vulnerabilities. Attackers can exploit these vulnerabilities to escalate privileges in the hotel booking application and obtain higher user rights; they can also reach the back-end database and operating system of the property management network and carry out RCE attacks. By exploiting these vulnerabilities, an unauthenticated attacker can get into the Oracle Opera database system and steal customers' identity information, telephone numbers and other private data. Oracle reportedly received the vulnerability reports, fixed the vulnerabilities promptly, and released a vulnerability report describing them in detail. [Reports portal]

Oracle Opera system introduction
Oracle Opera, also known as Opera PMS and formerly known as Micros Opera, is a hotel front-desk operating system built by the Oracle subsidiary Micros for large business hotels around the world. It gives hotel management and staff comprehensive system management tools so that they can quickly and efficiently handle customer information, reservations, check-in and check-out, room allocation, facilities management, account billing and other daily work. Hyatt, Hilton and other globally known hotels use the Opera PMS system.
When a customer completes the payment process, the application stores the customer's bank card information, including the PAN (credit card account number), expiration date and cardholder name, in the system's back-end database. Security researchers have so far disclosed 3 kinds of attack that give access to the back-end database. Once an attacker has database login permissions, he can steal and decrypt the private data stored there.
After analysis I found that the exposure of user data to attackers stems mainly from the Opera PMS system itself and is independent of how users operate it; at the same time, black-box testing alone is not enough to determine the nature of the vulnerabilities. Unlike solutions where the provider receives vulnerability reports and fixes the vulnerabilities through internal testing, the Opera PMS vendor supplies the full solution to its many users, which gives attackers a great deal of room to work on the Opera PMS system. An attacker can easily identify software defects and can analyze and test the software legally. After the corresponding dynamic and static analysis, the attacker can find the best starting point for getting "into" the system database.
Vulnerability details
No. 1 CVE-2016-5665: stealing system log files to carry out session hijacking
When users log in to the Oracle Opera system, they can select one of the system's interfaces for an interactive session. The request that launches the interface contains the user's session token, interface-specific startup parameters and other related information.
The problem is that the system places the session token and the other parameters used for the user's interactive session in a file in a directory, and an unauthenticated attacker can access that file through the web server. This is a threat.
All the attacker needs to do is "sit back and wait" until a user with system administrator rights logs in to Opera. Once that user has logged in successfully, the attacker can, through the application, obtain full operating authority over the system and perform any operation on its data, because a system administrator has higher system permissions and can query, modify and delete data in the database, among other important operations. Once the attacker has admin permissions, data leakage cannot be avoided.
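An added example, not from the original article or from Oracle: a defender-side audit for the condition behind CVE-2016-5665, namely session tokens written to files inside a directory the web server serves. The parameter names, file extensions and sample tree are assumptions constructed for illustration; the article does not name the real paths or parameters.

```python
import os
import re
import tempfile

# Assumed token parameter names; the article does not give the real ones.
TOKEN_RE = re.compile(
    r"(?i)\b(sessionid|session_token|token|sid)=([A-Za-z0-9_\-]{16,})")
# Text-like files worth scanning inside a served directory (assumption).
TEXT_EXTS = {".log", ".txt", ".html", ".htm", ".cfg", ".xml"}


def find_exposed_token_files(docroot, max_bytes=1_000_000):
    """Return sorted [(path relative to docroot, token-like hit count)] for
    files under the web-served directory that contain session tokens."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    data = fh.read(max_bytes)  # bound memory on huge logs
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = len(TOKEN_RE.findall(data))
            if hits:
                findings.append((os.path.relpath(path, docroot), hits))
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed sample tree: one launch log with tokens, one harmless page."""
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "logs", "launch.log"), "w") as fh:
        fh.write("2016-12-01 09:00:01 launch form=FRONTDESK "
                 "sessionid=A1b2C3d4E5f6G7h8I9j0\n")
        fh.write("2016-12-01 09:05:44 launch form=ADMIN "
                 "sessionid=Z9y8X7w6V5u4T3s2R1q0\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>\n")


def demo():
    """Run the audit against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return find_exposed_token_files(root)


if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}: {hits} token-like value(s) in a web-served file")
```

Any finding means a file that should live outside the document root, or be denied by the web server configuration, is reachable without authentication.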
It should be noted that attackers tend not to use the above method to steal user information, because it is too slow and not "safe" enough: it is easily noticed. The system stores every query statement a user submits at the application layer. Compared with using the interactive interface provided by Oracle Forms, establishing a connection directly with the database server is much faster and more efficient.
No. 2 CVE-2016-5664: an attacker can leak the system's database credentials
If the attacker shares a network with the database server, he can steal the database credentials by constructing a database connection string. This is because, in the Oracle Opera system, the database credentials, the service name and other information are returned in the HTML response to an already authenticated request sent to the server, which is used to launch the Oracle Forms software. By invoking an unauthenticated servlet, the attacker can obtain the database server's host name.
