Zero Day Vulnerability in Oracle BI Publisher
Vishal Kalro
Anatomy of Responsible Disclosure
Agenda
Myth & Reality of Zero Day
Oracle BI Publisher and the Zero Day Exploit
Responsible Disclosure
The Saga Continues
Q & A
Zero Day Vulnerability
Zero days are increasingly being used as an arsenal for cyber warfare
Myth & Reality of Zero Day
Always Existed
Known When Exploited
No Alien Science
Affects - Corporates & End users
Oracle BI Publisher
Templates:
1. MS Office
2. PDF
3. XML
Oracle BI Publisher - Architecture (diagram)
Sources (I/P): Oracle, SQL Server, PeopleSoft, Siebel, Java, C++, SAP, Web Services
Oracle BI Publisher: Repository
Output (O/P): PDF, RTF, HTML, Excel, XML
Destination: Email, Printer, Fax
Exploit Scenario (diagram)
1. Administrator is authenticated to the Oracle BI Publisher application
2. Attacker sends email with malicious link
3. Admin opens mail and clicks on malicious link
4. Malicious users created; reports sent to attacker
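The scenario above has a familiar shape: an administrator's browser is already authenticated, an attacker-supplied link makes the browser issue a request, and the application performs an administrative action because the session cookie arrives with it. The usual defence for that shape is to accept state-changing requests only when they carry a secret token bound to the session, which a link on an attacker's page cannot know. The following Python model is an added example, not code from this presentation or from Oracle's product, and it assumes nothing about how BI Publisher actually handles the request; the in-memory session store, the `create_user_*` handlers, the `APP_ORIGIN` value and the request dictionaries are all constructed here for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the legitimate admin UI (constructed placeholder).
APP_ORIGIN = "https://bip.example.internal"


@dataclass
class Session:
    """One authenticated session; each session gets its own anti-forgery token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed in-memory session store: session id -> Session.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session for an already-authenticated user; returns the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token that the application's own pages embed in their forms."""
    return SESSIONS[sid].csrf_token


def create_user_weak(request: dict, users: list) -> bool:
    """Weak handler, modelling the slide's scenario.

    It trusts any request that carries a valid session cookie. The browser attaches
    the cookie automatically, so a link on an attacker's page (steps 2-3) is enough
    to make the admin's browser perform the action.
    """
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return False
    users.append(request.get("params", {})["new_user"])
    return True


def create_user_hardened(request: dict, users: list) -> bool:
    """Hardened handler: cookie alone is not enough to change state."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return False
    # State-changing actions are accepted only via POST, never via a plain link.
    if request.get("method") != "POST":
        return False
    params = request.get("params", {})
    # The token must match the one bound to this session; compare in constant time.
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return False
    # Defence in depth: if the browser sent an Origin header, it must be our own.
    origin = request.get("origin")
    if origin is not None and origin != APP_ORIGIN:
        return False
    users.append(params["new_user"])
    return True


def run_demo() -> dict:
    """Replay the scenario against both handlers; returns what each accepted."""
    sid = login("admin")
    # Constructed request as produced by a malicious link: GET, no token, foreign origin.
    forged = {"cookie": sid, "method": "GET",
              "params": {"new_user": "backdoor"}, "origin": "https://attacker.example"}
    # Constructed request as produced by the real admin form.
    legit = {"cookie": sid, "method": "POST",
             "params": {"new_user": "alice", "csrf_token": csrf_token_for(sid)},
             "origin": APP_ORIGIN}
    weak_users, hard_users = [], []
    return {
        "weak_accepts_forged": create_user_weak(forged, weak_users),
        "hardened_accepts_forged": create_user_hardened(forged, hard_users),
        "hardened_accepts_legit": create_user_hardened(legit, hard_users),
        "weak_users": weak_users,
        "hardened_users": hard_users,
    }


if __name__ == "__main__":
    print(run_demo())
```

The weak handler creates the attacker's account from the forged request; the hardened one rejects it and still accepts the administrator's own form submission. The Origin check is only defence in depth, because older browsers may omit the header; the session-bound token is the control the handler relies on.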
Responsible Disclosure
Lifecycle of Responsible Disclosure (diagram): Research -> Communication -> Vendor Response -> Patch Release -> Public Disclosure
Research: Continuous research on security flaws and vulnerabilities
Vendor response teams: Vendor and product companies have well-established communication and response mechanisms; secured channels; 24x7 accessibility
Communication: The zero day vulnerabilities are communicated; secured channels are used to communicate
Vendor Response: Vendor does preliminary analysis to confirm the bug; vendor communicates back to the researcher
Patch Release: Vendor develops the patch; patches are developed and released based on the severity of the vulnerability
Public Disclosure: Details of the flaw are published on blogs, infosec sites, vendor sites etc.
The Saga continues
News Bits on Zero Day
Operation Aurora (2009)
Stuxnet (2010)
RSA Attack (2011)
JRE & IE (2012)
And so on…
Questions?