Transcript
Page 1: Anatomy of a Responsible Disclosure Zero Day Vulnerability in Oracle BI Publisher by Vishal Karlo

Zero Day Vulnerability in Oracle BI Publisher

Vishal Kalro

Anatomy of Responsible Disclosure

Page 2


Agenda

Myth & Reality of Zero Day

Oracle BI Publisher and the Zero Day Exploit

Responsible Disclosure

The Saga Continues

Q & A

Page 3


Zero Day Vulnerability

Page 4

Zero days are increasingly being used as an arsenal for cyber warfare

Myth & Reality of Zero Day

Always Existed

Known When Exploited

No Alien Science

Affects corporates and end users

Page 5

Oracle BI Publisher

Page 6

Oracle BI Publisher - Architecture

Templates:
1. MS Office
2. PDF
3. XML

Sources (I/P): Oracle SQL Server; Peoplesoft, Siebel; Java, C++; SAP; Web Services

Oracle BI Publisher

Output formats (O/P): PDF, RTF, HTML, Excel, XML

Destination: Email, Printer, Fax, Repository

Page 7

Exploit Scenario

Actors: Oracle BI Publisher, Administrator, Attacker

1. Admin authenticated to the Oracle BI Publisher application
2. Attacker sends email with malicious link
3. Admin opens mail and clicks on malicious link
4. Malicious users created; reports sent to attacker
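The slide does not name the vulnerability class, but the flow it draws (logged-in admin clicks a mailed link, admin-only action happens) is the shape of a cross-site request forgery. The following is an added example, not the talk's or Oracle's code: a constructed in-memory model of an admin "create user" action, first trusting the session cookie alone, then hardened with a POST-only rule, an Origin check and a synchronizer token bound to the session. Names such as `SESSIONS`, `/admin/createUser` and the `JSESSIONID` cookie are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the admin console (assumption, not Oracle code).
SESSIONS = {"sess-admin": {"user": "admin", "csrf": secrets.token_hex(16)}}
APP_ORIGIN = "https://bip.example.internal"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict
    headers: dict = field(default_factory=dict)


def vulnerable_create_user(req, users):
    """Trusts the session cookie alone: any link the admin follows while
    logged in (step 3 of the scenario) becomes an authenticated admin action."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if not sess:
        return 401
    users.add(req.params["name"])
    return 200


def hardened_create_user(req, users):
    """Same action with three independent cross-site defences."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if not sess:
        return 401
    if req.method != "POST":              # a state change never rides on a GET link
        return 405
    if req.headers.get("Origin") != APP_ORIGIN:   # set by the browser, not the page
        return 403
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):  # per-session synchronizer token
        return 403
    users.add(req.params["name"])
    return 200


def forged_link_request():
    # What the browser sends when the admin clicks the mailed link (constructed):
    # session cookie attached automatically, no token, no Origin header.
    return Request("GET", "/admin/createUser", {"JSESSIONID": "sess-admin"},
                   {"name": "attacker_backdoor"})


def legitimate_request():
    # A request issued from the application's own admin form (constructed).
    return Request("POST", "/admin/createUser", {"JSESSIONID": "sess-admin"},
                   {"name": "new_analyst", "csrf_token": SESSIONS["sess-admin"]["csrf"]},
                   {"Origin": APP_ORIGIN})


def run_scenario():
    """Returns (vulnerable status, hardened status for forged link,
    hardened status for legitimate form, vulnerable users, hardened users)."""
    vulnerable_users, hardened_users = set(), set()
    v = vulnerable_create_user(forged_link_request(), vulnerable_users)
    h_forged = hardened_create_user(forged_link_request(), hardened_users)
    h_legit = hardened_create_user(legitimate_request(), hardened_users)
    return v, h_forged, h_legit, vulnerable_users, hardened_users
```

In the model the forged link succeeds against the first handler and is refused by the second, while the legitimate form submission still works; on a real deployment the same properties are what a reviewer checks on every state-changing admin endpoint.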

Page 8

Responsible Disclosure

Page 9

Lifecycle of Responsible Disclosure

Stages: Research, Communication, Vendor Response, Patch Release, Public Disclosure

Research: Continuous research on security flaws and vulnerabilities.

Communication: Vendor and product companies have well-established communication and response mechanisms (secured channels, 24x7 accessibility). The zero day vulnerabilities are communicated; secured channels are used to communicate.

Vendor Response (vendor response teams): Vendor does preliminary analysis to confirm the bug; vendor communicates back to the researcher.

Patch Release: Vendor develops the patch; patches are developed and released based on the severity of the vulnerability.

Public Disclosure: Details of the flaw are published on blogs, info sec sites, vendor sites etc.

Page 10

The Saga continues

Page 11


News Bits on Zero Day

Operation Aurora (2009)

Stuxnet (2010)

RSA Attack (2011)

JRE & IE (2012)

And so on…

Page 12

Questions?