Thursday, August 23, 2007
How Oracle ERP stores password
Most Oracle Applications 11i implementations are vulnerable to a significant security weakness in the encryption of passwords within the application where an insider may be able to circumvent all application controls by accessing any application account or obtain the APPS database account password.
The fundamental issue is that the Oracle Applications 11i application account passwords are stored in the database encrypted using the APPS database password as the encryption key rather than using a strong, one-way hash algorithm.
Oracle Applications 11i stores passwords in two tables: FND_USER and FND_ORACLE_USERID. The FND_USER table stores application user account passwords and the FND_ORACLE_USERID table stores internal Oracle Applications database account passwords. Both tables use the same encryption algorithm to protect the passwords.
The FND_USER table has two columns that store passwords:
1) ENCRYPTED_FOUNDATION_PASSWORD --> stores the APPS password encrypted using the userid/password as the key.
2) ENCRYPTED_USER_PASSWORD --> stores the user password encrypted using the APPS password as the key.
If you know a valid username/password, have access to the FND_USER table and know the Java code used for the encryption, then you can obtain the APPS password of that system. And if you know the APPS password, you can obtain anyone's application password.
Both of the above columns can also hold the following values:
1) External --> set if Oracle Applications uses an external system, such as a directory server, for authentication.
2) Invalid --> set for Oracle internal users.
3) ZG_error (error message) --> if encryption fails for some reason, the error message is stored in this column and the user will not be able to authenticate.
ORACLE APPLICATIONS LOGIN PROCESS
The Oracle Applications login process involves the following general steps:
1. The ENCRYPTED_FOUNDATION_PASSWORD and ENCRYPTED_USER_PASSWORD are retrieved from FND_USER if the account exists and is active.
2. The APPS password is obtained from ENCRYPTED_FOUNDATION_PASSWORD by using the username and password as the decryption key.
3. The user password is decrypted from ENCRYPTED_USER_PASSWORD by using the APPS password as the decryption key.
4. The decrypted user password is compared to the entered user password.
If the APPS password is changed, all stored passwords are re-encrypted with the new APPS password. The APPS password should be changed using either the "Oracle Users" form or the FNDCPASS utility.
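A Python model of the storage scheme, the login steps and the APPS password change described above, added here as an illustration and not Oracle's code: the cipher is a stand-in SHA-256 keystream XOR (the real algorithm is not on this page), and names such as fnd_user_row, foundation_password and rekey_row are assumptions. It shows why the design is weak (the plaintext APPS password is an intermediate of every login, so the row plus one known user password yields it) next to the salted one-way hash alternative the post argues for.

```python
import hashlib
import hmac
import os

# Stand-in reversible cipher (SHA-256 keystream XOR). It is NOT Oracle's algorithm;
# it only models the property that matters here: whoever holds the key gets the plaintext back.
def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

decrypt = encrypt  # XOR with the same keystream undoes itself

def fnd_user_row(username: str, user_pw: str, apps_pw: str) -> dict:
    """Constructed model of the two FND_USER password columns (column names from the post)."""
    user_key = f"{username}/{user_pw}".encode()
    return {
        "ENCRYPTED_FOUNDATION_PASSWORD": encrypt(user_key, apps_pw.encode()),   # APPS pw under user key
        "ENCRYPTED_USER_PASSWORD": encrypt(apps_pw.encode(), user_pw.encode()),  # user pw under APPS key
    }

def foundation_password(row: dict, username: str, entered_pw: str) -> bytes:
    """Login step 2: the APPS password comes out in the clear for any valid user credential."""
    return decrypt(f"{username}/{entered_pw}".encode(), row["ENCRYPTED_FOUNDATION_PASSWORD"])

def login(row: dict, username: str, entered_pw: str) -> bool:
    """Login steps 2-4 as described in the post."""
    apps_pw = foundation_password(row, username, entered_pw)                 # step 2
    stored_pw = decrypt(apps_pw, row["ENCRYPTED_USER_PASSWORD"])             # step 3
    return hmac.compare_digest(stored_pw, entered_pw.encode())               # step 4

def rekey_row(row: dict, username: str, old_apps_pw: str, new_apps_pw: str) -> dict:
    """APPS password change: every row must be re-encrypted under the new key."""
    user_pw = decrypt(old_apps_pw.encode(), row["ENCRYPTED_USER_PASSWORD"]).decode()
    return fnd_user_row(username, user_pw, new_apps_pw)

def hashed_record(user_pw: str, salt: bytes = b"") -> bytes:
    """Hardened alternative: salted one-way hash, so there is no key to recover."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", user_pw.encode(), salt, 100_000)

def verify_hashed(record: bytes, entered_pw: str) -> bool:
    salt, digest = record[:16], record[16:]
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", entered_pw.encode(), salt, 100_000))
```

With the hashed form, a copy of the table gives an attacker only salted digests to guess against; with the encrypted form, every successful login already computes the APPS password in memory.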
Thanks to: http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Apps_Password_Issue.pdf