Formula Injection Vulnerability in Oracle PeopleSoft Enterprise

INTRODUCTION

PeopleSoft is an e-business software product line owned by Oracle®. Oracle PeopleSoft originally offered human resources and finance applications. Over the years, it has added tools and applications for general business processes, such as materials management, and applications for specific industries, such as the automotive, communications, and higher-education fields. PeopleSoft provides users with an integrated ERP software package that assists in the day-to-day execution of various business operations. PeopleSoft applications are used by human resource departments in large corporations. These applications include human resource management systems (HRMS), customer relationship management (CRM), financials and supply chain management (FSCM), and enterprise performance management (EPM).

eSecForte Technologies security researcher Tarun Sehgal found a Formula Injection vulnerability in the Query component of Oracle PeopleSoft Enterprise PeopleTools, affecting versions 8.56, 8.57 and 8.58. It has been assigned CVE-2020-2782 by MITRE.

Description: Formula Injection (or Spreadsheet Formula Injection) is a vulnerability that affects applications which export spreadsheet files dynamically constructed from inadequately validated input data. Once injected, the payload affects application end users who open the exported spreadsheet files. Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of the confidential data the spreadsheet contains.

Platform/Product: PeopleSoft Enterprise PeopleTools – Affected versions 8.56, 8.57 & 8.58

Vulnerability Name: Formula Injection in Oracle PeopleSoft Enterprise PeopleTools (HRMS)

Affected Component: Oracle PeopleSoft Enterprise PeopleTools (HRMS) – Query

Attack Type: Local

Impact: Successful exploitation of the formula injection vulnerability allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. If exploited, this vulnerability can result in unauthorized update, insert or delete access to some PeopleSoft Enterprise PeopleTools accessible data, unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data, and the unauthorized ability to cause a partial denial of service (partial DoS) of PeopleSoft Enterprise PeopleTools.

Possible attack scenarios are listed below:

  • Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
  • Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Recommendation:

This attack is difficult to mitigate, and it is explicitly excluded from quite a few bug bounty programs. The following remediations can be applied:

  • Ensure that no cells begin with any of the following characters: equals (“=”), plus (“+”), minus (“-”), at (“@”).

  • Developers can add an apostrophe (') at the beginning of any cell that starts with one of these characters. The apostrophe tells Excel that the cell does not contain a formula, and MS Excel does not display the apostrophe when it is entered as the first character in the cell.
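
The two remediations above, sketched in Python as an added example (not code from the advisory or from Oracle): a sanitizer that prefixes risky cells with an apostrophe at export time, and an audit that checks an exported CSV for cells that still begin with a trigger character. All function names and the sample rows are hypothetical; treating tab and carriage return as triggers and letting plain signed numbers through unchanged are assumptions that go beyond the page.

```python
import csv
import io
import re

# Leading characters the page says no exported cell may begin with.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Assumption beyond the page: tab and carriage return are treated the same way.
EXTRA_TRIGGERS = ("\t", "\r")
# Assumption: a plain signed number such as -40 or +3.5 is data, not a formula.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def is_risky(text):
    """True if a spreadsheet could evaluate this cell text as a formula."""
    if PLAIN_NUMBER.fullmatch(text):
        return False
    return text.startswith(FORMULA_TRIGGERS + EXTRA_TRIGGERS)


def neutralize_cell(value):
    """Return the cell as text, apostrophe-prefixed when it is risky."""
    text = "" if value is None else str(value)
    return "'" + text if is_risky(text) else text


def export_csv(rows, sanitize=True):
    """Write rows to CSV text; sanitize=False reproduces the unsafe export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [neutralize_cell(c) if sanitize else str(c) for c in row]
        writer.writerow(cells)
    return buf.getvalue()


def find_risky_cells(csv_text):
    """Audit an exported file: list (row, column, text) of risky cells."""
    reader = csv.reader(io.StringIO(csv_text))
    return [(r, c, cell) for r, row in enumerate(reader)
            for c, cell in enumerate(row) if is_risky(cell)]


# Constructed sample rows (not taken from the advisory).
SAMPLE_ROWS = [
    ["Name", "Phone", "Balance"],
    ["Asha Rao", "+91-11-5550100", 120.5],
    ["=1+1", "5550101", -40],
    ["@SUM(1,1)", "-2+3", 0],
]
```

Running `find_risky_cells` over every generated export in a regression test catches any report that bypasses the sanitizer.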

Method of Exploitation

Steps to Reproduce:

1. Log in to the Oracle PeopleSoft Enterprise PeopleTools – HRMS application with valid credentials.

2. Navigate to Workforce Administration → Personal Information → Modify a Person and click Search to display the user profile.


3. Now change the name of the user to a malicious CSV injection payload and click Save.


4. Navigate to Reports → Administration → Reimbursement Reports → Employee telephone details.


5. Click CSV text file to download the file. When the user opens the file, the CSV injection payload will execute after the user clears the warning displayed by Microsoft Excel.


6. Click Yes 5 times. This will open 5 command prompt windows on the user's system, and CMD will start pinging the com as shown in the below screenshot.

[Disclosure Process]

  1. Reported the vulnerability to the vendor's security or PSIRT team
  2. Received acknowledgement from the vendor confirming that the vulnerability exists
  3. CVE filed in NVD
  4. Vendor confirmed that the vulnerability is fixed or that a latest version or patch is released
  5. Vulnerability disclosed to the public

[Reference]
https://www.oracle.com/security-alerts/cpuapr2020.html

[Has vendor confirmed or acknowledged the vulnerability?]
Yes

[Discoverer]
Tarun Sehgal from eSecForte Technologies Pvt Ltd https://www.esecforte.com/