Two Belgian security researchers have found a flaw in Oracle Access Manager (OAM) version 10g: 99 percent of the companies they checked had not configured it properly, leaving those organizations open to a specially crafted phishing attack.
The potential attack centers on what self-described ethical hacker Nabeel Ahmed calls a Super Cookie, the ObSSOCookie. This cookie carries the user's session in OAM's single sign-on (SSO) implementation, which is what makes it so powerful to anyone who obtains it. A Super Cookie is issued when a user attempts to gain access to a protected resource.
The flaw stems from improper configuration of the OAM server by the host corporations, something Ahmed and his partner Tom Gillis found in 99 of the 100 companies they investigated. Oracle informed the two researchers that mitigation simply requires IT managers to define SSODomains, and directed them to two websites on the subject.
"We found hundreds of hundreds of high profile organisations with the same misconfiguration, all of them exposed against session hijacking. We analyzed 100 high profile domains and only 1 was properly secured against this attack! Unfortunately we cannot share the domains that are affected, but if you look for it you'll be able to find them," he wrote.
The problem the researchers discovered is that the Super Cookie is handed over through a GET request, and a URL carrying a session token is exposed in several ways: it can be cached, retained in the browser's memory, or even bookmarked. None of these is acceptable when protecting sensitive data.
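A token that travels in a GET request ends up wherever URLs end up, including in web server and proxy logs. The following scanner, added here as an illustration and not code from the researchers or from Oracle, walks combined-format access-log lines and flags requests whose query string or Referer carries a session parameter. The log lines are constructed, and the parameter names it watches for (ObSSOCookie, OAMREQ and two generic names) are an assumption, since the article does not say which query parameter OAM 10g uses.

```python
"""Scan access-log lines for session tokens leaking through GET query strings.

Added illustration; not code from the researchers or from Oracle. The log
lines below are constructed and the watched parameter names are assumed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that should never appear in a URL (assumed names).
SENSITIVE_PARAMS = {"obssocookie", "oamreq", "session", "token"}

# Apache/nginx "combined" format:
#   ip ident user [ts] "METHOD target PROTO" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def sensitive_params_in_url(url):
    """Return the names of sensitive query parameters present in `url`."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def scan_log(lines):
    """Return (line_no, where, client_ip, param) for every token seen in a
    request target or Referer. Lines that do not parse are skipped."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = _LOG_RE.match(line)
        if not match:
            continue
        for where in ("target", "referer"):
            url = match.group(where)
            if url in ("", "-"):
                continue
            for name in sensitive_params_in_url(url):
                findings.append((line_no, where, match.group("ip"), name))
    return findings


# Constructed sample log: line 2 leaks the token in the request URL, line 3
# leaks it again through the Referer header of a follow-on request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2017:09:12:01 +0000] "GET /sso/login HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2017:09:12:04 +0000] '
    '"GET /app/home?ObSSOCookie=REDACTED_TOKEN_VALUE HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2017:09:13:10 +0000] "GET /app/report HTTP/1.1" 200 800 '
    '"https://sso.example.com/app/home?ObSSOCookie=REDACTED_TOKEN_VALUE" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2017:09:13:12 +0000] "GET /app/home?page=2 HTTP/1.1" '
    '200 3000 "https://sso.example.com/app/home" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, where, ip, name in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name} in {where} from {ip}")
```

Run against real logs, each finding is a token that has already been written to disk and possibly shipped to a log aggregator, so the useful response is to rotate the affected sessions and move token delivery out of the URL, not merely to scrub the log.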
Ahmed outlined a basic road map of how one accesses an OAM server and obtains the Super Cookie via a GET request.
An authorized user queries the OAM server; the server recognizes that the request is for data requiring authentication and directs the user to a login page. The OAM server then sets an OAMREQ cookie recording that this endpoint is seeking data located at a specific website. Next, the login credentials are submitted and validated by the OAM server, at which point the Super Cookie is sent via a GET request, giving the user access. After submitting their credentials the user also receives an open redirect, which is what makes the system exploitable.
With these operations completed, the user's computer is now vulnerable to an attacker.
"Since we can control where the user has to go and since we also can read the cookie value that is coming from the user we can hijack his session. All we have to do is entice the victim to click on the link that we provide him and log in; since he's logging in on the real login portal we are not raising any suspicion. If the user is already logged in we will get his cookie without a problem and the victim won't notice a thing," Ahmed wrote.
This is accomplished through a phishing email that prods the victim into clicking a link. The person is redirected to the genuine login page, asked to submit their credentials, and then redirected again to the attacker's malicious domain, where the user's cookie is stolen. The attacker then uses this cookie to log into the system.
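The fix Oracle pointed the researchers to, defining SSODomains, amounts to refusing to send a freshly authenticated user anywhere outside an allow-list of domains. The validator below, added here as an illustration and not Oracle's code or OAM's actual configuration, shows what such a check has to handle: the allow-list domains, the `return_url` parameter name and the sample targets are all constructed assumptions. It goes a little beyond the article's single case by also rejecting the scheme-relative, backslash and userinfo forms of URL that browsers and server-side parsers interpret differently.

```python
"""Validate a post-login redirect target against an SSO domain allow-list.

Added illustration for the open-redirect step described above; not Oracle's
code and not OAM's real configuration. Domains and parameter names are
constructed assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list standing in for the SSODomains an administrator
# would define: only hosts under these domains may receive the user after login.
ALLOWED_SSO_DOMAINS = ("sso.example.com", "apps.example.com")

# Where to send the user when the requested target cannot be trusted.
DEFAULT_LANDING = "/"


def host_is_allowed(host: str, allowed=ALLOWED_SSO_DOMAINS) -> bool:
    """True if `host` equals an allowed domain or is a subdomain of one.

    The comparison is anchored on a dot boundary so that
    'fakeapps.example.com' does not match 'apps.example.com'."""
    host = host.lower().rstrip(".")
    for domain in allowed:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def safe_redirect_target(target: Optional[str], allowed=ALLOWED_SSO_DOMAINS) -> str:
    """Return `target` if it is safe to follow after login, else DEFAULT_LANDING.

    `target` is the value of the (assumed) `return_url` request parameter."""
    if not target:
        return DEFAULT_LANDING
    # CR, LF and other control characters enable header injection and
    # parser confusion; never pass them through.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return DEFAULT_LANDING
    # Browsers treat "\" like "/", so "/\evil", "\\evil" and "//evil" are all
    # scheme-relative URLs that leave the site.  Reject them outright.
    if target.startswith(("//", "/\\", "\\")):
        return DEFAULT_LANDING
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Same-origin relative path such as "/portal/home?x=1".
        return target if target.startswith("/") else DEFAULT_LANDING
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_LANDING          # javascript:, data:, etc.
    if not parts.netloc:
        return DEFAULT_LANDING          # "https:evil.example" style malformed URL
    # Userinfo ("user@host") and backslashes in the authority make host
    # extraction ambiguous between libraries and browsers; refuse rather than guess.
    if "@" in parts.netloc or "\\" in parts.netloc:
        return DEFAULT_LANDING
    host = parts.hostname or ""
    return target if host_is_allowed(host, allowed) else DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed targets of the kind a phishing link might carry.
    for candidate in ("/portal/home", "https://apps.example.com/start",
                      "https://evil.example/", "//evil.example/",
                      "https://apps.example.com.evil.example/"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The design choice worth noting is that every doubtful case falls back to a fixed landing page instead of an error: the legitimate user still ends up logged in, while a crafted link loses the one thing it needed, control over where the browser goes next.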