Oracle MICROS POS breached again

The insecurity of POS systems is nothing new, and breaches of point-of-sale payment terminals have already been widely covered in the media. Given that such a device handles personal information, orders and card details, it is no surprise that it is a favourite target of attackers. What matters here is that Oracle MICROS was breached in 2016, and attackers have since shown growing interest in POS systems.

Oracle MICROS POS vulnerability

As specialists in the security of business applications and fraud-prone critical systems, our aim is to identify vulnerabilities before attackers exploit them. In September 2017, security researcher Dmitry Chastuhin (aka @_chipik) from our security team found an Oracle MICROS POS vulnerability (CVE-2018-2636). It was fixed in Oracle's Critical Patch Update (CPU) of January 2018.

According to the Oracle CPU, CVE-2018-2636 received a CVSS v3 score of 8.1. This means the issue is serious and should be patched as a priority; otherwise an attacker is able to read any file and obtain information about various services from a vulnerable MICROS workstation without authentication.

A number of MICROS POS systems exposed to the Internet

CVE-2018-2636 is a directory traversal vulnerability in the Oracle MICROS EGateway Application Service. If an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation, including service logs, and read files such as SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords for connecting to the DB, information about ServiceHost, and so on.

So the attacker can snatch DB usernames and password hashes, brute-force them and gain full access to the DB with all of the business data. There are several ways to exploit the issue, each leading to compromise of the whole MICROS system.

Even if you believe that gaining access to a POS URL is not so simple, bear in mind that hackers can find digital scales or other devices that use RJ45, connect a Raspberry Pi to them, and scan the internal network. That is where they easily discover a POS system. Remember this the next time you pop into a store.

Furthermore, this URL can be searched for on the Internet: Shodan shows at least 170 such systems available online.

Digital scales with freely accessible RJ45 ports

Exploitation

An example of a vulnerable URL on the test MICROS server

The picture above shows an example of a vulnerable URL on our test MICROS server. This URL is subject to CVE-2018-2636. After a malicious request is sent, for example a request to read the ServiceHost.xml file, the vulnerable MICROS server returns a special response containing the ServiceHost.xml contents.

Response of the vulnerable MICROS server opened in a text editor

Although this vulnerability was closed only recently, it can still be found in a lot of MICROS POS systems. You can therefore use our script to make sure that your environment has no such vulnerabilities.
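Besides checking the servers themselves, defenders can look for traversal attempts against the EGateway service in web access logs. The following Python detector is an added example and not ERPScan's script: it decodes percent-encoding (including double encoding), flags `../` sequences and requests for the configuration files named above, and records whether the server answered 200. The `/EGateway/?file=` path and the log format are assumptions used for the constructed sample lines; the real vulnerable URL is not reproduced here.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical format: ip method path status).
SAMPLE_LOG = """\
10.0.0.5 GET /EGateway/ 200
10.0.0.7 GET /EGateway/?file=..%2F..%2F..%2FSimphonyInstall.xml 200
10.0.0.7 GET /EGateway/?file=....//....//ServiceHost.xml 200
10.0.0.9 GET /EGateway/?file=..%252F..%252FDbconfix.xml 404
10.0.0.11 GET /status 200
"""

# Configuration files the post names as readable through CVE-2018-2636.
SENSITIVE_FILES = {"simphonyinstall.xml", "dbconfix.xml", "servicehost.xml"}
TRAVERSAL = re.compile(r"\.\.[/\\]")


def normalize(path: str) -> str:
    """Percent-decode until stable (defeats double encoding), then lowercase."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks benign."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ip, _method, raw_path, status = parts
    path = normalize(raw_path)
    traversal = bool(TRAVERSAL.search(path))
    sensitive = any(name in path for name in SENSITIVE_FILES)
    if not (traversal or sensitive):
        return None
    return {"ip": ip, "path": raw_path, "traversal": traversal,
            "sensitive_file": sensitive, "egateway": "/egateway" in path,
            "succeeded": status == "200"}


def scan(log_text: str) -> list:
    """Scan a whole log and return all findings in order."""
    return [hit for line in log_text.splitlines() if (hit := classify(line))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with both `traversal` and `succeeded` set is the one to investigate first, since a 200 response suggests the file was actually served.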

Protection

If you want to secure your system against cyberattacks, you have to consistently apply all security patches provided by your vendor. In this case, refer to the Oracle CPU of January 2018.

However, this news should definitely not be seen as the light at the end of the tunnel, as there may be other vulnerabilities in POS systems that are yet to be disclosed. Several examples of POS attacks confirm this.

Last November, representatives of the Forever 21 store chain confirmed a breach of their point-of-sale system that resulted in a leak of credit card data. The volume of the leak remained undisclosed.

Point-of-sale terminals are something the average person deals with regularly in everyday life. That makes this area especially important and calls for extra attention and the necessary security measures.

Find out more about it in our whitepaper “GET TO THE MONEY: HACKING POS AND POP SYSTEMS” that covers recent POS vulnerabilities in the systems of another vendor – SAP.

This is a Security Bloggers Network syndicated blog post authored by Research Team. Read the original post at: Blog – ERPScan