Anatomy of a Responsible Disclosure Zero Day Vulnerability in Oracle BI Publisher by Vishal Karlo
Transcript of Anatomy of a Responsible Disclosure Zero Day Vulnerability in Oracle BI Publisher by Vishal Karlo
Slide 1
Anatomy of Responsible Disclosure
Zero Day Vulnerability in Oracle BI Publisher
Vishal Kalro
Slide 2
Agenda
Myth & Reality of Zero Day
Oracle BI Publisher and the Zero Day Exploit
Responsible Disclosure
The Saga Continues
Q & A
Slide 3
Zero Day Vulnerability
Slide 4
Zero days are increasingly being used as an arsenal for cyber warfare.
Myth & Reality of Zero Day
Always existed
Known when exploited
No alien science
Affects corporates and end users alike
Slide 5
Oracle BI Publisher
Slide 6
Oracle BI Publisher - Architecture
Input (I/P) sources: Oracle / SQL Server; PeopleSoft, Siebel; Java, C++; SAP; Web Services
Templates: 1. MS Office 2. PDF 3. XML
Oracle BI Publisher (with Repository)
Output (O/P) formats: PDF, RTF, HTML, Excel, XMLA
Destinations: Email, Printer, Fax
Slide 7
Exploit Scenario
Actors: Oracle BI Publisher, Administrator, Attacker
1. Admin is authenticated to the application (Oracle BI Publisher).
2. Attacker sends an email with a malicious link.
3. Admin opens the mail and clicks on the malicious link.
4. Malicious users are created; reports are sent to the attacker.
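The four steps on this slide have the shape of a cross-site request forgery: an authenticated admin's browser is made to issue a state-changing request (user creation) from an attacker-supplied link. The slides do not name the bug class, so that reading is an assumption. The Python below is an added example, not code from the talk or from Oracle BI Publisher, of the server-side checks a defender would want on a user-creation endpoint so that step 3 can no longer lead to step 4; APP_ORIGIN, the request shape, the attacker origin and the user names are all constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the administrative UI (constructed value, not from the talk).
APP_ORIGIN = "https://bip.example.internal"


@dataclass
class Session:
    user: str
    # One unguessable anti-CSRF token per session, rendered into the admin's own
    # pages and required on every state-changing request.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class UserAdmin:
    """Toy stand-in for a user-management endpoint with CSRF protection."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.users: set[str] = set()
        self.audit: list[str] = []

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def csrf_token_for(self, sid: str) -> str:
        return self.sessions[sid].csrf_token

    def create_user(self, request: dict) -> tuple[int, str]:
        """request = {"method", "cookies", "headers", "form"}; returns (status, message)."""
        sess = self.sessions.get(request.get("cookies", {}).get("sid", ""))
        if sess is None:
            return 401, "no authenticated session"
        # 1. A state change must never be reachable through a plain link (GET).
        if request["method"] != "POST":
            self.audit.append(f"rejected GET user-creation for {sess.user}")
            return 405, "state change requires POST"
        headers = request.get("headers", {})
        # 2. If the browser sent an Origin header, it must be our own UI.
        origin = headers.get("Origin")
        if origin is not None and origin != APP_ORIGIN:
            self.audit.append(f"rejected cross-origin POST from {origin}")
            return 403, "cross-origin request rejected"
        # 3. The form must carry the session's token. An attacker's page can make
        #    the browser attach the session cookie, but it cannot read the token.
        token = request.get("form", {}).get("csrf_token", "")
        if not hmac.compare_digest(token, sess.csrf_token):
            self.audit.append(f"rejected POST without valid token for {sess.user}")
            return 403, "missing or invalid CSRF token"
        name = request["form"]["username"]
        self.users.add(name)
        self.audit.append(f"{sess.user} created user {name}")
        return 201, f"user {name} created"


def run_scenario() -> dict:
    """Replays the slide's steps against the protected endpoint (constructed inputs)."""
    app = UserAdmin()
    sid = app.login("admin")           # step 1: admin is authenticated
    cookie = {"sid": sid}              # the browser attaches this automatically

    # Step 3 as a plain link in a mail: the browser issues a GET carrying the cookie.
    forged_link = app.create_user({"method": "GET", "cookies": cookie,
                                   "headers": {}, "form": {"username": "backdoor"}})
    # Step 3 as an auto-submitting form on an attacker-controlled page (constructed origin).
    forged_post = app.create_user({"method": "POST", "cookies": cookie,
                                   "headers": {"Origin": "https://attacker.example"},
                                   "form": {"username": "backdoor"}})
    # The same forgery from a client that omits Origin: the token check still catches it.
    forged_no_origin = app.create_user({"method": "POST", "cookies": cookie,
                                        "headers": {}, "form": {"username": "backdoor"}})
    # The admin's own UI: POST from our origin carrying the session's token.
    legit = app.create_user({"method": "POST", "cookies": cookie,
                             "headers": {"Origin": APP_ORIGIN},
                             "form": {"username": "analyst2",
                                      "csrf_token": app.csrf_token_for(sid)}})
    return {"forged_link": forged_link, "forged_post": forged_post,
            "forged_no_origin": forged_no_origin, "legit": legit,
            "users": sorted(app.users), "audit": app.audit}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The three checks are layered on purpose: the method check removes the "just a link" vector, the Origin check stops cross-site form posts from modern browsers, and the per-session token is the check that holds even when a client sends no Origin header. The audit entries are what a detection engineer would forward to the SIEM, since a burst of rejected cross-origin user-creation attempts against an admin session is exactly the signal this scenario produces.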
Slide 8
Responsible Disclosure
Slide 9
Lifecycle of Responsible Disclosure
Research: continuous research on security flaws and vulnerabilities.
Communication: vendor and product companies have well-established communication and response mechanisms (secured channels, 24x7 accessibility); the zero-day vulnerability is communicated over these secured channels.
Vendor Response: the vendor's response teams do a preliminary analysis to confirm the bug and communicate back to the researcher.
Patch Release: the vendor develops the patch; patches are developed and released based on the severity of the vulnerability.
Public Disclosure: details of the flaw are published on blogs, info-sec sites, vendor sites, etc.
Slide 10
The Saga continues
Slide 11
News Bits on Zero Day
Operation Aurora (2009)
Stuxnet (2010)
RSA Attack (2011)
JRE & IE (2012)
And so on…
Slide 12
Questions?