Friday, January 22, 2016

Backdoor in Hyperion CSSAPI or how to change Administrator password

Some words about security in CSSAPI

The Shared Services API lets you work with the user and group directory and change security settings. Simply look at CSSDirectoryManagementAPIIF: it has plenty of functions you can use for integration projects and security administration.
You may ask: what do I need to get access to CSSDirectoryManagementAPIIF?
Answer: nothing special.


// Everything needed to reach the directory management API (types come from css.jar):
Map<String, Object> context = new HashMap<>();
CSSSystem system = CSSSystem.getInstance();
CSSAPIIF cssApi = system.getCSSAPI();
CSSDirectoryManagementAPIIF cssDirectory = cssApi.getDirectoryManagementAPI(context);

That is all; no authentication is required.
But... if we compare versions 9.3 and 9.5 of CSSAPI, all methods in the 9.5 API require a new parameter, CSSPrincipalIF, which identifies the user requesting the information and cannot be null.
For example:

getUsers(java.util.Map context, CSSPrincipalIF principal, java.lang.String userName)

The old methods from CSSAPI are deprecated.
Let's try to get admin access without identifying ourselves. The old functions are deprecated, but we can still call them.
The deprecated method returns the user by login. At the end we simply need to check the array length and set a new password:


// userArr is the result of the deprecated lookup by login; exactly one match means we found the account
if (userArr.length == 1)
    cssDirectory.setPassword(context, userArr[0].getPrincipal(),
        userArr[0].getPrincipal().getIdentity(), "newpassword");


As you can see, we use the setPassword method. It requires a non-null CSSPrincipalIF for identification, but we passed the admin user's own principal instead =) and successfully changed the admin password without any authentication!

Summary

Obviously this is a security issue, but it is not easy to exploit, because you need the reg.properties file with the database connection configuration, and Hyperion EPM is a system for private networks, so external security is not the developers' first priority.


P.S. I tested these methods on Hyperion EPM 11.1.2.3.+ and 11.1.2.4.


Saturday, January 2, 2016

Using Hyperion CSSAPI from remote desktop (EPM 11.1.2.3.x-11.1.2.4.x )

Introduction

CSSAPI is a very interesting tool for me because I'm a Java developer, and the possibility of using a Java library allows me to create more flexible integration solutions. In my last project I had to create an extension for Hyperion Planning which uses integrated security with Shared Services. I had used CSSAPI in previous projects, but only its authentication module, so I could easily debug and test it using mock libraries and then deploy it on the HSS server. Now I have to maintain users and groups, so I need direct access to Hyperion Shared Services from my desktop, where my IDE is installed.

Solution

I have read many posts about connecting to HSS through CSSAPI, but some of them were out of date (they used an older version of CSSAPI) and others didn't contain the full dependency list for CSSAPI.

What do you need at desktop?

1. Required jars
All documents and posts advise adding epm_j2se.jar and css.jar to the CLASSPATH and everything will be fine. I collected all library dependencies of epm_j2se.jar and got approximately 200 jar files, which is not good, so I removed all unused jars and arrived at a minimal library list for CSSAPI.
These jars from Hyperion EPM are the required minimum to avoid java.lang.ClassNotFoundException:
Some libraries may have other versions...




2. Environment
CSSAPI needs the EPM_ORACLE_HOME and EPM_ORACLE_INSTANCE environment variables, for example:
EPM_ORACLE_HOME=c:\Oracle\Middleware\EPMSystem11R
EPM_ORACLE_INSTANCE=c:\Oracle\Middleware\user_projects\epmsystem1
Without these variables you will get an exception.

3. Configuration file
(for EPM 11.1.2.3.x) Copy the configuration file from the EPM server to the desktop at the specified location:
%EPM_ORACLE_INSTANCE%\..\config\foundation\11.1.2.0\reg.properties
This file contains the configuration for the JDBC connection to the EPM Registry.
It is possible to get the configuration file from the URL /interop/framework/getCSSConfigFile, but
only with previous versions of CSS.jar.
This method is deprecated in CSS.jar 11.1.2.3.500.




Therefore the configuration file is required.

Try №1

Let's try to execute simple code which gets an instance of CSSSystem:

import java.io.File;
import java.util.HashMap;
import java.util.Map;
import com.hyperion.css.CSSException;   // from css.jar
import com.hyperion.css.CSSSystem;      // from css.jar

public class CssTest {
    private static CSSSystem cssSystem = null;
    private static Map<String, Object> localContext = new HashMap<>(2);

    public static void main(String[] args) {
        // Join the path with File so the "../logs" part works whether or not
        // EPM_ORACLE_HOME ends with a separator.
        String logDir = new File(System.getenv("EPM_ORACLE_HOME"), "../logs").getPath();
        try {
            cssSystem = CSSSystem.getInstance(localContext, logDir);
        } catch (CSSException e) {
            e.printStackTrace();
        }
    }
}
After running it I got an error:
 EPMCSS-00001: Failed to initialize EPM Shared Services security instance. Component SYSTEM9/FOUNDATION_SERVICES_PRODUCT/SHARED_SERVICES_PRODUCT is null in EPM System Registry. Verify EPM System Registry configuration.

This means that CSSAPI can't get data from the Shared Services DB, usually because of a wrong database connection configuration in reg.properties (user credentials or server name). But after debugging I excluded this reason and could not determine the origin of the error.
At last I found it...

Try №2

The reason was the SQL JDBC driver, which Hyperion EPM uses from version 11.1.2.3 onward.
It is a weblogic.jdbc driver (in my case weblogic.jdbc.sqlserver.SQLServerDriver).
These drivers have a limitation and can't be used on a remote desktop...


Therefore I reconfigured reg.properties to use the standard JDBC driver:
jdbc.url = jdbc\:sqlserver\://SERVER:PORT  (and the other connection properties)
jdbc.driver = com.microsoft.sqlserver.jdbc.SQLServerDriver
and executed my sample code:

import java.io.File;
import java.util.HashMap;
import java.util.Map;
import com.hyperion.css.CSSException;   // from css.jar
import com.hyperion.css.CSSSystem;      // from css.jar

public class CssTest {
    private static CSSSystem cssSystem = null;
    private static Map<String, Object> localContext = new HashMap<>(2);

    public static void main(String[] args) {
        String logDir = new File(System.getenv("EPM_ORACLE_HOME"), "../logs").getPath();
        try {
            cssSystem = CSSSystem.getInstance(localContext, logDir);
        } catch (CSSException e) {
            e.printStackTrace();
        }
    }
}

Everything worked fine, no errors, and I continued developing my project.
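The three setup steps and the two tries above boil down to a few preconditions that fail silently behind EPMCSS-00001. The following pre-flight check is an added example, not code from the post or from Oracle: it verifies the two environment variables, locates reg.properties in the 11.1.2.3.x layout shown above and flags a weblogic.jdbc driver before CSSSystem.getInstance is ever called. It assumes only the jdbc.url and jdbc.driver keys quoted in the post; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Pre-flight check for running CSSAPI from a developer desktop (hypothetical helper, not part of CSSAPI).
// Returns an empty list when every precondition from the post is satisfied.
public class CssPreflight {
    public static List<String> check() {
        List<String> problems = new ArrayList<>();
        String home = System.getenv("EPM_ORACLE_HOME");
        String instance = System.getenv("EPM_ORACLE_INSTANCE");
        if (home == null || home.isEmpty()) problems.add("EPM_ORACLE_HOME is not set");
        if (instance == null || instance.isEmpty()) {
            problems.add("EPM_ORACLE_INSTANCE is not set");
            return problems;                     // the reg.properties location depends on it
        }
        // %EPM_ORACLE_INSTANCE%\..\config\foundation\11.1.2.0\reg.properties (EPM 11.1.2.3.x layout)
        Path regFile = Paths.get(instance, "..", "config", "foundation", "11.1.2.0", "reg.properties").normalize();
        Properties reg = new Properties();
        try (FileInputStream in = new FileInputStream(regFile.toFile())) {
            reg.load(in);                        // Properties.load unescapes "jdbc\:sqlserver\://..."
        } catch (IOException e) {
            problems.add("cannot read " + regFile + ": " + e.getMessage());
            return problems;
        }
        String driver = reg.getProperty("jdbc.driver", "").trim();
        if (driver.isEmpty()) {
            problems.add("jdbc.driver is missing from reg.properties");
        } else if (driver.startsWith("weblogic.jdbc.")) {
            // The WebLogic-bundled driver cannot be used outside the server; switch to the vendor driver.
            problems.add("jdbc.driver=" + driver + " is a WebLogic driver; use e.g. com.microsoft.sqlserver.jdbc.SQLServerDriver");
        } else {
            try { Class.forName(driver); }       // the vendor driver jar must be on the CLASSPATH
            catch (ClassNotFoundException e) { problems.add("jdbc.driver " + driver + " is not on the CLASSPATH"); }
        }
        if (!reg.getProperty("jdbc.url", "").trim().startsWith("jdbc:")) {
            problems.add("jdbc.url is missing or malformed");
        }
        return problems;
    }

    public static void main(String[] args) {
        List<String> problems = check();
        if (problems.isEmpty()) System.out.println("CSSAPI prerequisites look OK");
        problems.forEach(p -> System.out.println("PROBLEM: " + p));
    }
}
```

Run it from the same CLASSPATH you intend to use for the CSSAPI project, since the Class.forName check is only meaningful there. Because the copied reg.properties carries the EPM Registry database credentials, keep it out of shared folders and source control.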

P.S.

I'm going to devote some of the next posts to CSSAPI (authentication and maintaining users and groups).