Accounting hacking – arch bugs in MS Dynamics GP. Alexey Tyurin, Director of consulting department in ERPScan.

Presentation Transcript


  1. Accounting hacking – arch bugs in MS Dynamics GP. Alexey Tyurin, Director of consulting department in ERPScan

  2. Alexey Tyurin. Director of consulting in ERPScan. XML/WEB/Win/Network security fun. Hacked a lot of online banking systems. Co-Organizer of Defcon Russia Group. Editor of the “EasyHack” column for the “Xakep” magazine. @antyurin. erpscan.com ERPScan — invest in security to secure investments

  3.–7. MS

  8. What is it? Microsoft Dynamics GP is ERP or accounting software. Many implementations: about 430000 companies. Img from http://www.calszone.com

  9. Architecture. Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf

  10. Features. Fat client. Web is only for info and reporting. Dexterity language. The security depends on the security of SQL Server. Microsoft Dynamics GP does not integrate with Active Directory.

  11. Security. Role model: Security Tasks, Security Roles, Users. Features: sa, DYNSA, DYNGRP, System password, SQL users.

  12. inSecurity. All the security of Dynamics relies on the visual restrictions of the fat client. In fact, all users have the rights to the companies’ databases and to DYNAMICS. The only obstruction: impossible to connect to the SQL server directly (encryption + encryption). How to bypass it?

  13. inSecurity. Reverse engineering to understand the password “encryption” algorithm. A MitM attack on ourselves: MS SQL server does not encrypt the process of authentication if a few bytes are replaced upon connection!* (* The method itself is described and implemented in a Metasploit Framework module that works like a charm: http://f0rki.at/microsoft-sql-server-downgrade-attack.html) (** It is a feature, not a bug, and Microsoft is not going to correct it.)

  14. What’s next? Full access to the company’s information in the database. For example, privilege escalation. But a research called “Cash is King” describes subtler methods: http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper. Attack on OS: for example, if the SQL server is launched under a privileged user account, we can initiate a connection to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a bruteforce attack. If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can conduct an SMB Relay attack on the same server (MS08-068 will not work here). The result will be a shell on the cluster :)
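The two slides above rest on three server-side conditions: TDS sessions that can be downgraded to cleartext authentication (slide 13), the “public” role holding EXECUTE on xp_dirtree (slide 14), and the engine running under a privileged service account (slide 14). The following T-SQL is an added defender's audit, not code from the presentation or from ERPScan. It assumes SQL Server 2008 R2 SP1 or later (for sys.dm_server_services) and sysadmin rights on the instance hosting the DYNAMICS and company databases; every view and procedure name is a standard catalog object.

```sql
-- Added defensive audit (not from the slides). Run as sysadmin on the
-- SQL Server instance behind Dynamics GP.
-- Assumption: SQL Server 2008 R2 SP1 or later, GP logins are SQL logins.
USE master;
GO

-- 1. Sessions that are not encrypted. A downgraded TDS connection shows
--    encrypt_option = 'FALSE'; with "Force Encryption" turned on in
--    SQL Server Configuration Manager every row should read 'TRUE'.
SELECT c.session_id,
       c.encrypt_option,
       c.auth_scheme,
       c.client_net_address,
       s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE';

-- 2. Extended procedures the "public" role may execute. xp_dirtree and
--    its siblings let any login make the service account touch a UNC
--    path, which is the outbound connection slide 14 relies on.
SELECT o.name  AS procedure_name,
       pr.name AS grantee,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN sys.all_objects          AS o  ON o.object_id     = dp.major_id
WHERE pr.name = 'public'
  AND o.type  = 'X'                      -- extended stored procedure
  AND o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_subdirs');

-- 3. Account the engine runs under. A local Administrator or a
--    domain-privileged account makes a captured NetNTLM hash (or a relay)
--    far more valuable; a low-privileged or virtual service account
--    limits what that hash is worth.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- Hardening: drop the public grants so only sysadmin (or logins granted
-- explicitly) can call these procedures. Re-run query 2 to confirm.
REVOKE EXECUTE ON sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON sys.xp_fileexist FROM public;
REVOKE EXECUTE ON sys.xp_subdirs   FROM public;
GO
```

Query 1 is the one to schedule: a GP client that should be encrypting but shows `encrypt_option = 'FALSE'` is exactly the symptom of the downgrade described on slide 13, so the result set doubles as a detection signal. The revokes at the end do not affect Dynamics GP itself, which does not call these procedures as “public”, but test them on a non-production instance first as with any permission change.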

  15. DEMO

  16. Greetz to our crew who helped
