Alexey Tyurin - Accounting hacking — arch bugs in MS Dynamics GP

  1. Invest in security to secure investments. Accounting hacking – arch bugs in MS Dynamics GP. Alexey Tyurin, Director of consulting department in ERPScan
  2. Alexey Tyurin
      • Director of consulting in ERPScan
      • XML/WEB/Win/Network security fun
      • Hacked a lot of online banking systems
      • Co-Organizer of Defcon Russia Group
      • Editor of “EasyHack” column for the “Xakep” magazine
      @antyurin, erpscan.com. ERPScan — invest in security to secure investments
  3. MS
  4. MS
  5. MS
  6. MS
  7. MS
  8. What is it?
      • Microsoft Dynamics GP is ERP or accounting software
      • Many implementations: about 430000 companies
      Img from http://www.calszone.com
  9. Architecture
      Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf
  10. Features
      • Fat client
      • Web is only for info and reporting
      • Dexterity language
      • The security depends on the security of SQL Server
      • Microsoft Dynamics GP does not integrate with Active Directory
  11. Security
      Role model:
      • Security Tasks
      • Security Roles
      • Users
      Features:
      • sa
      • DYNSA
      • DYNGRP
      • System password
      • SQL users
  12. inSecurity
      • All the security of Dynamics relies on the visual restrictions of the fat client
      • In fact, all users have the rights to the companies’ databases and to DYNAMICS
      • The only obstruction: it is impossible to connect to the SQL server directly (encryption + encryption). How to bypass it?
  13. inSecurity
      • Reverse engineering to understand the password “encryption” algorithm
      • A MitM attack on ourselves
      MS SQL server does not encrypt the process of authentication if a few bytes are replaced upon connection!
      * The method itself is described and implemented in a Metasploit Framework module that works like a charm: http://f0rki.at/microsoft-sql-server-downgrade-attack.html
      ** It is a feature, not a bug, and Microsoft is not going to correct it
  14. What’s next?
      • Full access to the company’s information in the database
        For example, privilege escalation. But a research paper called “Cash is King” describes subtler methods: http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper
      • Attack on OS
        For example, if the SQL server is launched under a privileged user account, we can initiate a connection to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a bruteforce attack. If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can conduct an SMB Relay attack on the same server (MS08-068 will not work here). The result will be a shell on the cluster :)
  15. DEMO
  16. Greetz to our crew who helped
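
Slide 13 hinges on a few bytes being replaced at connection time. The Python below is an added example (not from the slides or from ERPScan) that reads the one-byte ENCRYPTION option from captured TDS PRELOGIN packets and flags ENCRYPT_NOT_SUP, the value under which the login packet is not wrapped in TLS. It assumes those bytes are the PRELOGIN ENCRYPTION option; option values follow the MS-TDS specification, and `build_prelogin` with its packets is constructed sample data.

```python
import struct

# PRELOGIN ENCRYPTION option values, from the MS-TDS specification.
ENCRYPT = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
           0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}
TDS_PRELOGIN, TDS_RESPONSE = 0x12, 0x04      # TDS packet types
TOKEN_ENCRYPTION, TOKEN_TERMINATOR = 0x01, 0xFF


def prelogin_encryption(packet: bytes) -> str:
    """Return the ENCRYPTION option name carried in one PRELOGIN packet."""
    if len(packet) < 8 or packet[0] not in (TDS_PRELOGIN, TDS_RESPONSE):
        raise ValueError("not a TDS PRELOGIN packet or its response")
    payload = packet[8:]                     # skip the 8-byte TDS header
    pos = 0
    # Option table: 1-byte token, 2-byte offset, 2-byte length (big-endian).
    while pos < len(payload) and payload[pos] != TOKEN_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        token, offset, length = struct.unpack_from(">BHH", payload, pos)
        if token == TOKEN_ENCRYPTION:
            if length != 1 or offset >= len(payload):
                raise ValueError("malformed ENCRYPTION option")
            return ENCRYPT.get(payload[offset], "UNKNOWN")
        pos += 5
    raise ValueError("ENCRYPTION option missing")


def downgrade_suspected(client_pkt: bytes, server_pkt: bytes) -> bool:
    """True when either side advertises ENCRYPT_NOT_SUP, the state in which
    the LOGIN7 packet would travel without TLS protection."""
    seen = {prelogin_encryption(client_pkt), prelogin_encryption(server_pkt)}
    return "ENCRYPT_NOT_SUP" in seen


def build_prelogin(pkt_type: int, enc: int) -> bytes:
    """Constructed sample packet with VERSION and ENCRYPTION options only."""
    table = bytes([0x00, 0, 11, 0, 6,        # VERSION: offset 11, length 6
                   0x01, 0, 17, 0, 1,        # ENCRYPTION: offset 17, length 1
                   0xFF])                    # terminator
    payload = table + bytes([11, 0, 0x0C, 0x38, 0, 0]) + bytes([enc])
    header = struct.pack(">BBHHBB", pkt_type, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload
```

A driver built without TLS support sends the same value, so a hit is a lead to check against the known client inventory rather than proof of interception.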