Alexey Tyurin - Accounting hacking — arch bugs in MS Dynamics GP

  1. Invest in security to secure investments
     Accounting hacking – arch bugs in MS Dynamics GP
     Alexey Tyurin, Director of consulting department in ERPScan
  2. Alexey Tyurin
     • Director of consulting in ERPScan
     • XML/WEB/Win/Network security fun
     • Hacked a lot of online banking systems
     • Co-Organizer of Defcon Russia Group
     • Editor of “EasyHack” column for the “Xakep” magazine
     @antyurin
     erpscan.com ERPScan — invest in security to secure investments 2
  8. What is it?
     • Microsoft Dynamics GP is ERP or accounting software
     • Many implementations: about 430000 companies
     Img from http://www.calszone.com
  9. Architecture
     Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf
  10. Features
      • Fat client
      • Web is only for info and reporting
      • Dexterity language
      • The security depends on the security of SQL Server
      • Microsoft Dynamics GP does not integrate with Active Directory
  11. Security
      Role model:
      • Security Tasks
      • Security Roles
      • Users
      Features:
      • sa
      • DYNSA
      • DYNGRP
      • System password
      • SQL users
  12. inSecurity
      • All the security of Dynamics relies on the visual restrictions of the fat client
      • In fact, all users have the rights to the companies’ databases and to DYNAMICS
      • The only obstruction: impossible to connect to the SQL server directly (encryption + encryption). How to bypass it?
  13. inSecurity
      • Reverse engineering to understand the password “encryption” algorithm
      • A MitM attack on ourselves: MS SQL server does not encrypt the authentication process if a few bytes are replaced upon connection!
      * The method itself is described and implemented in a Metasploit Framework module that works like a charm: http://f0rki.at/microsoft-sql-server-downgrade-attack.html
      ** It is a feature, not a bug, and Microsoft is not going to correct it
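The "few bytes" on the slide are the ENCRYPTION option in the TDS PRELOGIN exchange: a client that asks for ENCRYPT_OFF can be rewritten in transit to ENCRYPT_NOT_SUP unless the server insists on ENCRYPT_REQ, which is what SQL Server's "Force Encryption" setting produces. The following is an added Python example (not from the talk or from ERPScan) an administrator can run against their own SQL Server to confirm that the setting is on; the same parser also flags a captured PRELOGIN whose ENCRYPTION byte has been changed to ENCRYPT_NOT_SUP. Host, port, the client version value and the packet sample in the usage are assumptions.

```python
import socket
import struct

# TDS PRELOGIN option tokens and ENCRYPTION values (MS-TDS, PRELOGIN message)
TOKEN_VERSION, TOKEN_ENCRYPTION, TOKEN_INSTOPT, TOKEN_THREADID, TOKEN_TERMINATOR = 0x00, 0x01, 0x02, 0x03, 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
ENCRYPT_NAMES = {ENCRYPT_OFF: "ENCRYPT_OFF", ENCRYPT_ON: "ENCRYPT_ON",
                 ENCRYPT_NOT_SUP: "ENCRYPT_NOT_SUP", ENCRYPT_REQ: "ENCRYPT_REQ"}


def build_prelogin(encryption=ENCRYPT_OFF):
    """Build a TDS PRELOGIN packet (type 0x12) with VERSION, ENCRYPTION, INSTOPT and THREADID options."""
    options = [
        (TOKEN_VERSION, struct.pack(">IH", 0x09000000, 0)),  # constructed client version
        (TOKEN_ENCRYPTION, bytes([encryption])),
        (TOKEN_INSTOPT, b"\x00"),                            # default instance
        (TOKEN_THREADID, struct.pack(">I", 0)),
    ]
    offset = len(options) * 5 + 1       # option table (5 bytes each) plus terminator
    tokens, data = b"", b""
    for token, value in options:
        tokens += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    body = tokens + bytes([TOKEN_TERMINATOR]) + data
    # header: type, status (EOM), length, SPID, packet id, window
    return struct.pack(">BBHHBB", 0x12, 0x01, 8 + len(body), 0, 1, 0) + body


def prelogin_encryption(packet):
    """Return the ENCRYPTION option of a PRELOGIN packet (client request or server response), or None."""
    body, pos = packet[8:], 0
    while pos + 5 <= len(body) and body[pos] != TOKEN_TERMINATOR:
        token, offset, length = struct.unpack(">BHH", body[pos:pos + 5])
        if token == TOKEN_ENCRYPTION and length == 1 and offset < len(body):
            return body[offset]
        pos += 5
    return None


def server_forces_encryption(response):
    """True only if the server answered ENCRYPT_REQ (Force Encryption on); anything else can be downgraded."""
    return prelogin_encryption(response) == ENCRYPT_REQ


def check_server(host, port=1433, timeout=5):
    """Send a plain client PRELOGIN (ENCRYPT_OFF) and report the server's encryption policy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin(ENCRYPT_OFF))
        response = sock.recv(4096)
    value = prelogin_encryption(response)
    return ENCRYPT_NAMES.get(value, "unknown"), server_forces_encryption(response)
```

`check_server("sql.example.internal")` returning anything other than `("ENCRYPT_REQ", True)` means the login exchange to that server can be downgraded by an on-path attacker; `prelogin_encryption()` applied to a client PRELOGIN seen on the wire that yields `ENCRYPT_NOT_SUP` from a client that normally sends `ENCRYPT_OFF` is the signature of that tampering.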
  14. What’s next?
      • Full access to the company’s information in the database. For example, privilege escalation. But research called “Cash is King” describes subtler methods: http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper
      • Attack on OS. For example, if the SQL server is launched under a privileged user account, we can initiate a connection to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a bruteforce attack. If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can conduct an SMB Relay attack on the same server (MS08-068 will not work here). The result will be a shell on the cluster :)
  15. DEMO
  16. Greetz to our crew who helped
