Alexey Tyurin - Accounting hacking — arch bugs in MS Dynamics GP


  1. Invest in security to secure investments
     Accounting hacking – arch bugs in MS Dynamics GP
     Alexey Tyurin, Director of consulting department in ERPScan
  2. Alexey Tyurin
     • Director of consulting in ERPScan
     • XML/WEB/Win/Network security fun
     • Hacked a lot of online banking systems
     • Co-Organizer of Defcon Russia Group
     • Editor of “EasyHack” column for the “Xakep” magazine
     @antyurin, erpscan.com
  3-7. MS
  8. What is it?
     • Microsoft Dynamics GP is ERP or accounting software
     • Many implementations: about 430000 companies
     Img from http://www.calszone.com
  9. Architecture
     Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf
  10. Features
      • Fat client
      • Web is only for info and reporting
      • Dexterity language
      • The security depends on the security of SQL Server
      • Microsoft Dynamics GP does not integrate with Active Directory
  11. Security
      Role model:
      • Security Tasks
      • Security Roles
      • Users
      Features:
      • sa
      • DYNSA
      • DYNGRP
      • System password
      • SQL users
  12. inSecurity
      • All the security of Dynamics relies on the visual restrictions of the fat client
      • In fact, all users have the rights to the companies’ databases and to DYNAMICS
      • The only obstruction: impossible to connect to the SQL server directly (encryption + encryption). How to bypass it?
  13. inSecurity
      • Reverse engineering to understand the password “encryption” algorithm
      • A MitM attack on ourselves
      MS SQL server does not encrypt the process of authentication if a few bytes are replaced upon connection!
      * The method itself is described and implemented in a Metasploit Framework module that works like a charm: http://f0rki.at/microsoft-sql-server-downgrade-attack.html
      ** It is a feature, not a bug, and Microsoft is not going to correct it
  14. What’s next?
      • Full access to the company’s information in the database
        For example, privilege escalation. But a research paper called “Cash is King” describes subtler methods: http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper
      • Attack on OS
        For example, if the SQL server is launched under a privileged user account, we can initiate a connection to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a bruteforce attack.
        If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can conduct an SMB Relay attack on the same server (MS08-068 will not work here). The result will be a shell on the cluster :)
  15. DEMO
  16. Greetz to our crew who helped
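
Slide 13 says SQL Server authentication goes unencrypted once a few bytes of the connection setup are replaced. The following is an added example, not code from the slides or from ERPScan: a detection-side parser that reads the ENCRYPTION option from captured TDS PRELOGIN packets and reports whether the login that follows is protected by TLS. It assumes the MS-TDS PRELOGIN layout and option values; the function names and the sample packets are constructed for illustration.

```python
import struct

# TDS PRELOGIN ENCRYPTION option values (MS-TDS)
ENCRYPTION = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
              0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}
PRELOGIN, RESPONSE = 0x12, 0x04   # TDS packet types: client PRELOGIN, server reply
OPT_ENCRYPTION, OPT_TERMINATOR = 0x01, 0xFF


def prelogin_encryption(packet: bytes) -> str:
    """Return the ENCRYPTION option name carried in one TDS PRELOGIN packet."""
    if len(packet) < 8:
        raise ValueError("shorter than a TDS header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (PRELOGIN, RESPONSE) or length > len(packet):
        raise ValueError("not a complete PRELOGIN message")
    payload = packet[8:length]
    pos = 0
    # Option table: token(1) offset(2) length(2) per entry, ended by 0xFF
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        token, off, size = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_ENCRYPTION:
            if size != 1 or off >= len(payload):
                raise ValueError("malformed ENCRYPTION option")
            return ENCRYPTION.get(payload[off], "UNKNOWN")
        pos += 5
    raise ValueError("no ENCRYPTION option present")


def login_protected(client_pkt: bytes, server_pkt: bytes) -> bool:
    """True if the negotiated values put the login packet inside TLS."""
    values = {prelogin_encryption(client_pkt), prelogin_encryption(server_pkt)}
    # NOT_SUP from either side means no TLS handshake happens at all
    return "ENCRYPT_NOT_SUP" not in values and "UNKNOWN" not in values


def build_prelogin(ptype: int, enc: int) -> bytes:
    """Constructed sample packet holding only VERSION and ENCRYPTION options."""
    table = (struct.pack(">BHH", 0x00, 11, 6) +
             struct.pack(">BHH", OPT_ENCRYPTION, 17, 1) + b"\xff")
    data = table + bytes([11, 0, 0x0C, 0x38, 0, 0]) + bytes([enc])
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(data), 0, 1, 0) + data
```

A sensor can alert when `login_protected` is false for clients that normally negotiate `ENCRYPT_OFF` or `ENCRYPT_ON`. Enabling Force Encryption on the SQL Server instance makes the server answer `ENCRYPT_REQ`, so a client that claims no encryption support is refused instead of logging in unencrypted.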
