Gleb Cherbov - DBO Hacking — arch bugs in BSS

666 views

Published in: Technology

Slides:

  1. Arch bugs in BSS. Gleb Cherbov, Security Researcher, Digital Security (ERPScan)
  2. Banking. © 2002—2013, Digital Security
  3. Internet banking. Client side
  4. How it worx: WEB Server + App Server, DBMS, ABS, Operator (in the operator's environment). The same diagram is built up across slides 4 to 7.
  8. Select a target: WEB Server + App Server, DBMS, ABS, Operator (in the operator's environment). Repeated on slides 8 to 10.
  11. Authentication: oper_login / oper_pass (Operator, in the operator's environment); dbo_admin (DBMS)
  12. Dbo_admin
      • dbo_admin is the only account at DBMS
      • dbo_admin has full access
      • every operator can connect to DBMS directly
      • oper auth on app side
  13. Lookin' for a passwd: dbo_admin password is encrypted and stored in a .cfg file near the app
  14. Quote: "it's impossible to decrypt it" (c) BSS support
  15. Let's take a look: RSA modulus, RSA private exp, unusual base64 alphabet
  16. Let's take a look: Well… looks like base64?
  17. Also… Innovative password storage widely used in BSS products, with the same hardcoded RSA key
  18. Malware: WEB Server + App Server, DBMS, ABS, Operator (in the operator's environment). Get conf file, decrypt dbo_admin pass, wreak havoc.
  19. Attack vector?
      • Insider
      • Targeted attack
      • Malware
  20. Tricky data manipulations
  21. Questions? Digital Security in Moscow: +7 (495) 223-07-86. Digital Security in Saint Petersburg: +7 (812) 703-15-47. www.dsec.ru, www.erpscan.com, info@dsec.ru
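The deck's threat model (slide 12: a single full-access dbo_admin account, with operators authenticated only on the app side; slide 18: a process in the operator's environment takes the .cfg, recovers the dbo_admin password and connects to the DBMS itself) points at one control a bank can apply without waiting for the vendor to change the storage scheme. The shared dbo_admin credential has exactly one legitimate source, the application tier, so any dbo_admin login attempt from an operator workstation is worth an alert, whether or not it succeeded. The following Python is an added example and is not code from the talk or from BSS; the login-audit line format, the application-server addresses and the log lines themselves are constructed for illustration.

```python
"""Flag use of the shared dbo_admin DBMS credential from outside the app tier.

Added example, not from the talk and not BSS code. The key=value audit
format, the host addresses and the sample lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumption: only these application-server addresses legitimately hold
# the dbo_admin password. Constructed values for this example.
APP_SERVERS = {
    ipaddress.ip_address("10.0.1.10"),
    ipaddress.ip_address("10.0.1.11"),
}
SHARED_DB_ACCOUNT = "dbo_admin"

# Constructed DBMS login-audit lines. The layout is an assumption made for
# this example, not any vendor's real audit format.
SAMPLE_LOG = """\
2013-05-14T09:58:02Z login user=dbo_admin src=10.0.1.10 status=OK
2013-05-14T10:02:11Z login user=dbo_admin src=10.0.1.11 status=OK
2013-05-14T10:14:37Z login user=dbo_admin src=10.0.50.23 status=OK
2013-05-14T10:15:40Z login user=dbo_admin src=10.0.50.23 status=FAILED
2013-05-14T10:16:05Z login user=report_ro src=10.0.50.23 status=OK
2013-05-14T10:20:00Z this line is not a login record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\S+)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    status: str


def parse_line(line: str) -> LoginEvent | None:
    """Return a LoginEvent, or None for lines that are not login records
    or carry an unparseable source address."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return LoginEvent(m["ts"], m["user"], src, m["status"])


def detect_shared_account_misuse(log_text: str) -> list[dict]:
    """Alert on every dbo_admin login from a host outside the app tier.

    Failed attempts are alerted as well: an operator workstation should
    never even try to present this credential, so an attempt from there is
    as interesting as a success. Other accounts are ignored here; they are
    covered by the usual per-account monitoring.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.user != SHARED_DB_ACCOUNT:
            continue
        if ev.src in APP_SERVERS:
            continue
        alerts.append({
            "ts": ev.ts,
            "src": str(ev.src),
            "status": ev.status,
            "reason": f"{SHARED_DB_ACCOUNT} presented from outside the application tier",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_account_misuse(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the two events from 10.0.50.23 are reported (one successful login, one failed attempt) while the app-server logins and the unrelated report_ro session are not. The allow-list approach only works if the DBMS actually records the client address of each login, and it does nothing for connections that are proxied through the application server itself; it is a detective control for the slide 18 path, not a replacement for giving each component its own least-privilege account.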