Alexey Tyurin is the director of consulting at ERPScan, a company that focuses on investing in security to secure investments. He discusses accounting software Microsoft Dynamics GP, noting that while it is widely used, the security of the software relies on security of the underlying SQL Server database. Tyurin then demonstrates how an attacker could bypass the encryption used to connect to the database, allowing access to customer data and potential privilege escalation. He warns organizations to properly secure their SQL servers to avoid such attacks.

1. Invest in security
to secure investments
Accounting hacking –
arch bugs in MS Dynamics GP
Alexey Tyurin
Director of consulting department in ERPScan

2. Alexey Tyurin
• Director of consulting in ERPScan
• XML/WEB/Win/Network security fun
• Hacked a lot of online banking systems
• Co-Organizer of Defcon Russia Group
• Editor of “EasyHack” column for the “Xakep” magazine
@antyurin
erpscan.com
ERPScan — invest in security to secure investments
2

3. MS
erpscan.com
ERPScan — invest in security to secure investments
3

4. MS
erpscan.com
ERPScan — invest in security to secure investments
4

5. MS
erpscan.com
ERPScan — invest in security to secure investments
5

6. MS
erpscan.com
ERPScan — invest in security to secure investments
6

7. MS
erpscan.com
ERPScan — invest in security to secure investments
7

8. What is it?
•
•
Microsoft Dynamics GP is ERP or accounting software
Many implementations: about 430000 companies
Img from http://www.calszone.com
erpscan.com
ERPScan — invest in security to secure investments
8

9. Architecture
Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf
erpscan.com
ERPScan — invest in security to secure investments
9

10. Features
•
Fat client
•
Web is only for info and reporting
•
Dexterity language
•
The security depends on the
security of SQL Server
•
Microsoft Dynamics GP does not
integrate with Active Directory
erpscan.com
ERPScan — invest in security to secure investments
10

11. Security
Role model:
• Security Tasks
• Security Roles
• Users
Features:
• sa
• DYNSA
• DYNGRP
• System password
• SQL users
erpscan.com
ERPScan — invest in security to secure investments
11

12. inSecurity
• All the security of Dynamics relies on the visual restrictions of
the fat client
• In fact, all users have the rights to the companies’ databases
and to DYNAMICS
• The only obstruction: impossible to connect to the SQL server
directly (encryption +encryption). How to bypass it?
erpscan.com
ERPScan — invest in security to secure investments
12

13. inSecurity
• Reverse engineering to understand the password “encryption”
algorithm
• A MitM attack on ourselves
MS SQL server does not encrypt the process of authentication af
a few bytes are replaced upon connection!
* The method itself is described and implemented into a Metasploit Framework
module that works like a charm:
http://f0rki.at/microsoft-sql-server-downgrade-attack.html
** It is a feature, not a bug, and Microsoft is not going to correct it
erpscan.com
ERPScan — invest in security to secure investments
13

14. What’s next?
• Full access to the company’s information in the database
For example, privilege escalation. But a research called “Cash is King” describes
subtler methods:
http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper
• Attack on OS
For example, if the SQL server is launched under a privileged user account, we
can initiate a connection to our host using stored procedures (xp_dirtree)
because we have the rights of the “public” role. The result will be a hash which
can be used in a bruteforce attack.
If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can
conduct an SMB Relay attack on the same server (MS08-068 will not work here).
The result will be a shell on the cluster :)
erpscan.com
ERPScan — invest in security to secure investments
14

15. DEMO
erpscan.com
ERPScan — invest in security to secure investments
15

16. Greetz to our crew who helped