Accounting hacking – arch bugs in MS Dynamics GP. Alexey Tyurin, Director of consulting (ERPScan — invest in security to secure investments)

Post on 22-Feb-2016


TRANSCRIPT

Page 1: Alexey Tyurin

Invest in security to secure investments

Accounting hacking – arch bugs in MS Dynamics GP

Alexey Tyurin, Director of consulting department in ERPScan

Page 2: Alexey Tyurin

Alexey Tyurin

• Director of consulting in ERPScan
• XML/WEB/Win/Network security fun
• Hacked a lot of online banking systems
• Co-Organizer of Defcon Russia Group
• Editor of “EasyHack” column for the “Xakep” magazine

@antyurin

erpscan.com | ERPScan — invest in security to secure investments

Pages 3–7: Alexey Tyurin

MS [image-only slides]

Page 8: Alexey Tyurin

What is it?

• Microsoft Dynamics GP is ERP or accounting software
• Many implementations: about 430000 companies

Img from http://www.calszone.com


Page 9: Alexey Tyurin

Architecture

Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf


Page 10: Alexey Tyurin

Features

• Fat client

• Web is only for info and reporting

• Dexterity language

• The security depends on the security of SQL Server

• Microsoft Dynamics GP does not integrate with Active Directory


Page 11: Alexey Tyurin

Security

Role model:
• Security Tasks
• Security Roles
• Users

Features:
• sa
• DYNSA
• DYNGRP
• System password
• SQL users


Page 12: Alexey Tyurin

inSecurity

• All the security of Dynamics relies on the visual restrictions of the fat client

• In fact, all users have the rights to the companies’ databases and to DYNAMICS

• The only obstruction: it is impossible to connect to the SQL server directly (two layers of encryption). How to bypass it?


Page 13: Alexey Tyurin

inSecurity

• Reverse engineering to understand the password “encryption” algorithm

• A MitM attack on ourselves: MS SQL Server does not encrypt the authentication process if a few bytes are replaced upon connection!

* The method itself is described and implemented in a Metasploit Framework module that works like a charm: http://f0rki.at/microsoft-sql-server-downgrade-attack.html

** It is a feature, not a bug, and Microsoft is not going to correct it
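Because the protocol-level behaviour will not change, the defensive side of the slide above is to make sure no Dynamics GP session is ever allowed to run without TLS, and to notice when one does. The T-SQL below is an added example written for this page (not code from the deck, ERPScan or Microsoft); it lists every live user session that negotiated no encryption, which is the footprint a successful downgrade leaves. It relies only on the documented DMVs `sys.dm_exec_sessions` and `sys.dm_exec_connections` and needs VIEW SERVER STATE to run:

```sql
-- Added example (not from the deck): find live sessions that negotiated no TLS.
-- A Dynamics GP client authenticates with a SQL login (auth_scheme = 'SQL'), so an
-- unencrypted SQL-authenticated session from a GP workstation is exactly what a
-- prelogin downgrade produces and what a defender wants to see flagged.
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        s.program_name,          -- GP's client name helps separate GP from other tools
        c.client_net_address,
        c.auth_scheme,           -- 'SQL' for SQL logins, 'NTLM' / 'KERBEROS' for Windows logins
        c.encrypt_option         -- 'TRUE' only when TLS was negotiated for the session
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE   s.is_user_process = 1
  AND   c.encrypt_option = 'FALSE'
ORDER BY s.login_name, s.session_id;
```

The query only sees sessions that exist while it runs, so schedule it (or an Extended Events session on logins) rather than running it once. The actual fix sits outside T-SQL: set Force Encryption to Yes on the server's network protocol in SQL Server Configuration Manager, after which a client whose prelogin claims not to support encryption is refused instead of being let in unencrypted.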


Page 14: Alexey Tyurin

What’s next?

• Full access to the company’s information in the database. For example, privilege escalation. But the research called “Cash is King” describes subtler methods: http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper

• Attack on the OS. For example, if the SQL server is launched under a privileged user account, we can initiate a connection to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a brute-force attack. If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can conduct an SMB Relay attack on the same server (MS08-068 will not work here). The result will be a shell on the cluster :)

Page 15: Alexey Tyurin


DEMO

Page 16: Alexey Tyurin

Greetz to our crew who helped