Alexey Tyurin - Accounting hacking — arch bugs in MS Dynamics GP
1. Invest in security to secure investments
Accounting hacking – arch bugs in MS Dynamics GP
Alexey Tyurin
Director of consulting department in ERPScan
2. Alexey Tyurin
• Director of consulting in ERPScan
• XML/WEB/Win/Network security fun
• Hacked a lot of online banking systems
• Co-Organizer of Defcon Russia Group
• Editor of “EasyHack” column for the “Xakep” magazine
@antyurin
erpscan.com
ERPScan — invest in security to secure investments
8. What is it?
• Microsoft Dynamics GP is ERP or accounting software
• Many implementations: about 430000 companies
Img from http://www.calszone.com
10. Features
• Fat client
• Web is only for info and reporting
• Dexterity language
• The security depends on the security of SQL Server
• Microsoft Dynamics GP does not integrate with Active Directory
11. Security
Role model:
• Security Tasks
• Security Roles
• Users
Features:
• sa
• DYNSA
• DYNGRP
• System password
• SQL users
12. inSecurity
• All the security of Dynamics relies on the visual restrictions of the fat client
• In fact, all users have the rights to the companies’ databases and to DYNAMICS
• The only obstruction: impossible to connect to the SQL server directly (encryption + encryption). How to bypass it?
13. inSecurity
• Reverse engineering to understand the password “encryption” algorithm
• A MitM attack on ourselves
MS SQL Server does not encrypt the authentication process if a few bytes are replaced upon connection!
* The method itself is described and implemented as a Metasploit Framework module that works like a charm:
http://f0rki.at/microsoft-sql-server-downgrade-attack.html
** It is a feature, not a bug, and Microsoft is not going to correct it
14. What’s next?
• Full access to the company’s information in the database
For example, privilege escalation. But research called “Cash is King” describes subtler methods:
http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper
• Attack on OS
For example, if the SQL Server service runs under a privileged user account, we can make it initiate a connection to our host using stored procedures (xp_dirtree), because we have the rights of the “public” role. The result is a hash that can be used in a brute-force attack.
If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can conduct an SMB Relay attack on the same server (MS08-068 will not work here). The result will be a shell on the cluster :)
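As an added example (not from the talk or from ERPScan), here is a T-SQL audit a DBA can run with administrative rights on the instance hosting Dynamics GP to check the three weaknesses above: unencrypted SQL-login sessions, the wide-open DYNAMICS database, and public access to xp_dirtree. It assumes the default DYNAMICS database name from the slides.

```sql
-- Added example, not part of the original slides. Run as a sysadmin on the
-- SQL Server instance that hosts Dynamics GP (SQL Server 2008 or later).

-- 1. Sessions that use SQL authentication over an unencrypted TDS connection.
--    With "Force Encryption" enabled on the instance (the mitigation for the
--    pre-login downgrade the talk describes) this should return no rows;
--    any row is a session that negotiated away encryption and needs a look.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.client_net_address, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.auth_scheme = 'SQL'
ORDER BY s.login_name;

-- 2. Every login mapped into the DYNAMICS system database and the database
--    roles it holds. The talk's point is that all GP users end up with full
--    rights here (DYNGRP membership), so compare this list against the set
--    of people who actually need direct database access.
USE DYNAMICS;
SELECT dp.name AS db_user,
       sp.name AS server_login,
       r.name  AS db_role
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals   AS sp ON sp.sid = dp.sid
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('S', 'U')                       -- SQL users and Windows users
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY dp.name, r.name;

-- 3. Take xp_dirtree away from the public role so an ordinary login can no
--    longer make the service account authenticate to an arbitrary UNC path.
USE master;
REVOKE EXECUTE ON dbo.xp_dirtree FROM public;
```

Step 1 only reports sessions open at the moment it runs, so schedule it or feed the same join into an Extended Events session if you need a continuous record.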