Invest in security to secure investments
Accounting hacking – arch bugs in MS Dynamics GP
Alexey Tyurin, Director of consulting department in ERPScan
Feb 22, 2016
Alexey Tyurin
• Director of consulting in ERPScan
• XML/WEB/Win/Network security fun
• Hacked a lot of online banking systems
• Co-Organizer of Defcon Russia Group
• Editor of “EasyHack” column for the “Xakep” magazine
@antyurin
erpscan.com 2ERPScan — invest in security to secure investments
What is it?
• Microsoft Dynamics GP is ERP or accounting software
• Many implementations: about 430000 companies
Img from http://www.calszone.com
Architecture
Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf
Features
• Fat client
• Web is only for info and reporting
• Dexterity language
• The security depends on the security of SQL Server
• Microsoft Dynamics GP does not integrate with Active Directory
Security
Role model:
• Security Tasks
• Security Roles
• Users

Features:
• sa
• DYNSA
• DYNGRP
• System password
• SQL users
inSecurity
• All the security of Dynamics relies on the visual restrictions of the fat client
• In fact, all users have the rights to the companies’ databases and to DYNAMICS
• The only obstruction: impossible to connect to the SQL server directly (encryption + encryption). How to bypass it?
inSecurity
• Reverse engineering to understand the password “encryption” algorithm
• A MitM attack on ourselves: MS SQL server does not encrypt the process of authentication if a few bytes are replaced upon connection!
* The method itself is described and implemented in a Metasploit Framework module that works like a charm: http://f0rki.at/microsoft-sql-server-downgrade-attack.html
** It is a feature, not a bug, and Microsoft is not going to correct it
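As an added defender-side example (not from the talk and not the Metasploit module it cites): the "few bytes" in question are the ENCRYPTION option of the TDS PRELOGIN exchange, so a sensor can parse that option on both sides and flag any login whose negotiation ends in cleartext. The packets below are constructed test data; token layout and option values follow the MS-TDS PRELOGIN definition, and the outcome table is the one the TDS specification gives for each client/server pairing.

```python
import struct

PRELOGIN = 0x12            # TDS packet type for PRELOGIN
ENCRYPTION_TOKEN = 0x01    # PRELOGIN option token carrying the encryption setting
OFF, ON, NOT_SUP, REQ = 0x00, 0x01, 0x02, 0x03   # ENCRYPT_OFF / ON / NOT_SUP / REQ

# (client setting, server response) -> what the connection ends up with
OUTCOMES = {
    (OFF, OFF): "login-packet-encrypted",
    (OFF, REQ): "session-encrypted",        # server has Force Encryption set
    (OFF, NOT_SUP): "cleartext",            # what the downgrade aims for
    (ON, ON): "session-encrypted",
    (ON, NOT_SUP): "rejected-by-client",
    (NOT_SUP, NOT_SUP): "cleartext",
    (NOT_SUP, REQ): "rejected-by-server",   # Force Encryption refuses a NOT_SUP client
}

def prelogin_encryption(packet: bytes) -> int:
    """Return the ENCRYPTION option byte of a TDS PRELOGIN packet."""
    ptype, _status, length = struct.unpack(">BBH", packet[:4])   # 8-byte TDS header
    if ptype != PRELOGIN or length != len(packet):
        raise ValueError("not a well-formed PRELOGIN packet")
    payload, pos = packet[8:], 0
    while payload[pos] != 0xFF:            # option list ends with TERMINATOR (0xFF)
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == ENCRYPTION_TOKEN and size == 1:
            return payload[offset]         # offset is relative to payload start
        pos += 5
    raise ValueError("PRELOGIN carries no ENCRYPTION option")

def negotiated(client_pkt: bytes, server_pkt: bytes) -> str:
    """Classify a client PRELOGIN / server response pair."""
    pair = (prelogin_encryption(client_pkt), prelogin_encryption(server_pkt))
    return OUTCOMES.get(pair, "unexpected")

def is_downgraded(client_pkt: bytes, server_pkt: bytes) -> bool:
    """Alert condition: the login will travel without any encryption."""
    return negotiated(client_pkt, server_pkt) == "cleartext"

def build_prelogin(encryption: int) -> bytes:
    """Constructed PRELOGIN with VERSION and ENCRYPTION options (test data, not a capture)."""
    version = bytes([0x0C, 0x00, 0x07, 0xD0, 0x00, 0x00])        # 6-byte VERSION value
    opts = struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", ENCRYPTION_TOKEN, 17, 1) + b"\xff"
    payload = opts + version + bytes([encryption])               # option headers, then values
    return struct.pack(">BBHHBB", PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0) + payload
```

A server configured with Force Encryption answers ENCRYPT_REQ, so a client (or a tampered client packet) claiming ENCRYPT_NOT_SUP is refused instead of falling back to cleartext.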
What’s next?
• Full access to the company’s information in the database
For example, privilege escalation. But a whitepaper called “Cash is King” describes subtler methods: http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper
• Attack on OS
For example, if the SQL server is launched under a privileged user account, we can initiate a connection to our host using stored procedures (xp_dirtree) because we have the rights of the “public” role. The result will be a hash which can be used in a bruteforce attack.
If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can conduct an SMB Relay attack on the same server (MS08-068 will not work here). The result will be a shell on the cluster :)
DEMO
Greetz to our crew who helped