Gleb Cherbov - DBO Hacking — arch bugs in BSS

•Transferir como PPTX, PDF•

0 gostou•773 visualizações

The document discusses security issues in banking software systems. It describes how the banking software works, with a web server, application server, database, and operator environment. It then details vulnerabilities, including that all operators can directly connect to the database using a single 'dbo_admin' account with full access, and that the password for this account is encrypted but stored in a file that can be decrypted, exposing the password. It closes by noting this is a possible attack vector that could allow malware to access the database and cause damage.

Tecnologia

Arch bugs in BSS
Gleb Cherbov
Security Researcher
Digital Security (ERPScan)

Arch bugs in BSS

Banking

© 2002—2013, Digital Security

2

Arch bugs in BSS

Internet banking. Client side

© 2002—2013, Digital Security

3

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
4

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
5

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
6

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
7

Arch bugs in BSS

Select a target

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
8

Arch bugs in BSS

Select a target

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
9

Arch bugs in BSS

Select a target

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
10

Arch bugs in BSS

Authentication

oper_login
oper_pass

Operator

© 2002—2013, Digital Security

dbo_admin
Operator’s
environment

DBMS

11

Arch bugs in BSS

Dbo_admin

• dbo_admin is the only account at DBMS
• dbo_admin has full access
• every operator can connect to DBMS directly
• oper auth on app side

© 2002—2013, Digital Security

12

Arch bugs in BSS

Lookin’ for a passwd

dbo_admin password is encrypted
and stored in a .cfg file near the app

© 2002—2013, Digital Security

13

Arch bugs in BSS

Quote

“it’s impossible to decrypt it”
(c) BSS support

© 2002—2013, Digital Security

14

Arch bugs in BSS

Let’s take a look

RSA modulus
RSA private exp
Unusual base64 alphabet
© 2002—2013, Digital Security

15

Arch bugs in BSS

Let’s take a look

Well… looks like base64?

© 2002—2013, Digital Security

16

Arch bugs in BSS

Also…

Innovative password storage
widely used in BSS products
With the same hardcoded RSA key

© 2002—2013, Digital Security

17

Arch bugs in BSS

Malware

WEB Server + App Server

DBMS

ABS
Get conf file
Decrypt dbo_admin pass
Wreak havoc
Operator
© 2002—2013, Digital Security

Operator’s environment
18

Arch bugs in BSS

Attack vector?

•Insider

•Targeted attack
•Malware

© 2002—2013, Digital Security

19

Arch bugs in BSS

Tricky data manipulations

© 2002—2013, Digital Security

20

Questions?

Digital Security in Moscow: +7 (495) 223-07-86
Digital Security in Saint Petersburg: +7 (812) 703-15-47
www.dsec.ru
www.erpscan.com
info@dsec.ru

Mais conteúdo relacionado

Semelhante a Gleb Cherbov - DBO Hacking — arch bugs in BSS

Speaker: Drew DiPalma, Product Manager, Cloud, MongoDB Level: 100 (Beginner) Track: Developer Come learn more about MongoDB Stitch – Our new Backend as a Service (BaaS) that makes it easy for developers to create and launch applications across mobile and web platforms. Stitch provides a REST API on top of MongoDB with read, write, and validation rules built-in and full integration with the services you love. This talk will cover the what, why, and how of MongoDB Stitch. We’ll discuss everything from features to the architecture. You’ll walk away knowing how Stitch can kickstart your new project or take your existing application to the next level. What You Will Learn: - The basics of MongoDB Stitch and how to use it to kickstart new projects and implement new features in existing projects. - How to integrate your favorite services with your MongoDB application without writing any code.

Introducing Stitch

MongoDB

Owning End-to-end Application Experience With ThousandEyes

ThousandEyes

Enhancing SaaS Performance: A Hands-on Workshop for Partners

ThousandEyes

AWS Greengrass provides a wide range of opportunities from IoT gateway applications to building systems like those with microservice architectures. In this session, we first evaluate how AWS Greengrass fits into OEM, ODM, and IT service delivery models. We then wade into a gentle overview of AWS Greengrass and how it interoperates with AWS IoT and other AWS services. We walk through several key AWS Greengrass distributed architectures. Next, to help you accelerate your solution using AWS Greengrass, we discuss how AWS Greengrass fits into the AWS Cloud development and delivery model. The talk wraps up with a demonstration of AWS Greengrass facilitating communication between a closed machine to machine (M2M) network and AWS IoT.

GPSTEC317-From Leaves to Lawns AWS Greengrass at the Edge and Beyond

Amazon Web Services

While security is a top concern in every organization these days, it often gets a bad rap. In many minds, security has the reputation of the bothersome villain who attempts to hinder performance or restrain agility. In this session we will outline four strategies to protect your valuable workloads, without falling into traditional security traps. We will walk through three stories of EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools. Andrew Watts-Curnow, Solutions Architect, Amazon Web Services, ASEAN Justin Foster, CISSP Head of Cloud Workload Security, Trend Micro

3 Secrets to Becoming a Cloud Security Superhero

Amazon Web Services

As the cloud transforms enterprise IT, it brings a lot more savings than cold hard cash. No question, reducing infrastructure costs is the #1 attraction to cloud. But there are two other cost dimensions with huge impact on security that must not be ignored. The payoffs depend on whether you approach security with a cloud vs. on-premises model. An organization’s choices are crucial – both for enterprise security and for the roles of its stakeholders.

Cloud vs. On-Premises Security: Can you afford not to switch?

Zscaler

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes

ThousandEyes

Introduction to ThousandEyes

ThousandEyes

Software as a Service

Frankie Warren

Many customers are hesitant to adopt SaaS solutions due to the concerns on the safety of the network connectivity traversing internet. It is also difficult to manage the firewall rules, NAT Gateway or VPN connections. AWS PrivateLink provided solution that let our customers’ applications, whether in a VPC or in their own data center, to connect to SaaS solutions in a highly scalable and highly available manner, while keeping all the network traffic within the AWS network.

NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...

Amazon Web Services

Realise True Business Value .pdf

ThousandEyes

Realize True Business Value With ThousandEyes

ThousandEyes

Realise True Business Value With ThousandEyes

ThousandEyes

IT organizations today need to support a modern, flexible, global workforce and ensure that their users can be productive anywhere. Moving desktops and applications to the AWS Cloud offers improved security, scale, and performance with cloud economics. In this session, we provide an overview of Amazon WorkSpaces and Amazon AppStream 2.0, and we discuss the use cases for each. Then, we dive deep into best practices for implementing Amazon WorkSpaces and AppStream 2.0

Increasing Productivity with End-User Computing Solutions on AWS

Amazon Web Services

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

Vladimir Simek

Learn how to build powerful backends without managing servers by using MongoDB Stitch. Stitch is a backend-as-a-service that lets developers perform CRUD operations directly against their database with a REST API, declaratively specify field-level security on their data, and compose server-side logic and external services with hosted functions. We provide four live coding demonstrations of Stitch in action. First, we demonstrate querying and inserting data into Stitch by adding comment capability to a static blog. Second, we demonstrate the power of Stitch's declarative ACL rules in the context of a medical records application. Third, we show services integration using Amazon S3 and Amazon Rekognition. Finally, we put it all together with an IoT-powered two-factor door security system, demonstrating how Stitch orchestrates a complex architecture of devices, logic, and services. Session sponsored by MongoDB

SRV336_Build a Serverless, Face-Recognizing IoT Security System with Amazon R...

Amazon Web Services

Introducing MongoDB Atlas

MongoDB

GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...

Amazon Web Services

On-premise to Microsoft Azure Cloud Migration.

Emtec Inc.

BIM Data for Owners - Sam Nseir

Jad DELLEL

Semelhante a Gleb Cherbov - DBO Hacking — arch bugs in BSS (20)

Introducing Stitch

Owning End-to-end Application Experience With ThousandEyes

Enhancing SaaS Performance: A Hands-on Workshop for Partners

GPSTEC317-From Leaves to Lawns AWS Greengrass at the Edge and Beyond

3 Secrets to Becoming a Cloud Security Superhero

Cloud vs. On-Premises Security: Can you afford not to switch?

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes

Introduction to ThousandEyes

Software as a Service

NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...

Realise True Business Value .pdf

Realize True Business Value With ThousandEyes

Realise True Business Value With ThousandEyes

Increasing Productivity with End-User Computing Solutions on AWS

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

SRV336_Build a Serverless, Face-Recognizing IoT Security System with Amazon R...

Introducing MongoDB Atlas

GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...

On-premise to Microsoft Azure Cloud Migration.

BIM Data for Owners - Sam Nseir

Mais de DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...

Gleb Cherbov - DBO Hacking — arch bugs in BSS

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Gleb Cherbov - DBO Hacking — arch bugs in BSS

Semelhante a Gleb Cherbov - DBO Hacking — arch bugs in BSS (20)

Mais de DefconRussia

Mais de DefconRussia (20)

Último

Último (20)

Gleb Cherbov - DBO Hacking — arch bugs in BSS