1. Invest in security
to secure investments
Accounting hacking –
arch bugs in MS Dynamics GP
Alexey Tyurin
Director of consulting department in ERPScan

2. Alexey Tyurin
• Director of consulting in ERPScan
• XML/WEB/Win/Network security fun
• Hacked a lot of online banking systems
• Co-Organizer of Defcon Russia Group
• Editor of “EasyHack” column for the “Xakep” magazine
@antyurin
erpscan.com
ERPScan — invest in security to secure investments
2

3. MS
erpscan.com
ERPScan — invest in security to secure investments
3

4. MS
erpscan.com
ERPScan — invest in security to secure investments
4

5. MS
erpscan.com
ERPScan — invest in security to secure investments
5

6. MS
erpscan.com
ERPScan — invest in security to secure investments
6

7. MS
erpscan.com
ERPScan — invest in security to secure investments
7

8. What is it?
•
•
Microsoft Dynamics GP is ERP or accounting software
Many implementations: about 430000 companies
Img from http://www.calszone.com
erpscan.com
ERPScan — invest in security to secure investments
8

9. Architecture
Based on www.securestate.com/Downloads/whitepaper/Cash-Is-King.pdf
erpscan.com
ERPScan — invest in security to secure investments
9

10. Features
•
Fat client
•
Web is only for info and reporting
•
Dexterity language
•
The security depends on the
security of SQL Server
•
Microsoft Dynamics GP does not
integrate with Active Directory
erpscan.com
ERPScan — invest in security to secure investments
10

11. Security
Role model:
• Security Tasks
• Security Roles
• Users
Features:
• sa
• DYNSA
• DYNGRP
• System password
• SQL users
erpscan.com
ERPScan — invest in security to secure investments
11

12. inSecurity
• All the security of Dynamics relies on the visual restrictions of
the fat client
• In fact, all users have the rights to the companies’ databases
and to DYNAMICS
• The only obstruction: impossible to connect to the SQL server
directly (encryption +encryption). How to bypass it?
erpscan.com
ERPScan — invest in security to secure investments
12

13. inSecurity
• Reverse engineering to understand the password “encryption”
algorithm
• A MitM attack on ourselves
MS SQL server does not encrypt the process of authentication af
a few bytes are replaced upon connection!
* The method itself is described and implemented into a Metasploit Framework
module that works like a charm:
http://f0rki.at/microsoft-sql-server-downgrade-attack.html
** It is a feature, not a bug, and Microsoft is not going to correct it
erpscan.com
ERPScan — invest in security to secure investments
13

14. What’s next?
• Full access to the company’s information in the database
For example, privilege escalation. But a research called “Cash is King” describes
subtler methods:
http://marketing.securestate.com/cash-is-king-download-our-free-whitepaper
• Attack on OS
For example, if the SQL server is launched under a privileged user account, we
can initiate a connection to our host using stored procedures (xp_dirtree)
because we have the rights of the “public” role. The result will be a hash which
can be used in a bruteforce attack.
If Dynamics GP uses a cluster of SQL servers (it happens sometimes), we can
conduct an SMB Relay attack on the same server (MS08-068 will not work here).
The result will be a shell on the cluster :)
erpscan.com
ERPScan — invest in security to secure investments
14

15. DEMO
erpscan.com
ERPScan — invest in security to secure investments
15

16. Greetz to our crew who helped