Gleb Cherbov - DBO Hacking — arch bugs in BSS


Arch bugs in BSS

Gleb Cherbov, Security Researcher, Digital Security (ERPScan)

© 2002—2013, Digital Security

Banking


Internet banking. Client side


How it worx


Architecture diagram components: Operator (Operator’s environment); WEB Server + App Server; DBMS; ABS


Select a target


SQL injection

Insider attack


Authentication

Diagram: Operator (Operator’s environment) with credentials oper_login / oper_pass; DBMS with account dbo_admin


Dbo_admin

• dbo_admin is the only account at DBMS
• dbo_admin has full access
• every operator can connect to DBMS directly
• oper auth on app side


Lookin’ for a passwd

dbo_admin password is encrypted and stored in a .cfg file near the app


Quote

“it’s impossible to decrypt it” (c) BSS support


Let’s take a look

Screenshot annotations: RSA modulus; RSA private exp; Unusual base64 alphabet

Well… looks like base64?


Also…

Innovative password storage widely used in BSS products, with the same hardcoded RSA key
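The storage scheme the slides describe, modelled as an added example (not code from the talk or from any BSS product; the RSA key, the base64 alphabet and the password below are all constructed for the demo): the application RSA-encrypts the password with a modulus and private exponent hard-coded in the binary and wraps the result in base64 with a non-standard alphabet. Since everything needed to reverse the transform ships with the product, anyone who can read the .cfg and the binary recovers the password, which is why "impossible to decrypt" does not hold; the remedy is architectural (per-operator DBMS authentication instead of one shared superuser credential on every operator’s machine), not a stronger cipher.

```python
import base64
import string

# Constructed for this demo: the standard base64 alphabet and a rotated
# "unusual" one standing in for the non-standard alphabet seen in the app.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
APP_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
TO_STD = str.maketrans(APP_ALPHABET, STD_ALPHABET)
TO_APP = str.maketrans(STD_ALPHABET, APP_ALPHABET)

# Constructed toy RSA key (p=61, q=53; far too small for real use). In the
# scheme the talk describes, values like N and D are hard-coded in the app.
N = 3233   # modulus
E = 17     # public exponent
D = 2753   # private exponent (17 * 2753 == 1 mod 3120)


def rsa_block(value: int, exponent: int) -> int:
    """Textbook RSA on one integer block (no padding, as in the toy scheme)."""
    return pow(value, exponent, N)


def app_encrypt(password: str) -> str:
    """What the app does when writing the .cfg: RSA each byte, pack each
    result as a 2-byte big-endian block, base64-encode, swap in the custom
    alphabet. The output looks like base64 but does not decode as such."""
    blocks = b"".join(rsa_block(b, E).to_bytes(2, "big") for b in password.encode())
    return base64.b64encode(blocks).decode().translate(TO_APP)


def recover_password(cfg_value: str) -> str:
    """Reverse of app_encrypt using only material that ships with the app:
    undo the alphabet swap, base64-decode, RSA-decrypt each 2-byte block."""
    raw = base64.b64decode(cfg_value.translate(TO_STD))
    blocks = (int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2))
    return bytes(rsa_block(c, D) for c in blocks).decode()


if __name__ == "__main__":
    stored = app_encrypt("s3cret-dbo-pass")   # constructed sample password
    print("cfg value:", stored)
    print("recovered:", recover_password(stored))
```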


Malware


Get conf file

Decrypt dbo_admin pass

Wreak havoc


Attack vector?

• Insider
• Targeted attack
• Malware


Tricky data manipulations

Digital Security in Moscow: +7 (495) 223-07-86

Digital Security in Saint Petersburg: +7 (812) 703-15-47

Questions?

www.dsec.ru / www.erpscan.com

info@dsec.ru