ERP Security: How hackers can open the safe and take the jewels presented at ekoparty 2013

by Ezequiel D. Gutesman, Jordan Santarsieri

Summary: The largest organizations in the world run their businesses on ERP (Enterprise Resource Planning) systems. In order to comply with government regulations, anti-fraud laws and industry-specific requirements (such as NERC, PCI or HIPAA), security practices are often limited to applying segregation of duties and user access controls. Over the last few years, vulnerability-focused attacks and technical weaknesses in the implementation of ERP systems have gained attention. These revealed a wide and largely unexplored attack surface, waiting to be exploited. The ERP market is well delimited and split among a few big players. These vendors supply ERP solutions to hundreds of government and military agencies and to thousands of enterprises across a wide variety of industries. In this talk we will discuss the attack surface exposed by the most widely deployed ERP systems and will perform several live demonstrations of attacks we often carry out while executing ERP penetration tests. We will focus our attention on leading ERP and business-critical systems: SAP, Oracle Siebel and Oracle JD Edwards. We will analyze how, through the exploitation of technical vulnerabilities, attackers can target the crown jewels and critical processes of the victim organizations, resulting in espionage, sabotage and financial fraud.