Forgotten World: Corporate Business Application Systems presented at BlackHatDC 2011

by Alexander mikhailovich Polyakov, Val Smith,


Summary : Do you know where are all critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can attacker sabotage or commit espionage against your company just having access to one system?
Amidst SCADA, Win 7, and the Cloud there is a type of critical system no one is talking about. Enterprise Resource Planning (ERP). All that is needed is to gain access to the corporate business application infrastructure, specifically systems such as ERP, Customer Relationship Management (CRM), and Supplier Relationship Management (SRM). If an attacker seeks to gather critical financial, personnel, or other sensitive data, these are the types of systems where it is stored. These systems are often also trusted and connected to other secure systems such as banking client workstations as well as SCADA systems.
These days most companies have strong security policies and patch management as it applies to standard networks and operating systems, but these rarely exist or are in place for ERP type systems. An attacker can bypass all of a companies investments in security by attacking an ERP system.
We will show examples of different custom business applications including custom as well as the more popular ones and previously unknown vulnerabilities that can be exploited to gain unauthorized access to critical business data. Many of these type vulnerabilities cannot be easily patched because they are design flaws or business logic problems requiring a redesign of the system.