What do all Fortune-500 companies have in common? If you answered “they all have a lot of money”… you are right, they do. But there is more. Every medium to large organization in the world uses some type of critical application to process its most sensitive business information. These systems, known as ERPs, handle invoices and payments involving billions of dollars.
What would happen if attackers gain access to one of those systems?
We would probably hear in the news about another company that was hit by ransomware. But, in fact, it could be much worse. By understanding the post-exploitation vectors that apply to ERPs, it would be possible to control one of the most important assets of an organization… their money. Yes, it’s money.
In this talk, we will present two critical vulnerabilities recently found during our assessment of Oracle’s ERP, using them to introduce the audience to the world of ERP post-exploitation.
First, we will go over an unsafe Java deserialization vulnerability (CVE-2020-2586) that could allow an unauthenticated attacker to gain full control of the ERP’s database. With a live demo, we will show how this can be exploited in a meaningful way, altering the payment process and obtaining substantial profits from it. All without being detected and leaving no traces.
Next, using Java reflection and dynamic method invocation, we found it was possible to upload arbitrary files remotely, without any authentication, to the ERP system (CVE-2019-2775). Leveraging this vulnerability, we will demonstrate, again with a live demo, how an attacker could trick the target system into printing real cashable checks. Again: all without raising any suspicion, showing why, for an attacker who knows what ERPs are capable of, getting a shell is only the first step.