[ISN] Fixing the back-door SAP-Oracle security hole

From: InfoSec News (alerts@infosecnews.org)
Date: Mon Apr 12 2010 - 00:24:23 CDT


By Jeremy Kirk
IDG News Service
April 09, 2010

At the Black Hat security conference next week, one presentation will
focus on a way to insert a back door into SAP's ERP (enterprise resource
planning) applications. SAP's business software is often the core of a
company's operations and is used to manage invoicing, human resources,
procurement, and billing, among many other functions.

SAP's software uses databases from companies such as Oracle, said
Mariano Nuñez Di Croce, director of research and development for Onapsis,
a company that focuses on penetration testing for SAP systems and others
such as Oracle's PeopleSoft and JD Edwards enterprise applications.

Many companies do not configure the Oracle database underneath SAP
correctly, which leaves the SAP system vulnerable to attack from the
database layer. "What we have found is, it is possible instead of
modifying the program you can connect to the database and modify the
code directly in the database," Nuñez Di Croce said.

The problem with SAP and the Oracle database has been known for a few
years, although Nuñez Di Croce recently figured out how to slip a "back
door" into a program stored in the database that can then send data to a
remote attacker. Because the Oracle database does not check the integrity
of the program source it holds, a modification made directly at the
database level would be difficult to detect.
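The missing check described above can be approximated from the outside: hash every program's source as stored in the database, keep the hashes somewhere a database-level attacker cannot rewrite, and re-hash on a schedule. The following is an added example written for this page, not code from the article, from Onapsis or from SAP. It uses a constructed SQLite table (`progsrc`) and toy program names standing in for SAP's real repository tables, and it simulates the attack as a direct UPDATE of a source row so the detector has something to catch.

```python
import hashlib
import sqlite3

# Constructed sample data: a toy "program source" table standing in for the
# application-layer repository that SAP keeps inside its database. The table
# name, columns and program names are assumptions for this example, not SAP's
# real schema.
SEED_PROGRAMS = {
    "ZPAYROLL_RUN": "REPORT zpayroll_run.\nPERFORM calculate_salaries.\nPERFORM post_to_gl.\n",
    "ZINVOICE_PRINT": "REPORT zinvoice_print.\nPERFORM print_invoice USING iv_docnum.\n",
}


def open_db():
    """Create the in-memory stand-in for the database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE progsrc (progname TEXT PRIMARY KEY, source TEXT NOT NULL)")
    conn.executemany("INSERT INTO progsrc VALUES (?, ?)", SEED_PROGRAMS.items())
    conn.commit()
    return conn


def baseline(conn):
    """Hash every program's source. The result must be stored out-of-band
    (not in the same database), otherwise an attacker with direct database
    access simply rewrites the baseline along with the code."""
    return {
        name: hashlib.sha256(src.encode("utf-8")).hexdigest()
        for name, src in conn.execute("SELECT progname, source FROM progsrc")
    }


def plant_backdoor(conn, progname, payload):
    """Simulate the attack from the article: bypass the application layer and
    append code to a program by updating its source row directly."""
    conn.execute(
        "UPDATE progsrc SET source = source || ? WHERE progname = ?",
        (payload, progname),
    )
    conn.commit()


def verify(conn, baseline_hashes):
    """Compare the current table against the stored baseline. Returns the
    programs whose source changed, plus programs that appeared or vanished,
    since a dropped-in new program is as suspicious as a modified one."""
    current = baseline(conn)
    modified = sorted(
        n for n in baseline_hashes if n in current and current[n] != baseline_hashes[n]
    )
    added = sorted(set(current) - set(baseline_hashes))
    removed = sorted(set(baseline_hashes) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Take a baseline, plant a backdoor via direct UPDATE, and re-verify."""
    conn = open_db()
    reference = baseline(conn)
    clean = verify(conn, reference)
    plant_backdoor(conn, "ZPAYROLL_RUN", "CALL FUNCTION 'Z_SEND_TO_REMOTE_HOST'.\n")
    tampered = verify(conn, reference)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The baseline has to be refreshed after every legitimate change (a transport import, for instance), otherwise the detector drowns in expected differences; the practical discipline is to diff the new baseline against the old one at change time and treat any program not covered by an approved change as a finding.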
