[ISN] Fixing the back-door SAP-Oracle security hole

From: InfoSec News <alerts_at_private>
Date: Mon, 12 Apr 2010 00:24:23 -0500 (CDT)
http://www.infoworld.com/d/security-central/fixing-the-back-door-sap-oracle-security-hole-096

By Jeremy Kirk 
IDG News Service
April 09, 2010

At the Black Hat security conference next week, one presentation will 
focus on a way to insert a back door into SAP's ERP (enterprise resource 
planning) applications. SAP's business software is often the core of a 
company's operations and is used to manage invoicing, human resources, 
procurement, and billing, among many other functions.

SAP's software uses databases from companies such as Oracle, said 
Mariano Nuñez Di Croce, director of research and development for Onapsis, 
a company that focuses on penetration testing for SAP systems and others 
such as Oracle's PeopleSoft and JD Edwards enterprise applications.

Many companies do not configure the Oracle database correctly, which 
makes the SAP system vulnerable to attack. "What we have found is, it is 
possible instead of modifying the program you can connect to the 
database and modify the code directly in the database," Nuñez Di Croce 
said.

The problem with SAP and the Oracle database has been known for a few 
years, although Nuñez Di Croce recently figured out how to slip a "back 
door" into a program in the database that can then send data to a remote 
hacker. Because the Oracle database does not conduct an integrity check 
of the source code, the attack would be difficult to detect.
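The missing control the article points at is an integrity check of program source that lives in the database. The following is an added illustration, not code from the article, Onapsis or SAP: it baselines a SHA-256 per stored program and reports anything modified, added or removed out-of-band. The table and column names (program_source, name, source) and the sample programs are constructed assumptions, standing in for whatever table a real system uses; SQLite in memory stands in for the real database.

```python
"""Detect out-of-band changes to program source stored in a database."""
import hashlib
import sqlite3

# Constructed sample: a hypothetical table holding program source code.
# Table/column names are assumptions, not SAP's or Oracle's real ones.
SCHEMA = "CREATE TABLE program_source (name TEXT PRIMARY KEY, source TEXT)"
PROGRAMS = [
    ("ZREPORT_INVOICES", "REPORT zreport_invoices.\nWRITE 'total'."),
    ("ZHR_PAYROLL", "REPORT zhr_payroll.\nPERFORM calc."),
]


def open_db():
    """Create the in-memory sample database with known-good source rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO program_source VALUES (?, ?)", PROGRAMS)
    conn.commit()
    return conn


def snapshot(conn):
    """Map each program name to the SHA-256 of its stored source text."""
    rows = conn.execute("SELECT name, source FROM program_source")
    return {name: hashlib.sha256(src.encode("utf-8")).hexdigest()
            for name, src in rows}


def diff_snapshots(baseline, current):
    """Report programs whose stored source differs from the baseline."""
    return {
        "modified": sorted(n for n in baseline
                           if n in current and baseline[n] != current[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Baseline, then simulate a direct row edit that bypasses the application."""
    conn = open_db()
    baseline = snapshot(conn)  # taken while the code is known to be clean
    # A direct UPDATE of the source row; no application-layer transport or audit
    conn.execute("UPDATE program_source SET source = source || ? WHERE name = ?",
                 ("\n\" tampered", "ZREPORT_INVOICES"))
    conn.commit()
    return diff_snapshots(baseline, snapshot(conn))
```

The baseline must be kept outside the database being checked (and the check run from a separate host or account), otherwise the same database access that alters the code can also rewrite the baseline.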

[...]

Received on Sun Apr 11 2010 - 22:24:23 PDT