YoVDO

Jackpotting Fortune-500 Treasuries

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses Penetration Testing Courses

Course Description

Overview

Explore critical vulnerabilities in Enterprise Resource Planning (ERP) systems and their potential for financial exploitation in this conference talk from the Hack In The Box Security Conference. Dive into the world of ERP post-exploitation, focusing on Oracle's ERP system, and discover how attackers could manipulate payment processes for substantial profits. Learn about two recently discovered vulnerabilities: an unsafe Java deserialization vulnerability (CVE-2020-2586) allowing unauthenticated database control, and a file upload vulnerability (CVE-2019-2775) enabling remote file uploads without authentication. Witness live demonstrations of altering payment processes and printing cashable checks without detection, highlighting the importance of understanding ERP security for protecting Fortune 500 companies' most critical financial assets.

Syllabus

Intro
About Presenters
Agenda • ERP systems and Financial applications
Motivation Looking for profit?
ERP Systems What is an Enterprise Resource Planning system?
Expectation
ERP as a Target
Oracle EBS
TCF Vulnerability
ERP Payments
E-Business Suite Payments
Wire Transfer Attack
E-Business Suite Payment module
Arbitrary File Upload
Uploading CGI Perl Script
E-Business Suite checks
E-Business Suite Payments module


Taught by

Hack In The Box Security Conference
