Stupid mistakes. Architecture and business logic vulnerabilities

Presented at CONfidenceTwo 2010 by

Vulnerabilities in the architecture and business logic of software are very common according to various research (Trustwave report: logical flaws in 2nd place), and they cannot easily be found by automated methods. Logical vulnerabilities are therefore still state of the art, and there are still very stupid mistakes in business logic that can be used to gain full access to a vulnerable application. We will show the real story of one popular industrial RDBMS and some of its vulnerabilities that were found during our enterprise application security assessment. The vulnerability is pretty funny and it still cannot be patched, so the talk will describe the whole story: finding it, reverse engineering, exploit development, and communication with the vendor (of course very funny). Finally, we will show that this RDBMS is used in many specialized Health and Retail software systems at companies in the Fortune Global 500.