Bio: Alexey Sintsov was born in 1985 then graduated in 2008 from Saint-Petersburg State Polytechnical University, faculty of computer science. Now he is working at Digital Security, the leading IT security company in Russia. He perfom security audits, penetration tests and security research for Digital Security Research Group. He also write articles for XAKEP magazine and lead there the “Exploits Review” column. He has been posting vulnerabilties at bugtraq mailing list since 2001 and have found several 0-days in Russian internet-bank systems (private works). Speaker in conferences: HITB, CONFidence, and many Russian conferences. His public works: http://www.exploit-db.com/author/Alexey%20Sintsov.
Topic of Presentation: Stupid mistakes. Architecture and business logic vulnerabilities.
Abstract: Vulnerabilities in architecture and business logic of software are very popular according to different researches (trustwave report – logical flows 2nd place) and they cannot be easily found by program methods. So logical vulnerabilities it is still state of art and there are still very stupid mistakes in business logic that can be used to gain full access to vulnerable application. We will show a real history of one popular industrial RDBMS and some their vulnerabilities that was found doing our enterprise application security assessment.
The vulnerability is pretty funny and it is still cannot be patched so the talk will describe all history from founding, reverse engineering, exploit development, communication with vendor (of cause very funny). Finally we will show that this RDBMS is using in many specialized Health and Retail program complexes in companies for Fortune Global 500.