Hacking Sap Businessobjects presented at OWASP BASC 2010

by Will Vandevanter (Rapid7 ), Joshua Abraham (Rapid7 ),

Tags: Security Application Security Exploitation Risk

URL : http://www.owasp.org/index.php/2010_BASC_Presentations

Summary : Business intelligence is a multi-billion industry. At the top of the product food chain is BusinessObjects. BusinessObjects is a very widely deployed business intelligence tool that’s focus is in managing, querying, analyzing, and reporting on business data. It is used by government entities (e.g. U.S Air Force), telecom companies (e.g. Verizon), car manufacturers (e.g. Nissan), and beverage companies (e.g. Coors) to retain and control vast amounts of data. If you are a penetration tester chances are you have run into at least one BusinessObjects server during an engagement. Yet, very few vulnerabilities have been publically released and, to the best of the authors knowledge, no white papers have been released on attack methodologies for BusinessObjects itself. In this presentation we will present the entire lifecycle of attacking a BusinessObjects server from external and internal enumeration (e.g. Google dorks), fingerprinting techniques, account enumeration vulnerabilities, specific attack vectors for gaining access to accounts, privilege escalation vulnerabilities, and eventually full system compromise vulnerabilities that we have found during our research. Anyone interesting in attacking an organization that has BusinessObjects or SOA deployed in their environment should attend this talk.

Will Vandevanter: Mr. Vandevanter joined Rapid7 in 2008. Will has IT Security experience with a focus in web application security and secure software engineering. Will specializes in penetration testing, web application security assessments, and secure code development. In the past Will has also worked on a few different Open Source security projects including porting SELinux to OpenMoko and other Linux based mobile platforms. Will holds a Bachelors Degree in Mathematics and Computer Science from McGill University and Masters Degree in Computer Science from James Madison University.