SOURCE Barcelona 2010: Hacking SAP BusinessObjects

Speakers: Josh Abraham, Rapid7 & Will Vandevanter, Rapid7 Business intelligence is a multi-billion dollar/euro industry. At the top of the product food chain is BusinessObjects. BusinessObjects is a very widely deployed business intelligence tool thats focus is in managing, querying, analyzing, and reporting on business data. It is used by government entities (eg US Air Force), telecom companies (eg Verizon), car manufacturers (eg Nissan), and beverage companies (eg Coors) to retain and control vast amounts of data. If you are a penetration tester chances are you have run into at least one BusinessObjects server during an engagement. Yet, very few vulnerabilities have been publically released and, to the best of the authors knowledge, no white papers have been released on attack methodologies for BusinessObjects itself. In this presentation we will present the entire lifecycle of attacking a BusinessObjects server from external and internal enumeration (eg Google dorks), fingerprinting techniques, account enumeration vulnerabilities, specific attack vectors for gaining access to accounts, privilege escalation vulnerabilities, and eventually full system compromise vulnerabilities that we have found during our research. Anyone defending or attacking an organization that has BusinessObjects deployed in their environment should attend this talk. Joshua “Jabra” Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and