Hacking SAP BusinessObjects



Registration | Hotel | Walter E. Washington Convention Center

The presentation
Business intelligence is a multi-billion industry. At the top of the product food chain is BusinessObjects. BusinessObjects is a very widely deployed business intelligence tool that’s focus is in managing, querying, analyzing, and reporting on business data. It is used by government entities (e.g. U.S Air Force), telecom companies (e.g. Verizon), car manufacturers (e.g. Nissan), and beverage companies (e.g. Coors) to retain and control vast amounts of data. If you are a penetration tester chances are you have run into at least one BusinessObjects server during an engagement. Yet, very few vulnerabilities have been publically released and, to the best of the authors knowledge, no white papers have been released on attack methodologies for BusinessObjects itself. In this presentation we will present the entire lifecycle of attacking a BusinessObjects server from external and internal enumeration (e.g. Google dorks), fingerprinting techniques, account enumeration vulnerabilities, specific attack vectors for gaining access to accounts, privilege escalation vulnerabilities, and eventually full system compromise vulnerabilities that we have found during our research. Anyone interesting in attacking an organization that has BusinessObjects or SOA deployed in their environment should attend this talk.

Joshua Abraham
Joshua “Jabra” Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DefCon, ShmooCon, The SANS Pentest Summit, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine.