SOURCE Barcelona 2010: Hacking SAP BusinessObjects


Speakers: Josh Abraham, Rapid7 & Will Vandevanter, Rapid7

Business intelligence is a multi-billion dollar/euro industry. At the top of the product food chain is BusinessObjects. BusinessObjects is a very widely deployed business intelligence tool whose focus is managing, querying, analyzing, and reporting on business data. It is used by government entities (e.g. U.S. Air Force), telecom companies (e.g. Verizon), car manufacturers (e.g. Nissan), and beverage companies (e.g. Coors) to retain and control vast amounts of data. If you are a penetration tester, chances are you have run into at least one BusinessObjects server during an engagement. Yet very few vulnerabilities have been publicly released and, to the best of the authors' knowledge, no white papers have been released on attack methodologies for BusinessObjects itself. In this presentation we will present the entire lifecycle of attacking a BusinessObjects server, from external and internal enumeration (e.g. Google dorks), fingerprinting techniques, account enumeration vulnerabilities, and specific attack vectors for gaining access to accounts, to privilege escalation vulnerabilities and, eventually, full system compromise vulnerabilities that we have found during our research. Anyone defending or attacking an organization that has BusinessObjects deployed in their environment should attend this talk.

Joshua “Jabra” Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. In the past, he has spoken at BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences, and the SANS Pentest Summit. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ.

Will Vandevanter (Security Researcher) joined Rapid7 in 2008. Will has IT Security experience with a focus on web application security and secure software engineering. Will specializes in penetration testing, web application security assessments, and secure code development. In the past, Will has also worked on a few different open source security projects, including porting SELinux to OpenMoko and other Linux-based mobile platforms. Will holds a Bachelor's degree in Mathematics and Computer Science from McGill University and a Master's degree in Computer Science from James Madison University.
