Abusing File Sending Privileges in BusinessObjects Launch Pad
One of the features of BusinessObjects Launch Pad (formerly InfoView) is the ability to send a file to another user's BI Inbox. By default, there are no restrictions on the types of files that can be sent. This can be handy on a penetration test when you have only Guest privileges and would like to target specific users (e.g. the Administrators group).

1. Log in to the InfoView application. Go to the Documents tab, then New > Local Document, and upload the file. Make sure to add a convincing description.
2. Right-click the file and go to Send > 'BI Inbox'. Select who the file will be sent to; in the screenshot below we have selected the Administrators group. The 'Use Specific Name' field at the bottom can be used to rename the file. In this case we rename the file to ImportantDocument.zip. Both .exe and .zip are stored as the same 'Agnostic' object type, so the rename is not blocked and only the displayed name changes; the content is still the original executable. In the third screenshot the file arrives with the title ImportantDocument.zip rather than SuperSweetPayload.exe, as it was originally named.
A Note on Defense: An administrator can limit the types of files that can be uploaded using the CMC (Central Management Console). In particular, restrict the "Agnostic" file type, which is the catch-all for formats BusinessObjects does not recognize, including executables. Note that a rename via 'Use Specific Name' changes only the display name, so a review of inbox contents should look at the stored file itself rather than trust the extension shown to the recipient.
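As an added example that is not part of the original post, the check below flags inbox items whose content does not match the name shown to the recipient, which is exactly what the ImportantDocument.zip rename above relies on. It inspects the leading bytes of the stored file instead of trusting the extension. The InboxItem entries are constructed sample data, and obtaining the stored bytes for a real inbox (for example by downloading each Agnostic object) is assumed rather than shown; nothing here calls a BusinessObjects API.

```python
"""
Added example (not from the original post): flag disguised executables in a
BI Inbox by inspecting file content rather than the display name.

The 'Use Specific Name' rename only changes the name shown in the recipient's
inbox; the bytes are still the original file. The inbox entries below are
constructed sample data, not output of any BusinessObjects API.
"""
from dataclasses import dataclass

# Leading bytes that identify common container/executable formats.
MAGIC = {
    b"MZ": "exe",          # PE/DOS executable
    b"\x7fELF": "elf",     # Linux executable
    b"PK\x03\x04": "zip",  # ZIP archive (also docx/xlsx/jar)
    b"%PDF": "pdf",
}

EXECUTABLE_TYPES = {"exe", "elf"}

# Display-name extensions that are consistent with a detected content type.
EXTENSION_FOR_TYPE = {
    "exe": {"exe", "dll", "scr"},
    "elf": {"bin", "so"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "pdf": {"pdf"},
}


@dataclass
class InboxItem:
    display_name: str   # name as shown in the recipient's BI Inbox
    content: bytes      # first bytes of the stored file (assumed retrievable)


def detect_type(content: bytes) -> str:
    """Classify content by magic bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return "unknown"


def is_suspicious(item: InboxItem):
    """Return a reason string if the item is executable or disguised, else None."""
    kind = detect_type(item.content)
    ext = item.display_name.rsplit(".", 1)[-1].lower() if "." in item.display_name else ""
    if kind in EXECUTABLE_TYPES:
        # Executable content is flagged regardless of what it was renamed to.
        return f"executable content ({kind}) named .{ext or '<none>'}"
    if kind != "unknown" and ext not in EXTENSION_FOR_TYPE[kind]:
        return f"extension .{ext} does not match content type {kind}"
    return None


def scan_inbox(items):
    """Return (display_name, reason) for every suspicious item."""
    return [(i.display_name, reason) for i in items if (reason := is_suspicious(i))]


# Constructed inbox: a renamed PE file, a genuine zip, a zip posing as a PDF, a real PDF.
SAMPLE_INBOX = [
    InboxItem("ImportantDocument.zip", b"MZ\x90\x00\x03\x00" + b"\x00" * 26),
    InboxItem("Q3_Report.zip", b"PK\x03\x04\x14\x00" + b"\x00" * 26),
    InboxItem("notes.pdf", b"PK\x03\x04\x14\x00" + b"\x00" * 26),
    InboxItem("Budget.pdf", b"%PDF-1.7\n"),
]

if __name__ == "__main__":
    for name, reason in scan_inbox(SAMPLE_INBOX):
        print(f"{name}: {reason}")
```

Only the first bytes of each file are needed, so this is cheap to run over a whole inbox; it complements the CMC restriction on the Agnostic type rather than replacing it, since an attacker who can upload any Agnostic object can always choose the display name.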