Analyzing SAP Security Notes January 2014 Edition

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month.

The Ignored World of SAP Cyber Security: How organizations are waking up to attacks targeting their SAP cyber-layer

By now I am sure you have seen the public posting with details and a how-to guide regarding an exploitable SAP vulnerability in a major organizations’ internet facing website. It is always disheartening to see a company exposed in this way.

Analyzing SAP Security Notes December 2013 Edition

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month.

Simple Powershell Process Monitor for Fuzzing

While doing some fuzzing recently I ran into trouble with Sulley's (https://github.com/OpenRCE/sulley) process monitor. For those who are unfamilar, when fuzzing, the process monitor hooks into the target process and grabs valuable information in the case of a crash (e.g. register values). It's job is also to restart the process when it crashes. In my use case I was doing remote fuzzing of a network service. On the target system, the service I was fuzzing had to be started by another executable. Confused?

Abusing File Sending Privileges in BusinessObjects Launch Pad

One of the features of BusinessObjects Launch Pad (formerly InfoView) is the ability to send a file to another user. By default, there are no restrictions on the types of files that can be sent. This can be handy on a Penetration Test when you might have Guest privileges and like to target specific users (e.g. the Administrator Group). 1. Login to the InfoView application. Go to Documents tab, New > Local Document. Make sure to add a convincing description.

Pages