Analyzing SAP Security Notes December 2013 Edition

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month.

Simple Powershell Process Monitor for Fuzzing

While doing some fuzzing recently I ran into trouble with Sulley's ( process monitor. For those who are unfamilar, when fuzzing, the process monitor hooks into the target process and grabs valuable information in the case of a crash (e.g. register values). It's job is also to restart the process when it crashes. In my use case I was doing remote fuzzing of a network service. On the target system, the service I was fuzzing had to be started by another executable. Confused?

Abusing File Sending Privileges in BusinessObjects Launch Pad

One of the features of BusinessObjects Launch Pad (formerly InfoView) is the ability to send a file to another user. By default, there are no restrictions on the types of files that can be sent. This can be handy on a Penetration Test when you might have Guest privileges and like to target specific users (e.g. the Administrator Group). 1. Login to the InfoView application. Go to Documents tab, New > Local Document. Make sure to add a convincing description.

Don’t be hoisted by your own petard

In the closing stages of Victor Hugo’s Les Misérables the chief character, Jean Valjean, while carrying another key character seeks to evade the authorities. He does so by traveling through the sewers of Paris, while the search for him and other rebels is focused on the streets above him. In this way Valjean is able to use a critical but commonly forgotten part of the maintenance infrastructure of the city against the city itself.

A Simple Method for Fingerprinting SAP BusinessObjects

The main component of a BusinessObjects installation is the Central Management Server (CMS). It's rarely changed and default TCP port is 6400. A simple way to identify if you are communicating with a BusinessObjects installation is to make a socket connection to the remote server and send the string 'aps'. If everything is running correctly you should receive the IOR of the CMS.