2011 Predictions

December 17, 2010

Here are my predictions for 2011 in no particular order:

  • Microsoft will release > 100 bulletins.
  • W3C will finish the HTML v5 spec. It will still have tons of attack vectors which attackers will start to use.
  • Adobe will continue to be a primary attack vector for malicious attackers.
  • SQL Injection and Cross Site Scripting won’t be killed for at least another 3-5 years.
  • There will be another major DDoS incident similar to Iran’s elections in 2009 and the Wikileaks issues in 2010.
  • IE 6 will still be used by organizations that use webapps which require it.
  • Someone will release an Android exploit framework.
  • The Celtics beat the Lakers in 7 games to win the NBA Championship.
  • The Miami Heat are still 3 years away from winning the NBA Championship.
  • The RedSox beat the Phillies in 6 games to win the World Series.
  • The Patriots beat the Atlanta Falcons to win the Superbowl.
  • The Boston Bruins don’t make the playoffs.

Internal Port Scanning via Crystal Reports

December 2, 2010

Another fun attack that willis and I found during our SAP BusinessObjects research is that we could do internal port scanning by using Crystal Reports.

The way this works is that when you browse to a Crystal Reports web application (http://hostname/CrystalReports/viewrpt.cwr) there are a few request parameters that tell the application which SAP service on the backend to communicate with. The problem is that these parameters are controlled by the user. A better design would present a server-side drop-down list of permitted targets, or keep the backend configuration entirely on the server.

Because of this, the user can change the IP and port that the web application tries to communicate with on the backend (by default the port is 6400). Being able to change the IP and port is the first half; the next step is to map the application’s responses to open and closed so that the internal network can be mapped out programmatically.

Here are a few nice Google Dorks:
filetype:cwr inurl:apstoken

Here is the resulting mapping:

Port Open Response:
# Unable to open a socket to talk to CMS $HOSTNAME:445 (FWM 01005)

Port Closed Response:
# Server $HOSTNAME:80 not found or server may be down (FWM 01003)

Lastly, the only thing left to do is to modify the IP and port to whatever we are trying to scan. This is faster than using BeEF’s JavaScript internal portscanning functionality, and it doesn’t require any client interaction. Pwn dem v0hns!
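As an added defensive example (not code from the original post), the same response mapping can be turned around into a detection: parse the FWM 01003/01005 errors the viewer produces and flag any client whose requests make the application reach many distinct backend host:port pairs, or any pair other than the real CMS. The log line layout, client addresses, target values and the CMS allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines; the "<time> <client> viewrpt.cwr <message>" layout
# is an assumption, not a real BusinessObjects log format.
SAMPLE_LOG = """\
2010-12-02T10:00:01 10.1.1.50 viewrpt.cwr Unable to open a socket to talk to CMS 10.0.0.5:445 (FWM 01005)
2010-12-02T10:00:02 10.1.1.50 viewrpt.cwr Server 10.0.0.5:80 not found or server may be down (FWM 01003)
2010-12-02T10:00:03 10.1.1.50 viewrpt.cwr Server 10.0.0.5:22 not found or server may be down (FWM 01003)
2010-12-02T10:00:04 10.1.1.50 viewrpt.cwr Unable to open a socket to talk to CMS 10.0.0.6:445 (FWM 01005)
2010-12-02T10:00:05 10.1.1.50 viewrpt.cwr Server 10.0.0.6:3389 not found or server may be down (FWM 01003)
2010-12-02T10:05:00 10.1.1.77 viewrpt.cwr Server bo-cms.internal:6400 not found or server may be down (FWM 01003)
"""

# Assumed: the only backend the viewer is ever meant to talk to.
ALLOWED_CMS = {("bo-cms.internal", 6400)}
# FWM code -> what the post says the response reveals about the target port.
VERDICT = {"01005": "open", "01003": "closed"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) viewrpt\.cwr .*?"
    r"(?P<host>[\w.\-]+):(?P<port>\d+).*\(FWM (?P<code>\d{5})\)$"
)

def parse_line(line):
    """Pull client, backend host:port and FWM code out of one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["verdict"] = VERDICT.get(rec["code"], "unknown")
    return rec

def detect_scans(lines, allowed_cms=ALLOWED_CMS, threshold=3):
    """Flag clients whose requests make the viewer contact more than
    `threshold` distinct host:port pairs, or any pair outside the allowlist."""
    targets_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            targets_by_src[rec["src"]].add((rec["host"], rec["port"]))
    alerts = {}
    for src, targets in targets_by_src.items():
        unexpected = sorted(t for t in targets if t not in allowed_cms)
        if len(targets) > threshold or unexpected:
            alerts[src] = {"distinct_targets": len(targets),
                           "unexpected": unexpected}
    return alerts
```

Running `detect_scans(SAMPLE_LOG.splitlines())` reports only 10.1.1.50, which touched five backend pairs none of which is the real CMS, while 10.1.1.77 stays quiet because it only ever named the allowed CMS.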