With BIGDATA comes BIG responsibility: Practical exploiting of MDX injections

Presented at Black Hat USA 2013, July 31, 2013, 10:15 a.m. (60 minutes)

Let's take a look into the place where critical data is stored for further analytics afterwards. It's Business Warehouse (BW) and Big Data. Classic online transaction processing systems (OLTP) are not quite suitable to process big data, so they were replaced by OLAP with its multi-dimensional structures. This technology is present in almost all Business Intelligence applications including key vendors like Microsoft, Oracle, and SAP. All the critical corporate data in one place, well… isn't it a sweet target for an attacker?

The OLAP technology has brought a lot of new terms and concepts into the world: OLAP cube, measures, dimensions, XMLA, and the MDX language, which is used for requests to multi-dimensional data structures. In today's Business Intelligence (BI) marketplace, most OLAP servers and almost all BI clients talk in MDX. This talk will describe in detail all the entities of this technology and especially the MDX request language. The talk will also feature an overview of possible MDX-related attacks as well as an overview of code injection, data retrieval and update vectors.

Moreover, I will show some examples of the systems that can be exploited by MDX-related vulnerabilities, their system-related differences, post-exploitation vectors, and a cheat-sheet with a tool for simplifying MDX Injections.

Presenters:

• Alexander Bolshev - ERPScan
  Alexander is the senior IS auditor at ERPScan. He holds a Ph.D. in computer security. He works on mobile, distributed systems and industrial protocols security. He is the author of several whitepapers in topics of heuristic intrusion detection methods and SSRF attacks. Actively participates in the life of the Russian Defcon Group.
• Dmitry Chastuhin - ERPScan
  Dmitry is the director of Business Application Pentesting at ERPScan. He works on SAP security, particularly upon web applications and JAVA systems. He has official acknowledgements from SAP for the vulnerabilities he found. Dmitry is also a WEB 2.0 and social network security geek and a bug bounty hunter who has found several critical bugs in Yandex, Google, Nokia, Badoo. He is a contributor to the OWASP-EAS project. He spoke at the following conferences: Black Hat, Hack in the Box, ZeroNights, DeepSec, and BruCON. Actively participates in the life of the Russian Defcon Group.

Links:

• https://www.blackhat.com/us-13/archives.html#Chastuhin
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - With BIGDATA comes BIG responsibility - Practical exploiting of MDX injections.mp4
• https://www.youtube.com/watch?v=IYgeBpQl7Y8
• https://media.blackhat.com/us-13/US-13-Chastuhin-With-BIGDATA-comes-BIG-responsibility-Slides.pdf
• https://media.blackhat.com/us-13/US-13-Chastuhin-With-BIGDATA-comes-BIG-responsibility-WP.pdf

Similar Presentations:

• Black Hat USA 2021 / The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures
• DEF CON 29 (2021) / The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures
• Black Hat USA 2013 / Practical Pentesting of ERPs and Business Applications