Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: orac5663.htm

SAP R/3 Default Password



27th Aug 2002 [SBWID-5663]
COMMAND

	
		SAP R/3 default password vulnerability
	
	

SYSTEMS AFFECTED

	
		All SAP R/3 releases since 2.0B(?) up to  4.6D  with  unchanged  default
		passwords
	
	

PROBLEM

	
		Stefan Hoelzner [shoelzner@cityweb.de] says :
		

		--snipp--
		

		A typical SAP R/3 installation consists of at least 4 clients. Three  of
		them are base SAP R/3 clients that should  be  in  every  SAP  instance.
		These are  SAP  R/3  pre-delivered  clients  that  can/should  never  be
		modified under any circumstances:
		

		000 SAP R/3 (base image, used for release changes, updates  and  special
		customizing tasks) 001 Auslieferungmandant R11 (a copy  of  client  000)
		066 EarlyWatch (used for technical monitoring by SAP AG)
		

		At least one additional client  has  to  be  available  to  act  as  the
		production client. Additional production and/or testing and  development
		clients may be available. The client-ID has to  be  chosen  between  002
		and 999 (omitting 066).
		

		Each client has its own user account  management,  therefore  the  logon
		information consists of three different components:  username,  password
		and client-number. The following  default  users  are  implemented  into
		every client (000, 001, 066 and all other clients  -  default  passwords
		in brackets):
		

		SAP* (06071992) SAPCPIC (ADMIN) DDIC (19920706)
		

		In client 066 (sometimes, but not always, also  existing  in  the  other
		clients) there is  the  additional  default  user  EARLYWATCH  (password
		SUPPORT).
		

		Also note that once you delete SAP* the user is  automatically  "reborn"
		with the password PASS unless the system in  explicitly  configured  not
		to do so.
		

		Depending on your  installation  also  the  user  TMSADM  (used  in  the
		Transport Management System) may be present.
		

		The users SAP* and DDIC  are  online  users  provided  with  super  user
		access rights; they can read and modify all data in  the  given  client.
		Furthermore, they are also able to access and  modify  certain  data  in
		the other clients, especially  data  in  production  clients.  By  using
		cross-client  table  modifications  they  may  be  used  to  alter  data
		structures resulting in a system inconsistency (call  it  a  "denial  of
		service"-condition). A very worthwhile  target  are  SAP*  and  DDIC  in
		client 000.
		

		EARLYWATCH is also an online user, but  with  restricted  system  access
		rights.
		

		The user SAPCPIC is not an online user, so it  cannot  be  used  to  log
		onto the system in online mode. Nevertheless, it is also critical as  it
		may be used to execute RFC commands originating from  other  R/3-systems
		(Remote Function Calls - it is beyond the  scope  of  this  document  to
		describe the usage and the dangers resulting from RFC).
		

		A special graphical user interface (SAP-GUI) is  needed  to  connect  to
		SAP R/3 systems. A Linux  version  is  freely  available  (see  [2]  for
		instructions on how to  install  SAP-GUI  for  SuSE  Linux).  The  logon
		screen can be invoked by using the command
		

		guistart /H/<IP>/S/<port>
		

		where <IP> = SAP R/3 application server and <port> =  port  number
		SAP is listening at.
		

		SAP R/3 application servers and thus SAP R/3 systems can  be  identified
		by port scanning for port 3200. Although the system  can  be  configured
		to listen to an arbitrary port this is not seen very often in the  wild,
		so 3200 is a very good try indeed.
		

		Other vulnerabilities are present for SAP database servers  (see  [3]  -
		German only), but they are not affected by this vulnerability.
		

		--snipp--
	
	

SOLUTION

	
		See section [4] below for recommandation
		

		 References

		 ==========

		

		[1] https://www.sap-ag.de/securityguide (access restrictions of SAG AG apply)

		[2] http://sdb.suse.de/en/sdb/html/sapgui.html 

		[3] http://www.lan-ks.de/~jochen/sap-r3/ora-hack.html

		[4] http://help.sap.com/saphelp_45b/helpdata/en/52/671785439b11d1896f0000e8322d00/content.htm

		[5] http://www.hoelzner.de/security/sap_default_passwords.php

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH