27th Aug 2002 [SBWID-5663]
COMMAND
SAP R/3 default password vulnerability
SYSTEMS AFFECTED
All SAP R/3 releases since 2.0B(?) up to 4.6D with unchanged default
passwords
PROBLEM
Stefan Hoelzner [shoelzner@cityweb.de] says:
--snipp--
A typical SAP R/3 installation consists of at least 4 clients. Three of
them are base SAP R/3 clients that should be in every SAP instance.
These are SAP R/3 pre-delivered clients that can/should never be
modified under any circumstances:
000 SAP R/3 (base image, used for release changes, updates and special
    customizing tasks)
001 Auslieferungmandant R11 (delivery client; a copy of client 000)
066 EarlyWatch (used for technical monitoring by SAP AG)
At least one additional client has to be available to act as the
production client. Additional production and/or testing and development
clients may be available. The client-ID has to be chosen between 002
and 999 (omitting 066).
Each client has its own user account management, therefore the logon
information consists of three different components: username, password
and client-number. The following default users are implemented into
every client (000, 001, 066 and all other clients - default passwords
in brackets):
SAP*    (06071992)
SAPCPIC (ADMIN)
DDIC    (19920706)
In client 066 (sometimes, but not always, also existing in the other
clients) there is the additional default user EARLYWATCH (password
SUPPORT).
Also note that once you delete SAP* the user is automatically "reborn"
with the password PASS unless the system is explicitly configured not
to do so.
Depending on your installation also the user TMSADM (used in the
Transport Management System) may be present.
The users SAP* and DDIC are online users provided with super user
access rights; they can read and modify all data in the given client.
Furthermore, they are also able to access and modify certain data in
the other clients, especially data in production clients. By using
cross-client table modifications they may be used to alter data
structures resulting in a system inconsistency (call it a "denial of
service"-condition). Very worthwhile targets are SAP* and DDIC in
client 000.
EARLYWATCH is also an online user, but with restricted system access
rights.
The user SAPCPIC is not an online user, so it cannot be used to log
onto the system in online mode. Nevertheless, it is also critical as it
may be used to execute RFC commands originating from other R/3-systems
(Remote Function Calls - it is beyond the scope of this document to
describe the usage and the dangers resulting from RFC).
A special graphical user interface (SAP-GUI) is needed to connect to
SAP R/3 systems. A Linux version is freely available (see [2] for
instructions on how to install SAP-GUI for SuSE Linux). The logon
screen can be invoked by using the command
guistart /H/<IP>/S/<port>
where <IP> = SAP R/3 application server and <port> = port number
SAP is listening at.
SAP R/3 application servers and thus SAP R/3 systems can be identified
by port scanning for port 3200. Although the system can be configured
to listen to an arbitrary port this is not seen very often in the wild,
so 3200 is a very good try indeed.
Other vulnerabilities are present for SAP database servers (see [3] -
German only), but they are not affected by this vulnerability.
--snipp--
SOLUTION
See reference [4] below for recommendations.
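As an added example (not part of the advisory, and not SAP's own tooling), the following Python audit turns the client and default-account rules quoted above into a check over a per-client user inventory. The inventory layout, the `initial_password` flag and the helper names are assumptions made for this example; the profile parameter it checks is a real SAP parameter that the advisory itself does not name.

```python
# Added example, not the advisory's own code. The inventory layout and the
# "initial_password" flag are constructed; fill them from a user-master export.
# Users SAP delivers into every client (000, 001, 066 and all others).
DEFAULT_USERS = {"SAP*", "DDIC", "SAPCPIC"}
SAP_STANDARD_CLIENTS = {"000", "001", "066"}   # 066 also carries EARLYWATCH
# Known SAP profile parameter (assumption: not named in the advisory) that,
# when set to 1, stops SAP* from being re-created with password PASS.
NO_AUTO_SAPSTAR = "login/no_automatic_user_sapstar"

def valid_custom_client(client):
    """Customer clients must be 002..999 and may not reuse 066."""
    return (client.isdigit() and len(client) == 3
            and 2 <= int(client) <= 999 and client != "066")

def audit(inventory, profile):
    """Return (client, user, issue) findings.
    inventory: {client_id: {user_name: {"initial_password": bool}}}
    profile:   instance profile parameters as {name: value}
    """
    findings = []
    for client, users in sorted(inventory.items()):
        if client not in SAP_STANDARD_CLIENTS and not valid_custom_client(client):
            findings.append((client, "-", "invalid client id"))
        for user, attrs in users.items():
            if (user in DEFAULT_USERS or user == "EARLYWATCH") and attrs.get("initial_password"):
                findings.append((client, user, "default password unchanged"))
            if user == "EARLYWATCH" and client != "066":
                findings.append((client, user, "EARLYWATCH present outside client 066"))
        # Deleting SAP* is not enough: it comes back with password PASS
        # unless automatic re-creation is disabled in the profile.
        if "SAP*" not in users and profile.get(NO_AUTO_SAPSTAR) != "1":
            findings.append((client, "SAP*", "deleted, automatic re-creation not disabled"))
    return findings

def _users(**flags):
    """Build a constructed client entry: user -> initial_password flag."""
    return {u.replace("SAPSTAR", "SAP*"): {"initial_password": f} for u, f in flags.items()}

# Constructed sample data, not a real system export.
SAMPLE_INVENTORY = {
    "000": _users(SAPSTAR=False, DDIC=True, SAPCPIC=True),
    "001": _users(SAPSTAR=False, DDIC=False, SAPCPIC=False),
    "066": _users(SAPSTAR=False, DDIC=False, SAPCPIC=False, EARLYWATCH=True),
    "100": _users(DDIC=False, SAPCPIC=False, EARLYWATCH=False),  # SAP* deleted
}
SAMPLE_PROFILE = {NO_AUTO_SAPSTAR: "0"}
if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, SAMPLE_PROFILE):
        print("client %s  user %-10s  %s" % finding)
```

Running it on the constructed sample reports the unchanged DDIC and SAPCPIC passwords in client 000, the unchanged EARLYWATCH password in 066, EARLYWATCH present in client 100, and the deleted SAP* in 100 that would be re-created with password PASS.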
References
==========
[1] https://www.sap-ag.de/securityguide (access restrictions of SAP AG apply)
[2] http://sdb.suse.de/en/sdb/html/sapgui.html
[3] http://www.lan-ks.de/~jochen/sap-r3/ora-hack.html
[4] http://help.sap.com/saphelp_45b/helpdata/en/52/671785439b11d1896f0000e8322d00/content.htm
[5] http://www.hoelzner.de/security/sap_default_passwords.php