[NEWS] SAP R/3 Default Password Vulnerability

From: support@securiteam.com
Date: 08/26/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 26 Aug 2002 22:23:33 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SAP R/3 Default Password Vulnerability
------------------------------------------------------------------------

SUMMARY

SAP R/3 ships with four default user accounts that are protected with
commonly known passwords. These user accounts have super-user or
power-user access rights.

Like many ERP software packages, SAP R/3 can install several separate
"clients" in order to separate data. Each client has its own user account
management, so the logon information consists of three components:
username, password, and client number. The default user accounts are
installed in _every_ client.

Whereas the default passwords are normally changed in production clients,
they are often left unchanged in the non-production (system) clients that
are present in every default installation.

Although SAP AG recommends changing the default passwords (see [1]), we
have found many installations, even on the Internet, that are still
vulnerable to this attack.

DETAILS

Affected versions:
 * All SAP R/3 releases since 2.0B(?) up to 4.6D with unchanged default
passwords

Detailed analysis:
A typical SAP R/3 installation consists of at least four clients. Three of
them are base SAP R/3 clients that exist in every SAP instance. These
pre-delivered clients should never be modified under any circumstances:

000 SAP R/3 (base image, used for release changes, updates, and special
customizing tasks)
001 Auslieferungsmandant R11 (German for "delivery client"; a copy of
client 000)
066 EarlyWatch (used for technical monitoring by SAP AG)

At least one additional client has to be available to act as the
production client. Additional production and/or testing and development
clients may be available. The client-ID has to be chosen between 002 and
999 (omitting 066).

Each client has its own user account management, so the logon
information consists of three components: username, password, and client
number. The following default users are created in every client (000,
001, 066 and all other clients; default passwords in brackets):

SAP* (06071992)
SAPCPIC (ADMIN)
DDIC (19920706)

In client 066 (sometimes, but not always, also existing in the other
clients) there is the additional default user EARLYWATCH (password
SUPPORT).

Also note that once you delete SAP*, the user is automatically "reborn"
with the password PASS unless the system is explicitly configured not to
do so.

Depending on your installation, the user TMSADM (used in the Transport
Management System) may also be present.

The users SAP* and DDIC are online users with super user access rights;
they can read and modify all data in the given client. Furthermore, they
are also able to access and modify certain data in the other clients,
especially data in production clients. By using cross-client table
modifications they can be used to alter data structures, resulting in a
system inconsistency (call it a "denial of service" condition). SAP* and
DDIC in client 000 are therefore a particularly worthwhile target.

EARLYWATCH is also an online user, but with restricted system access
rights.

The user SAPCPIC is not an online user, so it cannot be used to log onto
the system in online mode. Nevertheless, it is also critical, as it may be
used to execute RFC commands (Remote Function Calls) originating from
other R/3 systems; describing the usage of RFC and the dangers resulting
from it is beyond the scope of this document.
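The rules above (SAP*, DDIC and SAPCPIC delivered in every client, EARLYWATCH normally only in 066, and a deleted SAP* returning with a known password unless the system is configured otherwise) can be turned into an audit over a per-client account inventory. The following helper is an added example and is not part of the original advisory; the inventory layout and the sapstar_recreate_disabled flag are assumptions, since the advisory names no export format or configuration switch.

```python
# Added audit helper, not part of the original advisory. It evaluates a
# constructed per-client account inventory against the advisory's rules.
# The inventory layout is an assumption, not a real SAP export format.

DEFAULT_USERS = ("SAP*", "DDIC", "SAPCPIC")   # delivered in every client
EARLYWATCH_CLIENT = "066"                      # where EARLYWATCH is expected

# Constructed inventory rows: (client, user, password_changed_since_install)
INVENTORY = [
    ("000", "SAP*", False), ("000", "DDIC", False), ("000", "SAPCPIC", False),
    ("001", "DDIC", True), ("001", "SAPCPIC", True),        # SAP* deleted here
    ("066", "SAP*", True), ("066", "DDIC", True),
    ("066", "SAPCPIC", True), ("066", "EARLYWATCH", True),
    ("100", "SAP*", True), ("100", "DDIC", True),
    ("100", "SAPCPIC", True), ("100", "EARLYWATCH", False),
]

def audit(inventory, sapstar_recreate_disabled):
    """Return (client, user, issue) findings, ordered by client.

    sapstar_recreate_disabled (assumed flag): True if the system is
    configured not to recreate SAP* after deletion, the advisory's
    "unless" clause. Otherwise a missing SAP* is itself a finding.
    """
    by_client = {}
    for client, user, changed in inventory:
        by_client.setdefault(client, {})[user] = changed
    findings = []
    for client, users in sorted(by_client.items()):
        for user in DEFAULT_USERS:
            if user not in users:
                if user == "SAP*" and not sapstar_recreate_disabled:
                    findings.append((client, user, "deleted; recreated with known password"))
                continue
            if not users[user]:
                findings.append((client, user, "default password unchanged"))
        if "EARLYWATCH" in users:
            if not users["EARLYWATCH"]:
                findings.append((client, "EARLYWATCH", "default password unchanged"))
            if client != EARLYWATCH_CLIENT:
                findings.append((client, "EARLYWATCH", "present outside client 066"))
    return findings

if __name__ == "__main__":
    for client, user, issue in audit(INVENTORY, sapstar_recreate_disabled=False):
        print(f"client {client}: {user}: {issue}")
```

Note that client 000, the system client the advisory singles out, produces three findings in the constructed inventory while the production client 100 still fails on EARLYWATCH.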

A special graphical user interface (SAP-GUI) is needed to connect to SAP
R/3 systems. A Linux version is freely available (see [2] for instructions
on how to install SAP-GUI for SuSE Linux). The logon screen can be invoked
by using the command

guistart /H/<IP>/S/<port>

where <IP> is the SAP R/3 application server and <port> is the port
number SAP is listening on.

SAP R/3 application servers, and thus SAP R/3 systems, can be identified
by port scanning for port 3200. Although the system can be configured to
listen on an arbitrary port, this is rarely seen in the wild, so 3200 is
a very good try indeed.

Other vulnerabilities exist for SAP database servers (see [3], German
only), but they are unrelated to the vulnerability described here.

Workaround / Solution:
The protection of special users is described in detail at [4].

ADDITIONAL INFORMATION

References:
[1] https://www.sap-ag.de/securityguide (access restrictions of SAP AG
apply)

[2] http://sdb.suse.de/en/sdb/html/sapgui.html

[3] http://www.lan-ks.de/~jochen/sap-r3/ora-hack.html

[4] http://help.sap.com/saphelp_45b/helpdata/en/52/671785439b11d1896f0000e8322d00/content.htm

[5] http://www.hoelzner.de/security/sap_default_passwords.php (a copy of
this posting, but hopefully maintained with additional and revised
information in the future...)

The information has been provided by Stefan Hoelzner
<shoelzner@cityweb.de>.
