
Friday, February 22, 2013

SAP Unknown Default Password for TMSADM


Author: Dmitry Gutsko, Positive Research
SAP default passwords are nothing new. The top five default passwords appear in many books and articles on SAP security, so one would hardly expect to find anything new on this topic.
While carrying out an SAP security audit for a client, we came across an unknown password for the user TMSADM. The system itself displayed it: during the default-account analysis, the well-known report RSUSR003 produced the following results.

[Screenshot: RSUSR003 default-account check results]

The default password for TMSADM, PASSWORD, really is well known, but this was the first time I had seen the password $1Pawd2&. Let's sort it out.
The first thing that comes to mind is to search the Internet. Google returns two references; the SAP website, six. None of them clarifies the matter: the mysterious password mainly turns up in published fragments of ABAP code.

Apparently, we should look for the answers in the code. We open the source of the report RSUSR003 and have no difficulty finding the message we saw on the screen (message 028).

[Screenshot: RSUSR003 source code, message 028]

We also find the default password hashes hard-coded in the program source. Interestingly, there are two groups of hashes for the user TMSADM: one for the password PASSWORD and another for $1Pawd2&. Here they are (they may be useful for audits, penetration tests and so on).

CONSTANTS:
*  EARLYWATCH
   lc_ewa   TYPE xucode   VALUE '13C810002A147DEE',
   lc_ewb   TYPE xucode   VALUE 'BD5E494D3ECBF5E2',
   lc_ewd   TYPE xucode   VALUE '573822832DF89B9C',
   lc_ewe   TYPE xucode   VALUE 'B3ADDFE95DCD036F',
   lc_ewf1  TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
   lc_ewf2  TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
*  CPIC
   lc_cpa   TYPE xucode   VALUE 'FC49DBF6F3FDCF36',
   lc_cpb   TYPE xucode   VALUE '7D806C248F03813D',
   lc_cpd   TYPE xucode   VALUE '35C7AB28316EA22F',
   lc_cpe   TYPE xucode   VALUE '5A5F45726821A147',
   lc_cpf1  TYPE hash160x VALUE '57CF364A7D83FA563025C7BCFFFB3B579DFB23F3',
   lc_cpf2  TYPE hash160x VALUE '38AE55102813F3BBBC3B3BCA09285ED5A9E0423F',
*  DDIC
   lc_dda   TYPE xucode   VALUE '5FA752863FB70BA9',
   lc_ddb   TYPE xucode   VALUE '61D26428640DBAB5',
   lc_ddd   TYPE xucode   VALUE 'DCA44BB71C073A05',
   lc_dde   TYPE xucode   VALUE '08FA7683A46D9AA9',
   lc_ddf   TYPE hash160x VALUE '905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45',
*  SAP*
   lc_saa   TYPE xucode   VALUE 'C75E6D9600AB5710',
   lc_sab   TYPE xucode   VALUE 'D0BFF4276DA1E208',
   lc_sad   TYPE xucode   VALUE 'A83ECB9EC4D34C08',
   lc_sae   TYPE xucode   VALUE '95984B6A25BA20E9',
   lc_saf   TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
*  TMSADM (PW1)
   lc_tms1a TYPE xucode   VALUE '7671D2F2729F27F0',
   lc_tms1b TYPE xucode   VALUE '942B9DC0F2394D85',
   lc_tms1d TYPE xucode   VALUE '7C6433CE69099272',
   lc_tms1e TYPE xucode   VALUE '940BAB0E12A36DC2',
   lc_tms1  TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
*  TMSADM (PW2)
   lc_tms2a TYPE xucode   VALUE '05CB79BE189802A0',
   lc_tms2b TYPE xucode   VALUE 'B7E2F82C0A3E54C4',
   lc_tms2d TYPE xucode   VALUE '4DD4438D3C19138C',
   lc_tms2e TYPE xucode   VALUE 'D527A90BC0CAF484',
   lc_tms2  TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'.

Note. There are five hashes for every account, one for each password hashing algorithm (code version) used in SAP: A, B, D, E and F. Some accounts (CPIC, EARLYWATCH) have two hashes for the F algorithm, one for the password in upper case and one for it in lower case.
Now recall that earlier versions of the RSUSR003 report had no information on the transport management system user TMSADM. As the results of the older version show, there is no such account in the output.

[Screenshot: results of an older RSUSR003 version, without TMSADM]

Apparently, the report was revised recently, and the new versions include the TMSADM default passwords. It was revised, and a new, previously unknown password appeared. Let's check. We look at the very beginning of the source code, which usually carries the history of updates and amendments.

[Screenshot: RSUSR003 source header with change history]

The most recent update to the source is the addition of user checks. For more details, we turn to the SAP note issued a month after the code change, on April 27, 2011.

[Screenshot: SAP note describing the RSUSR003 change]

Everything is confirmed. In early 2011, SAP developers changed the report RSUSR003, adding checks for the user TMSADM with two possible passwords: PASSWORD and $1Pawd2&.

Conclusions we can draw:
  1. When carrying out an SAP security audit, the existence of a second default password for TMSADM should be taken into account. Make sure the password in use differs from both default passwords. (We found the password $1Pawd2& on two of our test systems, so it may well turn up in yours.)
  2. Specialists responsible for the security of their own SAP systems should implement note 1552894 and make sure the default passwords of the system users, including TMSADM, have been changed.
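The check that RSUSR003 performs with the hash block above, and that conclusion 1 asks auditors to repeat, is a plain lookup: the stored hash of each account is compared with the hard-coded default hashes. The following is an added example written for this page, not code from the original post or from SAP. It parses an excerpt of the constant block quoted above (SAP* and both TMSADM groups), then scans constructed rows shaped like a USR02 export, where BCODE holds the 16-hex-digit hash (code versions A/B/D/E) and PASSCODE the 40-hex-digit code version F hash. The sample rows, the user names AUDITOR and client numbers are made up for the example.

```python
"""Audit helper: flag accounts whose stored password hash equals a known default.

Added example, not code from the original post or from SAP. It repeats the
comparison that RSUSR003 performs: the hash constants quoted in the post are
parsed and looked up against the BCODE/PASSCODE columns of a USR02 export.
The export rows below are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the RSUSR003 constant block quoted in the post (SAP* and both
# TMSADM groups); the remaining groups follow the same pattern.
DEFAULT_HASH_BLOCK = """\
*  SAP*
   lc_saa   TYPE xucode   VALUE 'C75E6D9600AB5710',
   lc_sab   TYPE xucode   VALUE 'D0BFF4276DA1E208',
   lc_sad   TYPE xucode   VALUE 'A83ECB9EC4D34C08',
   lc_sae   TYPE xucode   VALUE '95984B6A25BA20E9',
   lc_saf   TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
*  TMSADM (PW1)
   lc_tms1a TYPE xucode   VALUE '7671D2F2729F27F0',
   lc_tms1b TYPE xucode   VALUE '942B9DC0F2394D85',
   lc_tms1d TYPE xucode   VALUE '7C6433CE69099272',
   lc_tms1e TYPE xucode   VALUE '940BAB0E12A36DC2',
   lc_tms1  TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
*  TMSADM (PW2)
   lc_tms2a TYPE xucode   VALUE '05CB79BE189802A0',
   lc_tms2b TYPE xucode   VALUE 'B7E2F82C0A3E54C4',
   lc_tms2d TYPE xucode   VALUE '4DD4438D3C19138C',
   lc_tms2e TYPE xucode   VALUE 'D527A90BC0CAF484',
   lc_tms2  TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'
"""

LABEL_RE = re.compile(r"^\*\s+(.+?)\s*$")  # '*  TMSADM (PW1)' comment lines name the account
CONST_RE = re.compile(
    r"^\s*(lc_\w+)\s+TYPE\s+(xucode|hash160x)\s+VALUE\s+'([0-9A-Fa-f]+)'")


def parse_default_hashes(block: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each default hash (upper-case hex) to (account label, constant name, type)."""
    table: Dict[str, Tuple[str, str, str]] = {}
    label = "UNKNOWN"
    for line in block.splitlines():
        m = LABEL_RE.match(line)
        if m:
            label = m.group(1)  # every constant up to the next comment belongs to this account
            continue
        m = CONST_RE.match(line)
        if m:
            name, htype, value = m.groups()
            table[value.upper()] = (label, name, htype)
    return table


# Constructed USR02-style rows: MANDT (client), BNAME (user), BCODE, PASSCODE.
# Two TMSADM rows and the SAP* row carry hashes taken from the post's constants;
# the remaining hash values are made-up, non-default values.
SAMPLE_USR02: List[Dict[str, str]] = [
    {"MANDT": "000", "BNAME": "TMSADM", "BCODE": "7671D2F2729F27F0", "PASSCODE": ""},
    {"MANDT": "001", "BNAME": "TMSADM", "BCODE": "",
     "PASSCODE": "a6bf38ee57f90b78c8d88a5212bbf1ba9a966abb"},  # lower-case export
    {"MANDT": "100", "BNAME": "TMSADM", "BCODE": "0123456789ABCDEF",
     "PASSCODE": "00112233445566778899AABBCCDDEEFF00112233"},
    {"MANDT": "000", "BNAME": "SAP*", "BCODE": "C75E6D9600AB5710", "PASSCODE": ""},
    {"MANDT": "100", "BNAME": "AUDITOR", "BCODE": "", "PASSCODE": "F" * 40},
]


def find_default_passwords(rows, defaults):
    """Return (client, user, column, default account label) for every row whose
    BCODE or PASSCODE equals one of the known default-password hashes."""
    findings = []
    for row in rows:
        for column in ("BCODE", "PASSCODE"):
            value = (row.get(column) or "").strip().upper()  # exports differ in hex case
            if value and value in defaults:
                findings.append((row["MANDT"], row["BNAME"], column, defaults[value][0]))
    return findings


if __name__ == "__main__":
    hits = find_default_passwords(SAMPLE_USR02, parse_default_hashes(DEFAULT_HASH_BLOCK))
    for client, user, column, label in hits:
        print(f"client {client}: user {user} still has the default password of {label} ({column})")
```

Run against a real export, the script reports every client in which TMSADM (or SAP*) still carries one of the hard-coded default hashes, which is exactly the condition the note asks administrators to eliminate; a clean run means no stored hash matches any of the constants, regardless of which code version the system uses.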

15 comments:

  1. This comment has been removed by a blog administrator.

  2. SAP Security training is available in three dissimilar etiquettes of tactics. Many individuals often select the training where they are trained in standard classrooms. Besides this kind, there are learners who believe internet or online training of SAP Security readily overthrows the classroom one with regard to effectiveness. Though this difference of opinion about the categorisation is extremely comprehensible. And there's a small fraction of people that acquire
    sap security online training

    through complete reliance on diverse study resources, like outlines, notes, tapes etc. There is a commendably high number of tutorials and demonstrators available too within the net, as well as in various media libraries.

    Whichever way the outcome of the SAP Security instruction is considered, you shall be convincingly assured of its extraordinarily high advantageous nature and values. There isn't any second opinion that the training could give a considerably welcome boost to your professional livelihood. There is likely to be a whole lot of IT jobs attainable for you 'at your toes'.

  3. SAP security online training Protection is just a word you notice related to computers daily.
    Since many businesses are preserving sensitive enterprise information in databases,
    someone needs to secure this information and oversee those who have use of it.

    http://hyderabadsys.com/sap-security-online-training/


  4. SAP security online training Protection is just a word you notice related to computers daily.
    Since many businesses are preserving sensitive enterprise information in databases,
    someone needs to secure this information and oversee those who have use of it.
    SAP is a multinational software development company and business consulting firm situated in Germany.

    sap security online training

    #201, NEAR BY RTA OFFICE,
    KONDAPUR, HITECH CITY,
    HYDERABAD,
    500084,
    INDIA.

    jerry
    hyderabad
    500084
    9030400777

  5. We have two domains. Domain A has 3 systems, and domain B has 4 systems. We would like to link both domains. Domain A has version 7.31 and domain B has version 701. If I use a new standard password in domain A it doesn't work because they have different versions, so we have to program it with the old password so that we don't have any problems.

    In domain A the password of the user TMSADM is the standard one and I would like to change it. Is there any way to program our own password in domain A while keeping the old password in domain B so that everything will work correctly? If this is not an option, is there any way to program our own password in domain A and another of our own in domain B, and have them work properly when linked? If any of these options is possible, I would be grateful if you would explain how I could do it.

    Thank you.

  6. Great information, admin, thanks for your information. Anybody who wants to
    learn SAP Security online, for details please go through the link

    Online SAP Security Training with free Demo class in USA | UK | INDIA | SINGAPORE

    This will help you a lot.

  8. Great information, admin, thanks for your information. Anybody who wants to
    learn SAP Security online, for details please go through the link

    Best Online SAP Security Training by IT Professional Trainers

    This will help you a lot.

  10. Great information, admin, thanks for your information. Anybody who wants to
    learn SAP SNC online, for details please go through the link

    Best Online SAP SNC Training by IT Professional Trainers

    This will help you a lot.

  11. This comment has been removed by the author.
