Friday, February 22, 2013

SAP Unknown Default Password for TMSADM

Author: Dmitry Gutsko, Positive Research
SAP default passwords are nothing new. The top five default passwords appear in many books and articles on security, and one would hardly expect to find anything new on this topic.
While carrying out an SAP security audit for a client, we came across an unknown password for the user TMSADM. The system itself revealed it: during the default-account analysis, the well-known report RSUSR003 produced the following results.

The default password for TMSADM — PASSWORD — really is well known, but this was the first time I had seen the password $1Pawd2&. Let's sort it out...
The first thing that comes to mind is to search the Internet. Google returns two hits; the SAP website, six. None of them clarifies the matter: the mysterious password mostly turns up in published fragments of ABAP code.

Apparently, the answer has to be found in the code. We open the source of report RSUSR003 and have no difficulty finding the message we saw on the screen earlier (message 028).

We also find the default password hashes hard-coded in the program source. Interestingly, there are two groups of hashes for the user TMSADM: one for the password PASSWORD and another for $1Pawd2&. Here they are (they may be useful for audits, penetration tests, etc.).

TYPE xucode VALUE '13C810002A147DEE',
TYPE xucode VALUE 'BD5E494D3ECBF5E2',
TYPE xucode VALUE '573822832DF89B9C',
TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
TYPE xucode VALUE '7D806C248F03813D',
TYPE xucode VALUE '35C7AB28316EA22F',
TYPE xucode VALUE '5A5F45726821A147',
TYPE hash160x VALUE '57CF364A7D83FA563025C7BCFFFB3B579DFB23F3',
TYPE hash160x VALUE '38AE55102813F3BBBC3B3BCA09285ED5A9E0423F',
TYPE xucode VALUE '5FA752863FB70BA9',
TYPE xucode VALUE '61D26428640DBAB5',
TYPE xucode VALUE 'DCA44BB71C073A05',
TYPE xucode VALUE '08FA7683A46D9AA9',
TYPE hash160x VALUE '905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45',
*  SAP*
TYPE xucode VALUE 'C75E6D9600AB5710',
TYPE xucode VALUE 'D0BFF4276DA1E208',
TYPE xucode VALUE 'A83ECB9EC4D34C08',
TYPE xucode VALUE '95984B6A25BA20E9',
TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
TYPE xucode VALUE '7671D2F2729F27F0',
TYPE xucode VALUE '942B9DC0F2394D85',
TYPE xucode VALUE '7C6433CE69099272',
TYPE xucode VALUE '940BAB0E12A36DC2',
TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
TYPE xucode VALUE '05CB79BE189802A0',
TYPE xucode VALUE 'B7E2F82C0A3E54C4',
TYPE xucode VALUE '4DD4438D3C19138C',
TYPE xucode VALUE 'D527A90BC0CAF484',
TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'

Note: there are five hashes for each account, one for every password hashing algorithm used in SAP (A, B, D, E, F). Some accounts (CPIC, EARLYWATCH) have two hashes for algorithm F: one for the upper-case and one for the lower-case form of the password.
Now we recall that earlier versions of report RSUSR003 contained no information on the Transport Management System user TMSADM at all. As we can see, that account does not appear in the analysis output.

Apparently, the report was revised recently, and the new versions contain information on default passwords, including the TMSADM password. It was revised... and a new, unknown password appeared. Let's check. Look at the very beginning of the source code: it usually records the updates and corrections that were made.

The most recent update to the source code concerns the added user checks. For more information, let's look at the SAP Note (issued on April 27, 2011, the month after the code change).

Everything is confirmed. In early 2011, SAP developers changed report RSUSR003 and added checks for the user TMSADM with two possible passwords: PASSWORD and $1Pawd2&.

Conclusions we can draw:
  1. While carrying out an SAP security audit, the existence of a second default password for TMSADM should be taken into account. Make sure the password in use differs from both default passwords. (The password $1Pawd2& was discovered on 2 of our test benches, so it may well be found in your system too.)
  2. Specialists responsible for the security of their own SAP systems should implement Note 1552894 to make sure the default passwords for system users have been changed, including the one for the user TMSADM.
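To turn the hash listing above into the check that conclusion 1 asks for, here is an added example that is not part of the original post and not SAP's own code. It parses the ABAP constants from the RSUSR003 excerpt into lookup sets and flags USR02-style user records whose BCODE or PASSCODE still equals one of those hashes. The column names BNAME, MANDT, CODVN, BCODE and PASSCODE are real USR02 fields; the sample rows, the placeholder account names and the non-default hash value are constructed for the demonstration, and the page does not say which default account each group of hashes belongs to, so the check deliberately does not depend on that mapping.

```python
import re

# ABAP constant listing copied from the RSUSR003 excerpt above, order preserved.
# Which account each group of five belongs to is not stated on the page (apart
# from the "* SAP*" comment), so nothing below relies on that.
RSUSR003_DEFAULT_HASH_CONSTANTS = """
TYPE xucode VALUE '13C810002A147DEE',
TYPE xucode VALUE 'BD5E494D3ECBF5E2',
TYPE xucode VALUE '573822832DF89B9C',
TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
TYPE xucode VALUE '7D806C248F03813D',
TYPE xucode VALUE '35C7AB28316EA22F',
TYPE xucode VALUE '5A5F45726821A147',
TYPE hash160x VALUE '57CF364A7D83FA563025C7BCFFFB3B579DFB23F3',
TYPE hash160x VALUE '38AE55102813F3BBBC3B3BCA09285ED5A9E0423F',
TYPE xucode VALUE '5FA752863FB70BA9',
TYPE xucode VALUE '61D26428640DBAB5',
TYPE xucode VALUE 'DCA44BB71C073A05',
TYPE xucode VALUE '08FA7683A46D9AA9',
TYPE hash160x VALUE '905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45',
*  SAP*
TYPE xucode VALUE 'C75E6D9600AB5710',
TYPE xucode VALUE 'D0BFF4276DA1E208',
TYPE xucode VALUE 'A83ECB9EC4D34C08',
TYPE xucode VALUE '95984B6A25BA20E9',
TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
TYPE xucode VALUE '7671D2F2729F27F0',
TYPE xucode VALUE '942B9DC0F2394D85',
TYPE xucode VALUE '7C6433CE69099272',
TYPE xucode VALUE '940BAB0E12A36DC2',
TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
TYPE xucode VALUE '05CB79BE189802A0',
TYPE xucode VALUE 'B7E2F82C0A3E54C4',
TYPE xucode VALUE '4DD4438D3C19138C',
TYPE xucode VALUE 'D527A90BC0CAF484',
TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'
"""

# One ABAP constant per line: TYPE <xucode|hash160x> VALUE '<hex>'
CONST_RE = re.compile(r"TYPE\s+(xucode|hash160x)\s+VALUE\s+'([0-9A-Fa-f]+)'")


def parse_default_hashes(abap_text):
    """Collect the hard-coded hashes by ABAP type, upper-cased for comparison.

    xucode   -> 8-byte hashes stored in USR02-BCODE    (CODVN A, B, D, E)
    hash160x -> 20-byte hashes stored in USR02-PASSCODE (CODVN F)
    """
    found = {"xucode": set(), "hash160x": set()}
    for abap_type, hexval in CONST_RE.findall(abap_text):
        found[abap_type].add(hexval.upper())
    return found


DEFAULT_HASHES = parse_default_hashes(RSUSR003_DEFAULT_HASH_CONSTANTS)


def default_hash_field(row, defaults=DEFAULT_HASHES):
    """Return 'PASSCODE' or 'BCODE' if that field of a USR02-style row holds a
    known default-password hash, otherwise None. Hex case is ignored and empty
    fields (e.g. PASSCODE on a system that only stores CODVN B) are skipped."""
    passcode = (row.get("PASSCODE") or "").strip().upper()
    if passcode and passcode in defaults["hash160x"]:
        return "PASSCODE"
    bcode = (row.get("BCODE") or "").strip().upper()
    if bcode and bcode in defaults["xucode"]:
        return "BCODE"
    return None


def audit_default_passwords(rows):
    """Return (MANDT, BNAME, field) for every row that still carries a default hash."""
    findings = []
    for row in rows:
        field = default_hash_field(row)
        if field:
            findings.append((row["MANDT"], row["BNAME"], field))
    return findings


# Constructed USR02-style rows for a dry run. The hash values in the first two
# rows are copied from the listing above; the account names are placeholders
# because the page does not say which default account each hash belongs to.
SAMPLE_USR02 = [
    {"MANDT": "000", "BNAME": "PLACEHOLDER_A", "CODVN": "F", "BCODE": "",
     "PASSCODE": "905f5e6ce67b7c60d0f7ba9c4063aaf0d8602b45"},  # lower-case hex on purpose
    {"MANDT": "000", "BNAME": "PLACEHOLDER_B", "CODVN": "B",
     "BCODE": "13C810002A147DEE", "PASSCODE": ""},
    {"MANDT": "100", "BNAME": "PLACEHOLDER_C", "CODVN": "F", "BCODE": "",
     "PASSCODE": "0123456789ABCDEF0123456789ABCDEF01234567"},  # constructed, not a default
]

if __name__ == "__main__":
    for mandt, bname, field in audit_default_passwords(SAMPLE_USR02):
        print(f"client {mandt}: user {bname} still has a default password ({field} matches)")
```

The comparison is an exact match against the hard-coded values, which is the same thing RSUSR003 does; it therefore finds only the two documented TMSADM passwords (and the other listed defaults), not a weak password chosen by an administrator, and it must be run per client (MANDT), since TMSADM exists in every client that has been set up for the Transport Management System. Applying Note 1552894, as conclusion 2 says, remains the authoritative fix; this script only gives an auditor a quick offline way to confirm the result on a USR02 extract.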

