<p><b>SAP NetWeaver ABAP security configuration part 2: Default passwords for access to the application</b><br /> Alexander Polyakov (https://www.cisoplatform.com/members/AlexanderPolyakov743), CISO Platform, 2015-02-02<br /> https://www.cisoplatform.com/profiles/blogs/sap-netweaver-abap-security-configuration-part-2-default</p><div><p><b>Second critical category. Default passwords for access to the application<br /> <br /></b> For the two previous weeks we have been discussing the top 9 critical areas and the 33 steps of a security assessment. Last time we covered patch management flaws, the first critical category in our list. As you have probably guessed, today we take a closer look at the next item on the list: default passwords.</p><p>This is a wide-reaching vulnerability with multiple attack vectors. Because exploiting it requires almost no skill, logging in with a default password is now among the most frequently used ways of getting at a company's data. A freshly installed SAP system has three standard clients: 000, 001 and 066. Each of them contains standard users that are highly privileged by default (they usually carry the SAP_ALL profile). When a new client is created, the SAP system automatically creates standard users in it with their default passwords.<br /> Starting with SAP Web Application Server 6.10, the so-called <i>master passwords</i> <a href="http://www.sapsecurityonline.com/password_sap.htm">[1]</a> were introduced. <br /> Be particularly careful here: the vendor's default accounts and their passwords are well known. The following table lists them:</p><p></p><table><tbody><tr><td>USER</td><td>PASSWORD</td><td>CLIENT</td></tr><tr><td>SAP*</td><td>06071992, PASS</td><td>001, 066, Custom</td></tr><tr><td>DDIC</td><td>19920706</td><td>000, 001, Custom</td></tr><tr><td>TMSADM</td><td>PASSWORD, $1Pawd2&amp;</td><td>000</td></tr><tr><td>SAPCPIC</td><td>ADMIN</td><td>000, 001</td></tr><tr><td>EARLYWATCH</td><td>SUPPORT</td><td>066</td></tr></tbody></table><p></p><p><u><i>Further steps</i></u></p><p><i>Some additional SAP components ship with their own default passwords as well; old versions of SAP SDM and SAP ITS, for example, have pre-installed default credentials. <br /> SAP itself provides a check for the standard users: report <b>RSUSR003</b> (run from <b>SE38</b> or <b>SA38</b>) reports, for every client, whether the standard users still have their default passwords and whether they are locked. <br /> Once you have checked for default passwords, check user passwords for simple dictionary words. A password cracking utility such as John the Ripper does this well; alternatively you can use the ERPScan Security Monitoring Suite. <br /> Default passwords must also be checked in all associated systems: do not forget the network equipment, the operating systems and the DBMS that hold the SAP data. Oracle DBMS, for instance, has many default accounts, including some that are specific to SAP installations.</i></p><p><b><i>[EASAI-NA-03] Default password check for the SAP* user</i></b></p><p><b><i>Description</i></b></p><p>The <b>SAP*</b> user is created in every client immediately after installation. It is a dialog user (<b>user type = dialog</b>) that logs on through SAP GUI and performs all administrative tasks (it usually has <b>the SAP_ALL</b> profile). 
If the SAP* user master record is deleted from a client while <b>login/no_automatic_user_sapstar</b> is 0, the kernel's built-in SAP* user becomes active in that client: anyone can then log on as SAP* with the standard <b>PASS</b> password and obtains privileges equivalent to SAP_ALL.</p><p><b><i>Threat</i></b></p><p>The default passwords of the <b>SAP*</b> user are well known (see the table above). With them, an adversary can log on with the <b>SAP_ALL</b> profile and, consequently, get unrestricted access to any business data stored in the system.</p><p><b><i>Solution</i></b></p><ul><li>Keep a SAP* user master record in every client (do not delete it!) and lock it: in transaction <b>SU01</b> select the SAP* user and click the <i>Lock/Unlock</i> icon (Ctrl+F5);</li><li>Set <b>login/no_automatic_user_sapstar</b> to <b>1</b> (transactions <b>RZ10</b> and <b>RZ11</b>) and verify in <b>RZ11</b> that the value is in effect on every instance. Note that <i>in release 3.1G and lower</i> the parameter is called <b>login/noautomatic_user_sap*</b>;</li><li>Change the default password of SAP* (transaction <b>SU01</b>);</li><li>Make sure that the user now belongs to the <b>SUPER</b> user group in all clients: in <b>SU01</b> select <b>SAP*</b>, click the <i>Change</i> icon (Shift+F6) and open the <i>Logon Data</i> tab.</li></ul><p><b><i>[EASAI-NA-04] Default password check for the DDIC user</i></b></p><p><b><i>Description</i></b></p><p>The <b>DDIC</b> user is created in clients 000 and 001 during installation (and in copies of them). It is the standard user for system installation, updates, configuration and operation: importing support packages, running upgrades and running the background jobs started by the transport tool. <br /> In client 000 it is a dialog user, so it can log on through SAP GUI and perform any action.<br /> In all other clients it is a <i>system</i> user: it can run background processing and communicate with the system. <b>SAP_ALL</b> and <b>SAP_NEW</b>, the profiles that grant access to every function of the SAP system, are assigned to this user.</p><p><b><i>Threat</i></b></p><p>The default password of the <b>DDIC</b> user is well known (see the table above). With it, an adversary can log on with the SAP_ALL profile and, consequently, get unrestricted access to any business data stored in the system.</p><p><b><i>Solution</i></b></p><p><i><b>WARNING!</b> Do not delete the DDIC user or its profile in client 000! DDIC is needed for certain tasks, such as installation and updates, and it works with the ABAP Dictionary; deleting it breaks those functions. Deleting it in every client other than 000 is acceptable (and recommended by some sources).</i></p><ul><li>In client 000 change the user type to <b>SYSTEM</b>;</li><li>Remove the SAP_ALL profile;</li><li>Lock the DDIC user and unlock it only when needed. Note that the transport system runs certain programs under the DDIC user;</li><li>Change the default password of the DDIC user;</li><li>Make sure that the DDIC user belongs to the <i>SUPER</i> user group in all clients, so that only authorized administrators can modify this account;</li><li>Regularly review the list of clients in the system for unauthorized ones.</li></ul><p><b><i>[EASAI-NA-05] Default password check for the SAPCPIC user</i></b></p><p><b><i>Description</i></b></p><p>The <b>SAPCPIC</b> user is used by the transport system of SAP solutions (in release 4.5A and lower). It is a communication user, mostly used for EDI (Electronic Data Interchange); it can also execute RFC calls without a dialog. <br /> This user has no dialog privileges, but it does have the <b>S_A.CPIC</b> profile. 
The critical authorization objects in that profile are:</p><ul><li><b>S_CPIC</b> (calling CPIC functions from ABAP/4 programs),</li><li><b>S_DATASET</b> (access to files from ABAP/4 programs), and</li><li><b>S_RFC</b> (authorization check for RFC access to program modules, for example to a function group).</li></ul><p></p><p><b><i>Threat</i></b></p><p>The default password of the <b>SAPCPIC</b> user is well known (see the table above). With it, an adversary can remotely execute RFC requests (e.g. start OS programs), execute arbitrary OS commands through RFC vulnerabilities (e.g. <b>TH_GREP</b>), and create dialog users with arbitrary privileges in order to log on to the system and get unrestricted access to the data.</p><p><b><i>Solution</i></b></p><p>Remove the <b>SAPCPIC</b> user if you do not need it. If it is still necessary:</p><ul><li>Change the default password of the SAPCPIC user;</li><li>Lock the SAPCPIC user and unlock it only when necessary;</li><li>If this user is required for EDI (e.g. by a contractor), never transmit its password over the remote session itself; use a separate, out-of-band channel, and change the password as soon as the remote session is over;</li><li>Make sure that this user belongs to the SUPER user group in all clients, so that only authorized administrators can change the account;</li><li>Create a dedicated user for remote access; do not use any of the default users;</li><li>Regularly check your clients to eliminate the risk of illicit access.</li></ul><p><b><i>[EASAI-NA-06] Default password check for the TMSADM user</i></b></p><p><b><i>Description</i></b></p><p>The <b>TMSADM</b> user is used for transfers through the transport system. It is created automatically in client 000 when the <b>Transport Management System (TMS)</b> is configured or changed. <br /> It is a communication user, that is, it is used for RFC calls between systems without a dialog. It has the <b>S_A.TMSADM</b> authorization profile, which allows it to call RFC functions with GUI and to write to the file system; the <b>SAP_ALL</b> profile is also often assigned to it.</p><p><b><i>Threat</i></b></p><p>The default password of the <b>TMSADM</b> user is well known. An adversary can remotely issue RFC requests that perform critical actions: delete and read files (<b>EPS_DELETE_FILE</b>, <b>EPS_OPEN_FILE2</b>); execute arbitrary ABAP code (through the vulnerabilities in <b>RFC_ABAP_INSTALL_AND_RUN</b> or <b>TTMS_CI_START_SERVICE</b>); and, with <b>BAPI_USER_CREATE1</b> and <b>SUSR_RFC_USER_INTERFACE</b>, create a dialog user, log on to the system and get unrestricted access to business data.</p><p><b><i>Solution</i></b></p><ul><li>Change the default password of the <b>TMSADM</b> user. To do so:<ul><li>Log on to client 000 as any user with administrative rights.</li><li>Run the <b>TMS_UPDATE_PWD_OF_TMSADM</b> program from the ABAP editor (transaction <b>SE38</b>). The program offers three ways to set the TMSADM password:<ul><li>enter your own password,</li><li>set the new standard password (SAP Note 761637, <i>$1Pawd2&amp;</i>), or</li><li>set the old standard password (PASSWORD);</li></ul></li><li>Select <i>"Enter your own password"</i> in the dialog box and enter the new password;</li><li>Execute the program.</li></ul>Only the first option actually closes the finding: both "standard" passwords are public (the newer one is in the table above) and are tried by the same scanners as the old one. Note also that the program propagates the new password to every system in the transport domain.</li><li>Make sure that this user belongs to the <b>SUPER</b> user group in all clients, so that only authorized administrators can change the account;</li><li>Create a dedicated user for remote access. 
Do not use any of the default users;</li><li>Regularly check your clients to eliminate the risk of illicit access.</li></ul><p>In addition, apply the security notes for the vulnerabilities in the programs that the TMSADM user can execute, such as:</p><ul><li>SAP Note 1298160 for vulnerabilities in TTMS_CI_START_SERVICE;</li><li>SAP Note 1330776 for vulnerabilities in EPS_DELETE_FILE and EPS_OPEN_FILE2.</li></ul><p><b><i>[EASAI-NA-07] Default password check for the EARLYWATCH user</i></b></p><p><b><i>Description</i></b></p><p>The <b>EARLYWATCH</b> user is created in client <b>066</b> during SAP installation and is a dialog user: it can log on through SAP GUI and act in the system. It is used for SAP's remote services and for access to monitoring data; as a rule, SAP AG customer support uses it to log on to customer systems. Change the default password of <b>EARLYWATCH</b>, but <b>never delete the user</b>.</p><p><b><i>Threats</i></b></p><p>The default password of the <b>EARLYWATCH</b> user is well known (see the table above). With it, an adversary can log on with the <b>S_TOOLS_EX_A</b> profile and perform various critical actions (for example, access files, view sensitive tables or display external statistics records through the monitoring tools). In old releases (6.40 and lower) the user could execute critical transactions such as <b>SE37</b> (execute function modules) and <b>SE38</b> (run reports). In newer releases it has fewer privileges, but it can still exploit vulnerabilities such as the <b>TH_GREP</b> call reachable through transaction <b>SM51</b> and thereby execute arbitrary OS commands.</p><p><b><i>Solution</i></b></p><p><b>Warning!</b> Do not delete the EARLYWATCH user or its profile!</p><ul><li>Lock the <b>EARLYWATCH</b> user and unlock it only when necessary;</li><li>Change the default password of the <b>EARLYWATCH</b> user;</li><li>Make sure that this user belongs to the <b>SUPER</b> user group in all clients, so that only authorized administrators can change the account;</li><li>Regularly check your clients to eliminate the risk of illicit access to the system.</li></ul><p></p><p>By now you should have noticed the ease and clarity with which we have tried to explain some technical subjects to you. You may also have wondered how we managed to keep the list of critical issues so brief, and you may even have appreciated that we point out what it all means, what it is good for and why you should care. It is completely up to you, but if you like our articles we strongly recommend that you stay with us: in two weeks we will come back with a description of the next critical issue.</p></div>
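<p>Every check in this article is the same operation repeated per standard user and per client, so the following added example (not code from the original article or from ERPScan) drives that loop from the table above. It assumes the default value of <b>login/fails_to_user_lock</b> (5 failed logons) is in force and keeps every user below that budget, so the audit cannot lock the very accounts it is checking. The SAP logon itself sits behind a callback; the <code>FakeSapSystem</code> class and its credential table are constructed stand-ins so the script runs offline, and wiring the callback to a real system (for example through the pyrfc library) is left as an assumption.</p>

```python
"""Audit SAP NetWeaver ABAP standard users for the default passwords tabulated above.

Added example, not code from the original article. The logon attempt is injected as a
callback (a real run would wrap an RFC logon, e.g. via pyrfc; assumption), while
FakeSapSystem below is a constructed offline stand-in.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Default credentials from the article's table: user -> (passwords, clients).
# "*" stands for the table's "Custom" column, i.e. any non-standard client.
DEFAULTS: Dict[str, Tuple[List[str], List[str]]] = {
    "SAP*":       (["06071992", "PASS"],     ["001", "066", "*"]),
    "DDIC":       (["19920706"],             ["000", "001", "*"]),
    "TMSADM":     (["PASSWORD", "$1Pawd2&"], ["000"]),
    "SAPCPIC":    (["ADMIN"],                ["000", "001"]),
    "EARLYWATCH": (["SUPPORT"],              ["066"]),
}
STANDARD_CLIENTS = {"000", "001", "066"}

# login/fails_to_user_lock defaults to 5 failed logons (assumed to be in force);
# never spend that many attempts on one user, or the audit locks the account itself.
MAX_ATTEMPTS_PER_USER = 4

LogonFn = Callable[[str, str, str], bool]  # (client, user, password) -> logon succeeded?

@dataclass
class Finding:
    client: str
    user: str
    password: str

@dataclass
class AuditResult:
    findings: List[Finding] = field(default_factory=list)
    skipped: List[Tuple[str, str]] = field(default_factory=list)  # (client, user) over budget

def applicable_passwords(user: str, client: str) -> List[str]:
    """Default passwords worth trying for `user` in `client`, per the table."""
    passwords, clients = DEFAULTS[user]
    if client in clients or ("*" in clients and client not in STANDARD_CLIENTS):
        return list(passwords)
    return []

def audit_default_passwords(try_logon: LogonFn, clients: Iterable[str]) -> AuditResult:
    """Try each applicable default password once; stop at the first hit per user."""
    result = AuditResult()
    for client in clients:
        for user in DEFAULTS:
            candidates = applicable_passwords(user, client)
            if not candidates:
                continue
            if len(candidates) > MAX_ATTEMPTS_PER_USER:
                result.skipped.append((client, user))  # would risk locking the account
                continue
            for password in candidates:
                if try_logon(client, user, password):
                    result.findings.append(Finding(client, user, password))
                    break  # one hit is enough; do not burn further attempts
    return result

class FakeSapSystem:
    """Constructed stand-in for an ABAP system: a credential table plus the
    lock-after-N-failures behaviour of login/fails_to_user_lock."""

    def __init__(self, credentials: Dict[Tuple[str, str], str], lock_threshold: int = 5):
        self.credentials = dict(credentials)
        self.lock_threshold = lock_threshold
        self.failed: Dict[Tuple[str, str], int] = {}
        self.locked: Set[Tuple[str, str]] = set()

    def try_logon(self, client: str, user: str, password: str) -> bool:
        key = (client, user)
        if key in self.locked:
            return False
        if self.credentials.get(key) == password:
            self.failed[key] = 0
            return True
        self.failed[key] = self.failed.get(key, 0) + 1
        if self.failed[key] >= self.lock_threshold:
            self.locked.add(key)
        return False

# Constructed sample state: some users still on defaults, one already changed, and a
# custom client 100 whose SAP* record was deleted (so the kernel SAP* with PASS is back).
DEMO_CREDENTIALS: Dict[Tuple[str, str], str] = {
    ("000", "DDIC"): "19920706",
    ("000", "TMSADM"): "$1Pawd2&",   # the "new standard" password is still a default
    ("000", "SAPCPIC"): "Ch4nged!",
    ("066", "SAP*"): "06071992",
    ("100", "SAP*"): "PASS",
}

def run_demo() -> Tuple[FakeSapSystem, AuditResult]:
    system = FakeSapSystem(DEMO_CREDENTIALS)
    result = audit_default_passwords(system.try_logon, ["000", "001", "066", "100"])
    return system, result

if __name__ == "__main__":
    system, result = run_demo()
    for f in result.findings:
        print(f"client {f.client}: {f.user} still accepts default password {f.password!r}")
    print("accounts locked by the audit:", sorted(system.locked))
```

<p>The attempt budget is the part worth copying: a naive loop that tries every password in a long list against SAP* would trip <b>login/fails_to_user_lock</b> and lock the administrator account in production, which is exactly the kind of side effect an assessment must avoid. A real audit should also record, per client, which users exist at all (a missing SAP* record is itself the EASAI-NA-03 condition) rather than inferring it from logon results.</p>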