Social Network For Security Executives: Network, Learn & Collaborate
Second critical category. Default passwords for access to the application
For the two previous weeks we’ve been discussing the top-9 critical areas and the 33 steps to be taken for security assessment. Ultimately, we’ve covered patch management flaws - the first critical category in our list. As you should have probably guessed, today it’s time we take a closer look at the next item from our list of critical issues - default passwords.
It is a wide reaching vulnerability with multiple attack vectors. As it requires little skill, default passwords vulnerability exploitation is now among the most frequently used ways of getting access to company’s data. Once installed, SAP system has several standard clients: 000, 001, 066. They all have high privileges set by default (usually, they have the SAP_ALL profile). When it comes to creating new clients, SAP system automatically generates default usernames and passwords.
In the version 6.10 of SAP Web Application Server, the so-called Master Passwords  were first put into practice.
Users should be particularly careful, as the fact is, vendor's default accounts and their passwords are well known. Have a look at the following table; we’ve gathered default passwords here for you:
|SAP*||06071992, PASS||001, 066, Custom|
|DDIC||19920706||000, 001, Custom|
(Read more: Can your SMART TV get hacked?)
Some additional SAP components also have their unique default passwords. For example, old versions of such services as SAP SDM and SAP ITS have their own pre-installed default passwords.
After you have finished checking whether there are default passwords, you should check user passwords for simple dictionary passwords. We suggest that you use efficient password bruteforcing utilities, in particular, such utilities, as John The Ripper would fit you great. Alternatively you can use ERPScan Security Monitoring Suite.
Besides, default passwords should be checked in all associated systems. Don’t forget to check your network equipment, operating systems and DBMS that store SAP system data. Oracle DBMS, for instance, contains a lot of default passwords, including those specific for SAP systems.
[EASAI-NA-03] Default password check for a SAP user
The SAP* users are created in all clients immediately after installation. Those are dialog users who work via SAP GUI (user type = dialog). They perform all administrative tasks (and usually have the SAP_ALL profile). In case any SAP* user has been removed, after the system was rebooted one can login using standard PASS password and get all the corresponding SAP_ALL privileges.
Default passwords of SAP* users are well-known (see the table above). With these passwords, an adversary may enter the system using SAP_ALL profile and, consequently, get an unlimited access to any business data stored in the system.
EASAI-NA-04 Default password check for the DDIC user
The DDIC user is created in the clients 000 and 001 upon their installation (and copying). This default system user’s purpose is to perform system installation, renewal, configuration and operation. Its purpose can also be implementation of support packages, upgrade and background job runtime of Transport Tool background jobs triggered by the tool.
In case the client is 000, this user belongs to a dialog type, it has the right to enter the system via SAP GUI and perform any actions.
In all the other clients it is a system type user, it may perform background processing and it can interact with the system. SAP_ALL and SAP_NEW profiles that grant access to all the functions of the SAP are defined for this user.
The DDIC user default password is well-known (see the table above). With these passwords, an adversary can enter the system using SAP_ALL profile and, consequently, get an unlimited access to any business data stored in the system.
WARNING! Do not remove the DDIC user or its profile! The DDIC user is necessary for performing certain tasks, such as installation or updating. It can also interact with ABAP dictionary. The DDIC user removal results in a loss of functionality in these areas. But it is acceptable (and highly recommended by some resources) to remove it in all clients except 000.
[EASAI-NA-05] Default password check for the SAP user
The SAPCIPIC user is used in transportation system of SAP solutions (in 4.5A and lower versions). It is a communication type user. It is mostly used for EDI (Electronic Data Interchange). It may also transport RFC calls without dialog boxes.
So, this user does not have dialog type user privileges, though it has the S_A.CPIC profile. As a result, critical are the following authorization objects:
Default passwords of SAPCPIC user is well-known (see the table above). With these passwords, an adversary can remotely execute RFC requests (e.g. start some OS programs); execute arbitrary OS commands through RFC vulnerabilities (e.g. TH_GREP); create dialog users with any privileges to enter the system and get an unlimited access to the data.
Remove SAPCPIC user if you do not need it. If the user is still necessary:
[EASAI-NA-06] Default password check for TMSADM user
The TMSADM user is used for transfers through the transport system. It is created automatically upon configuration and changes of Transport Management System (TMS) via the 000 client.
It is a communication user, in other words, it is often used falsely to transport external RFC calls without dialog boxes. It has the assigned S_A.TMSADM authorization profile enabled to utilize RFC-functions with GUI and to write to a file system. SAP_ALL profile is also often assigned to this user.
The default password of TMSADM user is well-known. An adversary may remotely start RFC requests to perform critical actions such as deletion and reading files (EPS_DELETE_FILE, EPS_OPEN_FILE2); arbitrary ABAP code execution (through the RFC_ABAP_INSTALL_AND_RUNor TTMS_CI_START_SERVICE function vulnerabilities), and, using BAPI_USER_CREATE1 andSUSR_RFC_USER_INTERFACE requests, to create a dialog user and, consequently, to enter the system and get an unlimited access to business data.
Additionally, it is better to apply security notes related to vulnerabilities in the programs which TMSADM user can execute, such as:
[EASAI-NA-07] Default password check for the EARLYWATCH user
The EarlyWatch user is created in the 066 client upon SAP installation and is related to a dialog type. It can enter via SAP GUI and perform any actions to the system. One can use it for SAP distance remote management and to get access to monitoring data. As a rule, it is used by SAP AG customer support to enter customer's systems. Change the default password forEarlyWatch user, but never delete the user.
EarlyWatch user’s default password is well-known (see the table above). With this password, an adversary can enter the system using the S_TOOLS_EX_A profile and, consequently, perform various critical actions (for example, access any files, view sensitive tables or display external statistics records via the control tools). In old versions - 6.4 and lower, users could execute critical transactions such as SE37 (function modules execution) and SE38 (running reports). In the new versions, it has fewer privileges, but it can exploit some vulnerabilities, such as theTH_GREP call with the SM51 transaction and, consequently, execute arbitrary OS commands.
Warning!Do not remove Earlywatch user or its profile!
By now you should have noticed the ease and clarity with which we tried explain to you some technical subjects. You should also have noticed and wondered how we managed to make the list of critical issues that brief. You may even have marveled at how sometimes we point out what it all means, what it’s good for, and why should you care. It’s completely up to you, but if you like our articles we strongly recommend that you stay with us as in two weaks well come back with the descriprion of the next critical issue.
(Read more: Shellshock Bug: A Quick Primer)