Second critical category. Default passwords for access to the application
For the two previous weeks we’ve been discussing the top-9 critical areas and the 33 steps to be taken for security assessment. Ultimately, we’ve covered patch management flaws - the first critical category in our list. As you should have probably guessed, today it’s time we take a closer look at the next item from our list of critical issues - default passwords.
It is a wide reaching vulnerability with multiple attack vectors. As it requires little skill, default passwords vulnerability exploitation is now among the most frequently used ways of getting access to company’s data. Once installed, SAP system has several standard clients: 000, 001, 066. They all have high privileges set by default (usually, they have the SAP_ALL profile). When it comes to creating new clients, SAP system automatically generates default usernames and passwords.
In the version 6.10 of SAP Web Application Server, the so-called Master Passwords  were first put into practice.
Users should be particularly careful, as the fact is, vendor's default accounts and their passwords are well known. Have a look at the following table; we’ve gathered default passwords here for you:
|SAP*||06071992, PASS||001, 066, Custom|
|DDIC||19920706||000, 001, Custom|
(Read more: Can your SMART TV get hacked?)
Some additional SAP components also have their unique default passwords. For example, old versions of such services as SAP SDM and SAP ITS have their own pre-installed default passwords.
After you have finished checking whether there are default passwords, you should check user passwords for simple dictionary passwords. We suggest that you use efficient password bruteforcing utilities, in particular, such utilities, as John The Ripper would fit you great. Alternatively you can use ERPScan Security Monitoring Suite.
Besides, default passwords should be checked in all associated systems. Don’t forget to check your network equipment, operating systems and DBMS that store SAP system data. Oracle DBMS, for instance, contains a lot of default passwords, including those specific for SAP systems.
[EASAI-NA-03] Default password check for a SAP user
The SAP* users are created in all clients immediately after installation. Those are dialog users who work via SAP GUI (user type = dialog). They perform all administrative tasks (and usually have the SAP_ALL profile). In case any SAP* user has been removed, after the system was rebooted one can login using standard PASS password and get all the corresponding SAP_ALL privileges.
Default passwords of SAP* users are well-known (see the table above). With these passwords, an adversary may enter the system using SAP_ALL profile and, consequently, get an unlimited access to any business data stored in the system.
- First, give superuser rights to a SAP* user in all clients (do not remove it!). To do that, using SU01 transaction, select the SAP* user. After that, click on the Lock/Unlock icon(Ctrl+F5);
- Set login/no_automatic_user_sapstar to 1 (RZ10 and RZ11 transactions). Note that in 3.1G and lower versions, the login/noautomatic_user_sap* parameter is used;
- Change the SAP* default password (using SU01 transaction);
- Make sure that now the user belongs to the SUPER group in all clients. Go to SU01 transaction, select the SAP* user, click on the Change icon (Shift+F6), then on the Logon Data tab.
EASAI-NA-04 Default password check for the DDIC user
The DDIC user is created in the clients 000 and 001 upon their installation (and copying). This default system user’s purpose is to perform system installation, renewal, configuration and operation. Its purpose can also be implementation of support packages, upgrade and background job runtime of Transport Tool background jobs triggered by the tool.
In case the client is 000, this user belongs to a dialog type, it has the right to enter the system via SAP GUI and perform any actions.
In all the other clients it is a system type user, it may perform background processing and it can interact with the system. SAP_ALL and SAP_NEW profiles that grant access to all the functions of the SAP are defined for this user.
The DDIC user default password is well-known (see the table above). With these passwords, an adversary can enter the system using SAP_ALL profile and, consequently, get an unlimited access to any business data stored in the system.
WARNING! Do not remove the DDIC user or its profile! The DDIC user is necessary for performing certain tasks, such as installation or updating. It can also interact with ABAP dictionary. The DDIC user removal results in a loss of functionality in these areas. But it is acceptable (and highly recommended by some resources) to remove it in all clients except 000.
- In 000 client change the user type to SYSTEM;
- Remove SAP_ALL profile;
- Lock out the DDIC user. Unlock it if needed only. Notice that transport system executes certain programs on behalf of the DDIC user;
- Change the default password for the DDIC user;
- Make sure that the DDIC user belongs to the SUPER group in all clients. Only authorized administrators have the right to modify this account.
- Regularly perform checks of system clients to those illicit ones.
[EASAI-NA-05] Default password check for the SAP user
The SAPCIPIC user is used in transportation system of SAP solutions (in 4.5A and lower versions). It is a communication type user. It is mostly used for EDI (Electronic Data Interchange). It may also transport RFC calls without dialog boxes.
So, this user does not have dialog type user privileges, though it has the S_A.CPIC profile. As a result, critical are the following authorization objects:
- the S_CPIC (to call for CPIC functions from ABAP/4 programs),
- S_DATASET (with privileges to access files from ABAP/4 programs), and
- S_RFC (authorization check for RFC access to program modules, for example, to a functional group).
(Read more: How to choose your Security / Penetration Testing Vendor?)
Default passwords of SAPCPIC user is well-known (see the table above). With these passwords, an adversary can remotely execute RFC requests (e.g. start some OS programs); execute arbitrary OS commands through RFC vulnerabilities (e.g. TH_GREP); create dialog users with any privileges to enter the system and get an unlimited access to the data.
Remove SAPCPIC user if you do not need it. If the user is still necessary:
- Change the default password for SAPCPIC user;
- Lock out SAPCPIC user. Unlock if necessary only;
- If this user is required for EDI purposes (e.g. by contractor), never transmit this password via a remote session. It is also preferable to use separate communication channel, e.g. e-mail. Change the password immediately after the remote session is over;
- Make sure that this user belongs to SUPER group in all clients, so as to be certain that only authorized administrators have the right to change this user’s account;
- Determine a special user for remote access. Do not use any default users;
- Perform regular checks of your clients to eliminate the risk of illicit access.
[EASAI-NA-06] Default password check for TMSADM user
The TMSADM user is used for transfers through the transport system. It is created automatically upon configuration and changes of Transport Management System (TMS) via the 000 client.
It is a communication user, in other words, it is often used falsely to transport external RFC calls without dialog boxes. It has the assigned S_A.TMSADM authorization profile enabled to utilize RFC-functions with GUI and to write to a file system. SAP_ALL profile is also often assigned to this user.
The default password of TMSADM user is well-known. An adversary may remotely start RFC requests to perform critical actions such as deletion and reading files (EPS_DELETE_FILE, EPS_OPEN_FILE2); arbitrary ABAP code execution (through the RFC_ABAP_INSTALL_AND_RUNor TTMS_CI_START_SERVICE function vulnerabilities), and, using BAPI_USER_CREATE1 andSUSR_RFC_USER_INTERFACE requests, to create a dialog user and, consequently, to enter the system and get an unlimited access to business data.
- Change the default password of TMSADM user; to change this password you should:
- Enter the 000 client under any user with administrative rights.
- Start the TMS_UPDATE_PWD_OF_TMSADM program with the ABAP editor (the SE38transaction). There are three ways to change the TMSADM password:
- to enter your own password
- to set a new standard password (Note 761637, $1Pawd2&), or
- to set an old standard password (PASSWORD);
- Select the option "To enter your own password” in the dialog box and enter the new password;
- Start the program
- Make sure that this user belongs to the SUPER group in all clients. This way you will be certain that only authorized administrators have the right to change this user’s account;
- Determine a special user for the remote access. Do not use any of default users;
- Perform regular checks for your clients to eliminate the risk of illicit access.
Additionally, it is better to apply security notes related to vulnerabilities in the programs which TMSADM user can execute, such as:
- SAP Note 1298160 for vulnerabilities in TTMS_CI_START_SERVICE;
- SAP Note 1330776 for vulnerabilities in EPS_DELETE_FILE and EPS_OPEN_FILE2.
[EASAI-NA-07] Default password check for the EARLYWATCH user
The EarlyWatch user is created in the 066 client upon SAP installation and is related to a dialog type. It can enter via SAP GUI and perform any actions to the system. One can use it for SAP distance remote management and to get access to monitoring data. As a rule, it is used by SAP AG customer support to enter customer's systems. Change the default password forEarlyWatch user, but never delete the user.
EarlyWatch user’s default password is well-known (see the table above). With this password, an adversary can enter the system using the S_TOOLS_EX_A profile and, consequently, perform various critical actions (for example, access any files, view sensitive tables or display external statistics records via the control tools). In old versions - 6.4 and lower, users could execute critical transactions such as SE37 (function modules execution) and SE38 (running reports). In the new versions, it has fewer privileges, but it can exploit some vulnerabilities, such as theTH_GREP call with the SM51 transaction and, consequently, execute arbitrary OS commands.
Warning!Do not remove Earlywatch user or its profile!
- Lock out EARLYWATCH user. Unlock if necessary only;
- Change the default password for the EARLYWATCH user;
- Ensure that this user belongs to the SUPER group in all clients so that to be certain that only authorized administrators have the right to change this user’s account;
- Perform regular checks of your clients to eliminate the risk of illicit clients’ access to the system.
By now you should have noticed the ease and clarity with which we tried explain to you some technical subjects. You should also have noticed and wondered how we managed to make the list of critical issues that brief. You may even have marveled at how sometimes we point out what it all means, what it’s good for, and why should you care. It’s completely up to you, but if you like our articles we strongly recommend that you stay with us as in two weaks well come back with the descriprion of the next critical issue.
(Read more: Shellshock Bug: A Quick Primer)