SAP R/3 default password vulnerability

[Stefan Hoelzner <shoelzner () cityweb de>]

SAP R/3 default password vulnerability

Summary
=======
SAP R/3 ships with four default user accounts that are protected with commonly known passwords. These user accounts are 
equipped with super- or power user access rights. 

As many ERP software packages SAP R/3 is capable of installing different "clients" in order to separate data. Each 
client has its own user account management, therefore the logon information consists of three different components: 
username, password and client-number. The default user accounts are installed in _every_ client.

Whereas the default passwords are normally changed in production clients, they are often left unchanged in the 
non-production (system-) clients that are available in each default installation.

Although SAP AG recommends changing the default passwords (see [1]), we have found many installations - even on the 
Internet - that are still vulnerable to this attack.


Affected versions
=================
All SAP R/3 releases since 2.0B(?) up to 4.6D with unchanged default passwords


Detailed analysis
=================
A typical SAP R/3 installation consists of at least 4 clients. Three of them are base SAP R/3 clients that should be in 
every SAP instance. These are SAP R/3 pre-delivered clients that can/should never be modified under any circumstances:

000 SAP R/3 (base image, used for release changes, updates and special customizing tasks)
001 Auslieferungmandant R11 (a copy of client 000)
066 EarlyWatch (used for technical monitoring by SAP AG)

At least one additional client has to be available to act as the production client. Additional production and/or 
testing and development clients may be available. The client-ID has to be chosen between 002 and 999 (omitting 066).

Each client has its own user account management, therefore the logon information consists of three different 
components: username, password and client-number. The following default users are implemented into every client (000, 
001, 066 and all other clients - default passwords in brackets):

SAP* (06071992)
SAPCPIC (ADMIN)
DDIC (19920706)

In client 066 (sometimes, but not always, also existing in the other clients) there is the additional default user 
EARLYWATCH (password SUPPORT). 

Also note that once you delete SAP* the user is automatically "reborn" with the password PASS unless the system in 
explicitly configured not to do so.

Depending on your installation also the user TMSADM (used in the Transport Management System) may be present.

The users SAP* and DDIC are online users provided with super user access rights; they can read and modify all data in 
the given client. Furthermore, they are also able to access and modify certain data in the other clients, especially 
data in production clients. By using cross-client table modifications they may be used to alter data structures 
resulting in a system inconsistency (call it a "denial of service"-condition). A very worthwhile target are SAP* and 
DDIC in client 000. 

EARLYWATCH is also an online user, but with restricted system access rights.

The user SAPCPIC is not an online user, so it cannot be used to log onto the system in online mode. Nevertheless, it is 
also critical as it may be used to execute RFC commands originating from other R/3-systems (Remote Function Calls - it 
is beyond the scope of this document to describe the usage and the dangers resulting from RFC).

A special graphical user interface (SAP-GUI) is needed to connect to SAP R/3 systems. A Linux version is freely 
available (see [2] for instructions on how to install SAP-GUI for SuSE Linux). The logon screen can be invoked by using 
the command

guistart /H/<IP>/S/<port>

where <IP> = SAP R/3 application server and <port> = port number SAP is listening at.

SAP R/3 application servers and thus SAP R/3 systems can be identified by port scanning for port 3200. Although the 
system can be configured to listen to an arbitrary port this is not seen very often in the wild, so 3200 is a very good 
try indeed. 

Other vulnerabilities are present for SAP database servers (see [3] - German only), but they are not affected by this 
vulnerability.


Workaround / Solution
=====================
The protection of special users is described in detail at [4].


References
==========
[1] https://www.sap-ag.de/securityguide (access restrictions of SAG AG apply)
[2] http://sdb.suse.de/en/sdb/html/sapgui.html 
[3] http://www.lan-ks.de/~jochen/sap-r3/ora-hack.html
[4] http://help.sap.com/saphelp_45b/helpdata/en/52/671785439b11d1896f0000e8322d00/content.htm
[5] http://www.hoelzner.de/security/sap_default_passwords.php (a copy of this posting, but hopefully maintained with 
additional and revised information in the future...)


Addendum
========
You may say that exploiting default passwords is 14m3. Well, it is, indeed. But having analysed the security of SAP 
systems for quite some years now I always thought how appalling it is that so many companies are exposing their 
internal R/3's to unauthorized access through their own employees by leaving all that default accounts untouched. Then 
we asked ourselves "How many R/3 systems may be out there on the Internet that are vulnerable to that same 'exploit'?" 
So we started a small, non-representative scan and it was really alarming, frightening, horrific how many systems a 
malicious hacker could have compromised. So, anyone of you who operates R/3, you have been warned...