A standard way to find out the password of PI* service users. Is it a serious security bug?
From my point of view the answer is: “yes, of course”.
What would you think if I told you that just by running a function module through transaction SE37 you could get the password of PIISUSER in clear text?
When I found this out for the first time, several questions unavoidably crossed my mind:
- Will this password be the same as the one for PIAPPLUSER, or even for PISUPER?
- And why not also the same as the J2EE_ADMIN user, the SAP* user, SIDADM…?
- Could I simulate an external third-party system and send messages into PI for processing by logging on with any of these users?
Surely you are thinking that all these questions could be related to, or intended for, “malicious” or “fraudulent” actions. That has been the main reason I decided to write this blog.
I mean, this blog is not intended to show ways of hacking PI systems, but to show and describe the possible consequences if these credentials reached inappropriate hands, or people with deep knowledge of PI, in order to set out some recommendations and strong security policies for PI system administrators so that they can prevent this kind of action.
Let’s get to the point.
Working on a PI issue I ran into the function module SAI_AE_DETAILS_GET (what this function does or what it is used for is not within the scope of this blog).
When I googled it, I found many entries about this function, but none mentioning that it returns the password of PIISUSER in clear text.
Anyway, the point is that if you run this function module in SE37 and enter the AE name (af.<SID_SYSTEM>.<host_system_name>) as a parameter, the function returns the URL of the Adapter Engine to which messages must be directed, together with the credentials needed to log on to that URL (PIISUSER and its password in clear text).
So, first of all: is it usual for a function module to return a password in clear text?
Secondly, what does knowing the password of PIISUSER actually mean?
Nowadays, in current releases of SAP NetWeaver PI (excluding AEX 7.3x, to which this issue does not apply), after installing the system you must run an initial configuration wizard in which the PI* service users are created. In the initial step of this wizard you are prompted to type a master password for all these service users. This password may or may not be the same as the installation master password of the main administrator users (J2EE_ADMIN, SIDADM, DDIC, etc.). The user who runs the wizard (usually the same user who installed the system) decides whether to reuse the same master password or not. Who can know?
Note: I can't remember whether XI*/PI* service users were created during the installation of the XI/PI system in releases XI 3.0 and PI 7.0, or whether they were created during the execution of the initial configuration wizard as happens with current releases. For more information about PI* service users refer to the following link:
What is very likely, and is not taken into account as it should be, is that this wizard also creates the user PISUPER with this same password; if it is not changed later, it will remain the same as the PIISUSER password. The problem is that not everybody knows (Basis administrators included) that PISUPER is created as a dialog (“log-on”) user with admin roles, instead of as a system user like the rest of the PI* users. So, knowing the PIISUSER password can mean nearly full access to the PI system if you log on as PISUPER.
On the other hand, knowing the PIISUSER password means knowing the PIAPPLUSER password as well, which means that I could send a message to the PI system using these credentials (as if I were a trusted system) and this message would be processed like any other validated message. Obviously you would need to know the schema and metadata of the message, but that is not a major problem for a PI developer, is it? The problem is that this message can contain intrusive, dangerous or damaging content.
So, regarding your PI system's security (in any environment: Development, Test, Production): if you want your system to be safer, you should follow at least these recommendations:
- Restrict access to transaction SE37. At the very least, restrict the execution of function module SAI_AE_DETAILS_GET. However, there are other tricky ways to run a function module, which I am not going to describe, so you are still not totally safe.
- Check the PISUPER user's password. If it is the same as the PIISUSER password, change it. Do the same for the other admin users: SAP*, SIDADM, J2EE_ADMIN, etc.
- I would also tell you to change the PI* users' passwords, but even if you change all of them (which can be a bit of a mess, as everybody knows), whenever you run the above function module again you will get the new password. At least the PIISUSER password…
Edited on Sep 05, 2012