
SAP default passwords are nothing new. The top five default passwords are presented in many books and articles on security issues. One would hardly find anything new on this topic.

While carrying out an SAP security audit for a client, we came across a previously unknown default password for the user TMSADM. The system itself revealed it: during the default-accounts analysis, the well-known report RSUSR003 produced the following results.

/wp-content/uploads/2013/02/1_188890.png

The default password for TMSADM — PASSWORD — really is well known, but this is the first time I have seen the password $1Pawd2&. Let’s sort it out…

The first thing that comes to mind is an Internet search. Google returns two references; the SAP website, six. None of them clarifies the matter: the mysterious password mostly turns up in published fragments of ABAP code.

So the answer must be in the code. We open the source of report RSUSR003 and easily find the message we saw on the screen (message 028).

/wp-content/uploads/2013/02/2_188891.png

We also find the default password hashes hard-coded in the program source. Interestingly, there are two groups of hashes for the user TMSADM: one for the password PASSWORD and another for $1Pawd2&. Here they are (they may be useful for audits, penetration tests, etc.).

CONSTANTS:
*  EARLYWATCH
   lc_ewa TYPE xucode VALUE '13C810002A147DEE',
   lc_ewb TYPE xucode VALUE 'BD5E494D3ECBF5E2',
   lc_ewd TYPE xucode VALUE '573822832DF89B9C',
   lc_ewe TYPE xucode VALUE 'B3ADDFE95DCD036F',
   lc_ewf1 TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
   lc_ewf2 TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
*  CPIC
   lc_cpa TYPE xucode VALUE 'FC49DBF6F3FDCF36',
   lc_cpb TYPE xucode VALUE '7D806C248F03813D',
   lc_cpd TYPE xucode VALUE '35C7AB28316EA22F',
   lc_cpe TYPE xucode VALUE '5A5F45726821A147',
   lc_cpf1 TYPE hash160x VALUE '57CF364A7D83FA563025C7BCFFFB3B579DFB23F3',
   lc_cpf2 TYPE hash160x VALUE '38AE55102813F3BBBC3B3BCA09285ED5A9E0423F',
*  DDIC
   lc_dda TYPE xucode VALUE '5FA752863FB70BA9',
   lc_ddb TYPE xucode VALUE '61D26428640DBAB5',
   lc_ddd TYPE xucode VALUE 'DCA44BB71C073A05',
   lc_dde TYPE xucode VALUE '08FA7683A46D9AA9',
   lc_ddf TYPE hash160x VALUE '905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45',
*  SAP*
   lc_saa TYPE xucode VALUE 'C75E6D9600AB5710',
   lc_sab TYPE xucode VALUE 'D0BFF4276DA1E208',
   lc_sad TYPE xucode VALUE 'A83ECB9EC4D34C08',
   lc_sae TYPE xucode VALUE '95984B6A25BA20E9',
   lc_saf TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
*  TMSADM (PW1)
   lc_tms1a TYPE xucode VALUE '7671D2F2729F27F0',
   lc_tms1b TYPE xucode VALUE '942B9DC0F2394D85',
   lc_tms1d TYPE xucode VALUE '7C6433CE69099272',
   lc_tms1e TYPE xucode VALUE '940BAB0E12A36DC2',
   lc_tms1  TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
*  TMSADM (PW2)
   lc_tms2a TYPE xucode VALUE '05CB79BE189802A0',
   lc_tms2b TYPE xucode VALUE 'B7E2F82C0A3E54C4',
   lc_tms2d TYPE xucode VALUE '4DD4438D3C19138C',
   lc_tms2e TYPE xucode VALUE 'D527A90BC0CAF484',
   lc_tms2  TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'.

Note: there are five hashes for every account, one for each password hashing algorithm (code version) used in SAP (A, B, D, E, F). Some accounts (CPIC, EARLYWATCH) have two hashes for the F algorithm: one for the password in upper case and one for it in lower case.
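To show how a check like the one RSUSR003 performs works in practice, here is an added example (my own code, not SAP's and not part of the original post) that runs the hash constants quoted above over a small password-hash export. The export layout (columns MANDT, BNAME, CODVN, BCODE, PASSCODE) is an assumption modelled on the USR02 fields; the sample rows are constructed for this example and are not real system data. The check selects the stored hash field by code version (A, B, D, E in BCODE; F in PASSCODE), compares it with the user's default hashes for that algorithm, and reports which TMSADM password group (PW1 or PW2) matched; code versions the report's constants do not cover are reported as unchecked rather than silently passed.

```python
import csv
import io

# (user, password label, {CODVN: set of default hashes}) taken from the
# RSUSR003 constants quoted in the post. PW1/PW2 mirror the report's labels.
RSUSR003_DEFAULTS = [
    ("EARLYWATCH", "default", {
        "A": {"13C810002A147DEE"}, "B": {"BD5E494D3ECBF5E2"},
        "D": {"573822832DF89B9C"}, "E": {"B3ADDFE95DCD036F"},
        # two F hashes: upper- and lower-case spelling of the password
        "F": {"924127D88EE3C1820A2C88495EC4825E819C9249",
              "760293CCD7AC111298A7AC70D3304242E442320F"}}),
    ("CPIC", "default", {
        "A": {"FC49DBF6F3FDCF36"}, "B": {"7D806C248F03813D"},
        "D": {"35C7AB28316EA22F"}, "E": {"5A5F45726821A147"},
        "F": {"57CF364A7D83FA563025C7BCFFFB3B579DFB23F3",
              "38AE55102813F3BBBC3B3BCA09285ED5A9E0423F"}}),
    ("DDIC", "default", {
        "A": {"5FA752863FB70BA9"}, "B": {"61D26428640DBAB5"},
        "D": {"DCA44BB71C073A05"}, "E": {"08FA7683A46D9AA9"},
        "F": {"905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45"}}),
    ("SAP*", "default", {
        "A": {"C75E6D9600AB5710"}, "B": {"D0BFF4276DA1E208"},
        "D": {"A83ECB9EC4D34C08"}, "E": {"95984B6A25BA20E9"},
        "F": {"8948310AF768FA9061598E8F68FD144CE65B7480"}}),
    ("TMSADM", "PW1", {
        "A": {"7671D2F2729F27F0"}, "B": {"942B9DC0F2394D85"},
        "D": {"7C6433CE69099272"}, "E": {"940BAB0E12A36DC2"},
        "F": {"C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF"}}),
    ("TMSADM", "PW2", {
        "A": {"05CB79BE189802A0"}, "B": {"B7E2F82C0A3E54C4"},
        "D": {"4DD4438D3C19138C"}, "E": {"D527A90BC0CAF484"},
        "F": {"A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB"}}),
]

# Which export column holds the hash for a given code version (assumed
# layout): A, B, D, E are 8-byte hashes in BCODE; F is a 160-bit hash in
# PASSCODE. Anything else (e.g. the newer salted versions) is not covered
# by the report's constants.
HASH_COLUMN = {"A": "BCODE", "B": "BCODE", "D": "BCODE", "E": "BCODE",
               "F": "PASSCODE"}


def check_record(rec):
    """Return (status, label) for one record.

    status: 'DEFAULT' if the stored hash equals a known default for this
    user and code version, 'OK' if not, 'UNCHECKED' if the code version
    is outside what the constants cover."""
    codvn = rec["CODVN"].strip().upper()
    column = HASH_COLUMN.get(codvn)
    if column is None:
        return "UNCHECKED", None
    stored = rec[column].strip().upper()
    user = rec["BNAME"].strip().upper()
    for default_user, label, hashes in RSUSR003_DEFAULTS:
        if default_user == user and stored in hashes.get(codvn, set()):
            return "DEFAULT", label
    return "OK", None


def check_export(csv_text):
    """Run check_record over a semicolon-separated export and return
    (MANDT, BNAME, status, label) per row, in file order."""
    rows = csv.DictReader(io.StringIO(csv_text), delimiter=";")
    return [(r["MANDT"], r["BNAME"], *check_record(r)) for r in rows]


# Constructed sample export (not real data). The hash values are copied
# from the report's constants so that the matches are reproducible.
SAMPLE_EXPORT = """MANDT;BNAME;CODVN;BCODE;PASSCODE
000;TMSADM;F;;A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB
100;TMSADM;B;942B9DC0F2394D85;
100;DDIC;E;08FA7683A46D9AA9;
100;SAP*;F;;0000000000000000000000000000000000000000
200;TMSADM;H;;
"""

if __name__ == "__main__":
    for mandt, bname, status, label in check_export(SAMPLE_EXPORT):
        suffix = f" ({label})" if label else ""
        print(f"client {mandt} user {bname:<10} {status}{suffix}")
```

Running the block prints one line per row: the two TMSADM rows in clients 000 and 100 are flagged as DEFAULT (PW2 and PW1 respectively), DDIC in client 100 is flagged, SAP* passes, and the client-200 TMSADM row with an uncovered code version is reported as UNCHECKED so that it is not mistaken for a clean result.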

Now recall that previous versions of the RSUSR003 report contained no information on the Transport Management System user TMSADM. As the output shows, that account is absent from the analysis results.

/wp-content/uploads/2013/02/3_188892.png

Apparently the report was revised recently, and the new versions include the TMSADM default passwords. The report was revised, and a new, previously unknown password appeared. Let's check: the very beginning of the source code usually records the updates and amendments that were made.

/wp-content/uploads/2013/02/4_188893.png

The most recent update to the source code concerns the added user checks. For more detail, let's look at the note (issued a month after the code change, on April 27, 2011).

/wp-content/uploads/2013/02/5_188894.png

Everything is confirmed. In early 2011, SAP developers changed the report RSUSR003 and added checks for the user TMSADM with two possible default passwords: PASSWORD and $1Pawd2&.

Conclusions we can draw:

  1. When auditing SAP system security, take into account that TMSADM has a second default password. Make sure the password in use differs from both default passwords. (The password $1Pawd2& was found on 2 of our test systems, so it may well be present in yours.)
  2. Specialists responsible for securing their own SAP systems should implement note 1552894 to make sure the default passwords of the system users, including TMSADM, have been changed.

Authors: Dmitry Gutsko, Positive Research


1 Comment


  1. Frank Buchholz

    Some additional remarks:

    • The user TMSADM is only required in client 000.
    • The user TMSADM should have user type B=System (by the way: forget user type C, as it’s never required anymore. Use user type B for all background and all remote users.)
    • The user TMSADM should only have authorization profile S_A.TMSADM, but no other profile, role or reference user assignment.

    Here is an overview of the most important notes concerning user TMSADM.

    White Papers:

    Secure Configuration of SAP NetWeaver Application Server Using ABAP
    Version 1.2 January 2012
    https://service.sap.com/~sapdownload/011000358700000968282010E/SAP-Sec-Rec.pdf

    Documentation / Implementation:

    Note 1515926 – Update #1 to Security Note 1414256
    https://service.sap.com/sap/support/notes/1515926

    Note 1414256 – Changing TMSADM password is too complex
    https://service.sap.com/sap/support/notes/1414256

    Note 1488406 – Handling the generated user TMSADM
    https://service.sap.com/sap/support/notes/1488406

    Note 1486759 – Blocking unauthorized access to system using TMSADM to 4.6B
    https://service.sap.com/sap/support/notes/1486759

    Note 761637 – Logon restrictions prevent TMSADM logon
    https://service.sap.com/sap/support/notes/761637

    Related Topics:

    Note 1726102 – EWA: “Default Passwords of Standard Users”: User TMSADM
    https://service.sap.com/sap/support/notes/1726102

    Note 1552894 – RSUSR003: Checking the standard password for user TMSADM
    https://service.sap.com/sap/support/notes/1552894

    Note 863362 – Security checks in the SAP EarlyWatch Alert
    https://service.sap.com/sap/support/notes/863362

    Consulting Service (which would include the handling of the TMS):

    Note 1504652 – Consulting: Secure Configuration of Application Server ABAP
    https://service.sap.com/sap/support/notes/1504652

    Kind regards
    Frank Buchholz
    Active Global Support – Security Services
    mailto:securitycheck@sap.com

    Security Optimization Service
    https://service.sap.com/sos
    Security Patch Process FAQ
    https://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
    Security Notes
    https://service.sap.com/securitynotes
    System Recommendations for Security Notes
    https://service.sap.com/sysrec
    Configuration Validation
    http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home

    Community / Forum / Blogs @ SCN
    Security
    http://scn.sap.com/community/security
    Identity Management
    http://scn.sap.com/community/netweaver-idm
    Governance, Risk, and Compliance
    http://scn.sap.com/community/grc

    HANA Security
    http://help.sap.com/hana_appliance#section3

