
SAP Unknown Default Password for TMSADM

SAP default passwords are nothing new. The top five default passwords are presented in many books and articles on security issues. One would hardly find anything new on this topic.

While carrying out an SAP security audit for a client, we came across an unknown password for the user TMSADM. The system itself displayed it: the default-accounts analysis in the well-known report RSUSR003 produced the following results.

[Screenshot: /wp-content/uploads/2013/02/1_188890.png]

The default password for TMSADM — PASSWORD — really is well known, but this is the first time I have seen the password $1Pawd2&. Let’s sort it out…

The first thing that comes to mind is to search the Internet. Google gives two references; the SAP website, six. None of them clarifies the matter: the mysterious password mainly turns up in published fragments of ABAP code.

Apparently, the answers are in the code. We open the source of the report RSUSR003 and easily find the message we saw on the screen earlier (message 028).

[Screenshot: /wp-content/uploads/2013/02/2_188891.png]

We also find the default password hashes that are embedded in the program source. Interestingly, there are two groups of hashes for the user TMSADM: one for the password PASSWORD and another for $1Pawd2&. Here they are (they may be useful for audits, penetration tests, etc.).

CONSTANTS:
*  EARLYWATCH
   lc_ewa TYPE xucode VALUE '13C810002A147DEE',
   lc_ewb TYPE xucode VALUE 'BD5E494D3ECBF5E2',
   lc_ewd TYPE xucode VALUE '573822832DF89B9C',
   lc_ewe TYPE xucode VALUE 'B3ADDFE95DCD036F',
   lc_ewf1 TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
   lc_ewf2 TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
*  CPIC
   lc_cpa TYPE xucode VALUE 'FC49DBF6F3FDCF36',
   lc_cpb TYPE xucode VALUE '7D806C248F03813D',
   lc_cpd TYPE xucode VALUE '35C7AB28316EA22F',
   lc_cpe TYPE xucode VALUE '5A5F45726821A147',
   lc_cpf1 TYPE hash160x VALUE '57CF364A7D83FA563025C7BCFFFB3B579DFB23F3',
   lc_cpf2 TYPE hash160x VALUE '38AE55102813F3BBBC3B3BCA09285ED5A9E0423F',
*  DDIC
   lc_dda TYPE xucode VALUE '5FA752863FB70BA9',
   lc_ddb TYPE xucode VALUE '61D26428640DBAB5',
   lc_ddd TYPE xucode VALUE 'DCA44BB71C073A05',
   lc_dde TYPE xucode VALUE '08FA7683A46D9AA9',
   lc_ddf TYPE hash160x VALUE '905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45',
*  SAP*
   lc_saa TYPE xucode VALUE 'C75E6D9600AB5710',
   lc_sab TYPE xucode VALUE 'D0BFF4276DA1E208',
   lc_sad TYPE xucode VALUE 'A83ECB9EC4D34C08',
   lc_sae TYPE xucode VALUE '95984B6A25BA20E9',
   lc_saf TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
*  TMSADM (PW1)
   lc_tms1a TYPE xucode VALUE '7671D2F2729F27F0',
   lc_tms1b TYPE xucode VALUE '942B9DC0F2394D85',
   lc_tms1d TYPE xucode VALUE '7C6433CE69099272',
   lc_tms1e TYPE xucode VALUE '940BAB0E12A36DC2',
   lc_tms1  TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
*  TMSADM (PW2)
   lc_tms2a TYPE xucode VALUE '05CB79BE189802A0',
   lc_tms2b TYPE xucode VALUE 'B7E2F82C0A3E54C4',
   lc_tms2d TYPE xucode VALUE '4DD4438D3C19138C',
   lc_tms2e TYPE xucode VALUE 'D527A90BC0CAF484',
   lc_tms2  TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'.

Note: there are five hashes for every account, one for each hashing algorithm (code version) used in SAP: A, B, D, E and F. Some accounts (CPIC, EARLYWATCH) have two hashes for the F algorithm, one for the password in upper case and one in lower case.

Recall that previous versions of the RSUSR003 report contained no information on the transport management system user TMSADM. As the following output shows, that account does not appear in the analysis results at all.

[Screenshot: /wp-content/uploads/2013/02/3_188892.png]

Apparently the report has recently been revised, and the new version includes default-password checks, among them a check for TMSADM. It has been revised, and a new, unknown password has appeared with it. Let's verify this. The very beginning of the source code usually lists the updates and amendments that were made.

[Screenshot: /wp-content/uploads/2013/02/4_188893.png]

The most recent update of the source code is the addition of user checks. For more information we look at the corresponding note (issued on April 27, 2011, a month after the code change).

[Screenshot: /wp-content/uploads/2013/02/5_188894.png]

Everything is confirmed. In early 2011, SAP developers changed the report RSUSR003 and added checks for the user TMSADM with two possible passwords: PASSWORD and $1Pawd2&.

Conclusions we can draw:

  1. While carrying out an SAP security audit, the existence of a second default password for TMSADM should be taken into account. Make sure the password in use differs from both default passwords. (The password $1Pawd2& was found on 2 of our test benches, so it may well be present in your system too.)
  2. Specialists responsible for the security of their own SAP systems should implement note 1552894 to make sure the default passwords of the system users have been changed, including the one for the user TMSADM.

Authors: Dmitry Gutsko, Positive Research

1 Comment
Frank Buchholz

Some additional remarks:

• The user TMSADM is only required in client 000.
• The user TMSADM should have user type B=System (by the way: forget user type C, as it's never required anymore. Use user type B for all background and all remote users.)
• The user TMSADM should only have authorization profile S_A.TMSADM, but no other profile, role or reference user assignment.

Here is an overview of the most important notes concerning user TMSADM.

White Papers:

Secure Configuration of SAP NetWeaver Application Server Using ABAP
Version 1.2 January 2012
https://service.sap.com/~sapdownload/011000358700000968282010E/SAP-Sec-Rec.pdf

Documentation / Implementation:

Note 1515926 - Update #1 to Security Note 1414256
https://service.sap.com/sap/support/notes/1515926

Note 1414256 - Changing TMSADM password is too complex
https://service.sap.com/sap/support/notes/1414256

Note 1488406 - Handling the generated user TMSADM
https://service.sap.com/sap/support/notes/1488406

Note 1486759 - Blocking unauthorized access to system using TMSADM to 4.6B
https://service.sap.com/sap/support/notes/1486759

Note 761637 - Logon restrictions prevent TMSADM logon
https://service.sap.com/sap/support/notes/761637

Related Topics:

Note 1726102 - EWA: "Default Passwords of Standard Users": User TMSADM
https://service.sap.com/sap/support/notes/1726102

Note 1552894 - RSUSR003: Checking the standard password for user TMSADM
https://service.sap.com/sap/support/notes/1552894

Note 863362 - Security checks in the SAP EarlyWatch Alert
https://service.sap.com/sap/support/notes/863362

Consulting Service (which would include the handling of the TMS):

Note 1504652 - Consulting: Secure Configuration of Application Server ABAP
https://service.sap.com/sap/support/notes/1504652

Mit freundlichen Grüßen / Kind regards
Frank Buchholz
Active Global Support - Security Services
mailto:securitycheck@sap.com

Security Optimization Service
https://service.sap.com/sos
Security Patch Process FAQ
https://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
Security Notes
https://service.sap.com/securitynotes
System Recommendations for Security Notes
https://service.sap.com/sysrec
Configuration Validation
http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home

Community / Forum / Blogs @ SCN
Security
http://scn.sap.com/community/security
Identity Management
http://scn.sap.com/community/netweaver-idm
Governance, Risk, and Compliance
http://scn.sap.com/community/grc

HANA Security
http://help.sap.com/hana_appliance#section3
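The following script is an added example (not part of the original post, the comment, or SAP's own RSUSR003) that combines the two checks discussed above: the article's point that RSUSR003 flags TMSADM by comparing its stored hash against the two embedded default hashes, and Frank Buchholz's three hardening criteria (client 000 only, user type B, only profile S_A.TMSADM with no roles or reference user). It works on constructed in-memory user records; the only real values in it are the two TMSADM code-version-F hashes (lc_tms1, lc_tms2) copied from the page. The field names mandt, bname, ustyp and passcode follow the USR02 table as I know it, and the profile, role and reference-user attributes are assumed to come from UST04, AGR_USERS and USREFUS exports; treat those mappings as assumptions.

```python
"""Audit TMSADM accounts from constructed SAP user-table exports.

Assumptions (not taken from the page): a row per user and client with the
USR02 fields MANDT, BNAME, USTYP and PASSCODE (CODVN F hash, 40 hex chars),
joined with profile (UST04), role (AGR_USERS) and reference-user (USREFUS)
assignments. The sample rows below are constructed.
"""
from dataclasses import dataclass, field

# CODVN F (hash160x) hashes for TMSADM embedded in RSUSR003, copied from the page.
# Both map a stored PASSCODE value to the default password it corresponds to.
DEFAULT_TMSADM_HASHES_F = {
    "C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF": "PW1 (PASSWORD)",
    "A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB": "PW2 ($1Pawd2&)",
}


@dataclass
class User:
    mandt: str                      # client
    bname: str                      # user name
    ustyp: str                      # user type: A=Dialog, B=System, ...
    passcode: str                   # CODVN F hash as hex (assumed field)
    profiles: set = field(default_factory=set)   # assumed from UST04
    roles: set = field(default_factory=set)      # assumed from AGR_USERS
    refuser: str = ""                            # assumed from USREFUS


def audit_tmsadm(users):
    """Return one finding string per violated rule for every TMSADM row."""
    findings = []
    for u in users:
        if u.bname != "TMSADM":
            continue
        where = f"client {u.mandt}: "
        # Rule 1 (comment): TMSADM is only required in client 000.
        if u.mandt != "000":
            findings.append(where + "TMSADM exists outside client 000")
        # Rule 2 (comment): user type must be B (System).
        if u.ustyp != "B":
            findings.append(where + f"user type is {u.ustyp!r}, expected 'B' (System)")
        # Rule 3 (comment): only profile S_A.TMSADM, no roles, no reference user.
        extra = sorted(u.profiles - {"S_A.TMSADM"})
        if extra:
            findings.append(where + f"profiles other than S_A.TMSADM assigned: {extra}")
        if u.roles:
            findings.append(where + f"roles assigned: {sorted(u.roles)}")
        if u.refuser:
            findings.append(where + f"reference user assigned: {u.refuser}")
        # Rule 4 (article): stored F hash equals one of the two default hashes.
        label = DEFAULT_TMSADM_HASHES_F.get(u.passcode.strip().upper())
        if label:
            findings.append(where + f"CODVN F hash matches default password {label}")
    return findings


# Constructed sample: a hardened TMSADM in client 000, a bad copy in client 100
# (default password PW2, dialog type, SAP_ALL and a role), and an unrelated user.
SAMPLE_USERS = [
    User("000", "TMSADM", "B", "0123456789ABCDEF0123456789ABCDEF01234567",
         {"S_A.TMSADM"}),
    User("100", "TMSADM", "A", "a6bf38ee57f90b78c8d88a5212bbf1ba9a966abb",
         {"S_A.TMSADM", "SAP_ALL"}, {"Z_BASIS_ALL"}),
    User("000", "DDIC", "A", "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
         {"SAP_ALL"}),
]


def run_sample():
    """Audit the constructed sample; expect five findings, all in client 100."""
    return audit_tmsadm(SAMPLE_USERS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The hash comparison is deliberately case-insensitive and whitespace-tolerant because exports of RAW fields vary in presentation; everything else is an exact match, so a TMSADM in client 000 with the right type, the single profile and a non-default hash produces no findings. Only the code-version-F hash is compared here, as in the page's two hash160x constants; the older A/B/D/E hashes would need the same lookup against the corresponding xucode values.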