SAP default passwords are nothing new. The top five default passwords are presented in many books and articles on security issues. One would hardly find anything new on this topic.
Carrying out SAP security audit for a client, we came across an unknown password of the user TMSADM. The password was displayed by the system itself: during the default accounts analysis, the following results were obtained in the known report RSUSR003.
The default password for TMSADM — PASSWORD — really is well known, but this is the first time I have seen the password $1Pawd2&. Let’s sort it out…
The first thing that comes to your mind is to search on the Internet. Google gives two references. The SAP website, six. None of them clarifies the matter: the mysterious password is mainly discovered in published fragments of the ABAP code.
Apparently, we should look for the answers in the code. We open the source code of the report RSUSR003 and have no difficulty in finding the message we’ve seen on the screen before (message 028).
We also find default passwords hashes that are implemented to the program source text. Interestingly enough that there are two groups of hashes for the user TMSADM: one for the password PASSWORD and another for $1Pawd2&. Here they are (they might be useful for audit, penetration testing etc.).
lc_ewa TYPE xucode VALUE ’13C810002A147DEE’,
lc_ewb TYPE xucode VALUE ‘BD5E494D3ECBF5E2’,
lc_ewd TYPE xucode VALUE ‘573822832DF89B9C’,
lc_ewe TYPE xucode VALUE ‘B3ADDFE95DCD036F’,
lc_ewf1 TYPE hash160x VALUE ‘924127D88EE3C1820A2C88495EC4825E819C9249’,
lc_ewf2 TYPE hash160x VALUE ‘760293CCD7AC111298A7AC70D3304242E442320F’,
lc_cpa TYPE xucode VALUE ‘FC49DBF6F3FDCF36’,
lc_cpb TYPE xucode VALUE ‘7D806C248F03813D’,
lc_cpd TYPE xucode VALUE ’35C7AB28316EA22F’,
lc_cpe TYPE xucode VALUE ‘5A5F45726821A147’,
lc_cpf1 TYPE hash160x VALUE ’57CF364A7D83FA563025C7BCFFFB3B579DFB23F3′,
lc_cpf2 TYPE hash160x VALUE ’38AE55102813F3BBBC3B3BCA09285ED5A9E0423F’,
lc_dda TYPE xucode VALUE ‘5FA752863FB70BA9’,
lc_ddb TYPE xucode VALUE ’61D26428640DBAB5′,
lc_ddd TYPE xucode VALUE ‘DCA44BB71C073A05’,
lc_dde TYPE xucode VALUE ’08FA7683A46D9AA9′,
lc_ddf TYPE hash160x VALUE ‘905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45’,
lc_saa TYPE xucode VALUE ‘C75E6D9600AB5710’,
lc_sab TYPE xucode VALUE ‘D0BFF4276DA1E208’,
lc_sad TYPE xucode VALUE ‘A83ECB9EC4D34C08’,
lc_sae TYPE xucode VALUE ‘95984B6A25BA20E9’,
lc_saf TYPE hash160x VALUE ‘8948310AF768FA9061598E8F68FD144CE65B7480’,
* TMSADM (PW1)
lc_tms1a TYPE xucode VALUE ‘7671D2F2729F27F0’,
lc_tms1b TYPE xucode VALUE ‘942B9DC0F2394D85’,
lc_tms1d TYPE xucode VALUE ‘7C6433CE69099272’,
lc_tms1e TYPE xucode VALUE ‘940BAB0E12A36DC2’,
lc_tms1 TYPE hash160x VALUE ‘C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF’,
* TMSADM (PW2)
lc_tms2a TYPE xucode VALUE ’05CB79BE189802A0′,
lc_tms2b TYPE xucode VALUE ‘B7E2F82C0A3E54C4’,
lc_tms2d TYPE xucode VALUE ‘4DD4438D3C19138C’,
lc_tms2e TYPE xucode VALUE ‘D527A90BC0CAF484’,
lc_tms2 TYPE hash160x VALUE ‘A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB’
- Note. There are 5 hashes for every account: one for every hashing algorithm used in SAP (A, B, D, E, F). Some accounts (CPIC, EARLYWATCH) each have two password hashes for the F algorithm: for passwords in upper and lower case.
Now we can remember that there was no information on the transport management system user TMSADM in previous versions of the RSUSR003 report. As we can see, there’s no such account in the analysis results output.
Apparently, the report has recently been revised and new versions contain information on default passwords and TMSADM password. It has been revised… And a new unknown password has appeared. Checking. Let’s see the very beginning of the source code: it usually has information on updates and amendments that were made.
The very last update of the source code is related to adding user checks. For more information let’s see the note (issued in a month following the code changing, on April 27, 2011).
Everything is confirmed. In early 2011, SAP developers made changes to the report RSUSR003, added checks for the user TMSADM providing two possible passwords: PASSWORD and $1Pawd2&.
Conclusions we can draw:
- 1. While carrying out the SAP systems security audit, the existence of another default password for TMSADM should be taken into account. Make sure that the used password differs from the two default passwords. (Password $1Pawd2& was discovered in 2 of our test benches, so it can be easily found in your system.)
- 2. Specialists responsible for the security of their own SAP systems should implement note 1552894 to make sure default passwords for the system users were changed, including the one for the user TMSADM.
Authors: Dmitry Gutsko, Positive Research