SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Generic)  >  SAP R/3 Vendors:  SAP
SAP R/3 Default Account Configuration Lets Remote Users Access Privileged Administrative Accounts
SecurityTracker Alert ID:  1005139
CVE Reference:  CAN-2002-1577
Updated:  Mar 16 2004
Original Entry Date:  Aug 27 2002
Impact:  Root access via network, User access via network
Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 4.6D and prior versions
Description:  A default configuration vulnerability was reported in SAP's R/3. A remote user could gain access to the application if the administrator has not changed the passwords of the default user accounts.

It is reported that SAP R/3 ships by default with several user accounts that are assigned commonly known passwords. These accounts have super-user or power-user privileges.

The accounts are 'SAP*', 'DDIC' and 'SAPCPIC', which exist in every client, and 'EARLYWATCH' in client 066 (sometimes also in other clients). If 'SAP*' is deleted, it is recreated automatically with the password 'PASS' unless the system is explicitly configured not to do so. Depending on the configuration, a 'TMSADM' user account may also be present.

The report indicates that the default passwords of these accounts are left unchanged by many administrators.

Impact:  A remote user could gain privileged access on systems that have not changed their default passwords.
Solution:  The vendor reportedly recommends that all administrators change the default passwords:

https://www.sap-ag.de/securityguide (access restrictions of SAP AG apply)

Vendor URL:  www.sap.com/
Cause:  Configuration error
Underlying OS:  UNIX (Any)
Reported By:  Stefan Hoelzner <shoelzner@cityweb.de>
Message History:   None.


Source Message Contents

Date:  25 Aug 2002 23:55:33 -0000
From:  Stefan Hoelzner <shoelzner@cityweb.de>
Subject:  SAP R/3 default password vulnerability

SAP R/3 default password vulnerability

Summary
=======
SAP R/3 ships with four default user accounts that are protected with commonly known passwords. These user accounts are equipped with super- or power-user access rights. Like many ERP software packages, SAP R/3 is capable of installing different "clients" in order to separate data. Each client has its own user account management, therefore the logon information consists of three different components: username, password and client-number. The default user accounts are installed in _every_ client. Whereas the default passwords are normally changed in production clients, they are often left unchanged in the non-production (system-) clients that are available in each default installation. Although SAP AG recommends changing the default passwords (see [1]), we have found many installations - even on the Internet - that are still vulnerable to this attack.

Affected versions
=================
All SAP R/3 releases since 2.0B(?) up to 4.6D with unchanged default passwords

Detailed analysis
=================
A typical SAP R/3 installation consists of at least 4 clients. Three of them are base SAP R/3 clients that should be in every SAP instance. These are SAP R/3 pre-delivered clients that can/should never be modified under any circumstances:

000 SAP R/3 (base image, used for release changes, updates and special customizing tasks)
001 Auslieferungmandant R11 (German: delivery client; a copy of client 000)
066 EarlyWatch (used for technical monitoring by SAP AG)

At least one additional client has to be available to act as the production client. Additional production and/or testing and development clients may be available. The client-ID has to be chosen between 002 and 999 (omitting 066). Each client has its own user account management, therefore the logon information consists of three different components: username, password and client-number. The following default users are implemented into every client (000, 001, 066 and all other clients - default passwords in brackets):

SAP* (06071992)
SAPCPIC (ADMIN)
DDIC (19920706)

In client 066 (sometimes, but not always, also existing in the other clients) there is the additional default user EARLYWATCH (password SUPPORT). Also note that once you delete SAP* the user is automatically "reborn" with the password PASS unless the system is explicitly configured not to do so. Depending on your installation also the user TMSADM (used in the Transport Management System) may be present.

The users SAP* and DDIC are online users provided with super user access rights; they can read and modify all data in the given client. Furthermore, they are also able to access and modify certain data in the other clients, especially data in production clients. By using cross-client table modifications they may be used to alter data structures resulting in a system inconsistency (call it a "denial of service"-condition). Very worthwhile targets are SAP* and DDIC in client 000. EARLYWATCH is also an online user, but with restricted system access rights. The user SAPCPIC is not an online user, so it cannot be used to log onto the system in online mode. Nevertheless, it is also critical as it may be used to execute RFC commands originating from other R/3-systems (Remote Function Calls - it is beyond the scope of this document to describe the usage and the dangers resulting from RFC).

A special graphical user interface (SAP-GUI) is needed to connect to SAP R/3 systems. A Linux version is freely available (see [2] for instructions on how to install SAP-GUI for SuSE Linux). The logon screen can be invoked by using the command

    guistart /H/<IP>/S/<port>

where <IP> = SAP R/3 application server and <port> = port number SAP is listening at. SAP R/3 application servers and thus SAP R/3 systems can be identified by port scanning for port 3200. Although the system can be configured to listen to an arbitrary port this is not seen very often in the wild, so 3200 is a very good try indeed.

Other vulnerabilities are present for SAP database servers (see [3] - German only), but they are not affected by this vulnerability.

Workaround / Solution
=====================
The protection of special users is described in detail at [4].

References
==========
[1] https://www.sap-ag.de/securityguide (access restrictions of SAP AG apply)
[2] http://sdb.suse.de/en/sdb/html/sapgui.html
[3] http://www.lan-ks.de/~jochen/sap-r3/ora-hack.html
[4] http://help.sap.com/saphelp_45b/helpdata/en/52/671785439b11d1896f0000e8322d00/content.htm
[5] http://www.hoelzner.de/security/sap_default_passwords.php (a copy of this posting, but hopefully maintained with additional and revised information in the future...)

Addendum
========
You may say that exploiting default passwords is 14m3. Well, it is, indeed. But having analysed the security of SAP systems for quite some years now I always thought how appalling it is that so many companies are exposing their internal R/3's to unauthorized access through their own employees by leaving all those default accounts untouched. Then we asked ourselves "How many R/3 systems may be out there on the Internet that are vulnerable to that same 'exploit'?" So we started a small, non-representative scan and it was really alarming, frightening, horrific how many systems a malicious hacker could have compromised. So, anyone of you who operates R/3, you have been warned...
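The following is an added example, not code from the advisory, from Stefan Hoelzner's posting or from SAP. It turns the account matrix above (SAP*, DDIC, SAPCPIC in every client, EARLYWATCH in 066 and occasionally elsewhere, SAP* recreated with PASS after deletion) into an audit that tries each default credential in the system clients and in any production clients you name, stopping per user at the first hit. The users, passwords and client numbers are the ones in the posting; the 32NN dispatcher-port convention and the host 10.0.0.5 are assumptions of this example. The logon transport is injected as a callback so the logic runs offline against a constructed landscape; in a live check that callback would wrap an RFC logon (assumed: via the SAP NW RFC SDK), which is not shown here.

```python
"""Audit harness for the SAP R/3 default-account matrix described in the posting.

Added example; not code from the advisory, from Stefan Hoelzner or from SAP.
Users, passwords and client numbers are the ones given in the posting.  The
logon transport is injected as a callback so the logic runs offline against a
constructed landscape; a live check would wrap an RFC logon (assumption: e.g.
the SAP NW RFC SDK), which is not shown here.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Default users shipped in every client, with the passwords to try in order.
# "PASS" covers the case where SAP* was deleted and automatically recreated.
DEFAULT_USERS: Dict[str, List[str]] = {
    "SAP*": ["06071992", "PASS"],
    "DDIC": ["19920706"],
    "SAPCPIC": ["ADMIN"],
    # Guaranteed only in client 066, but the posting says it sometimes exists
    # in other clients too, so it is tried everywhere.
    "EARLYWATCH": ["SUPPORT"],
}
SEVERITY = {"SAP*": "critical", "DDIC": "critical",
            "SAPCPIC": "high", "EARLYWATCH": "medium"}
BASE_CLIENTS = ("000", "001", "066")     # pre-delivered system clients

# (client, user, password) -> True if the logon was accepted.
LoginFn = Callable[[str, str, str], bool]


@dataclass(frozen=True)
class Finding:
    client: str
    user: str
    password: str
    severity: str


def dispatcher_port(instance_no: int) -> int:
    """Dispatcher port is 32NN for instance NN (assumed convention); 3200 = instance 00."""
    if not 0 <= instance_no <= 99:
        raise ValueError("instance number must be 00..99")
    return 3200 + instance_no


def route_string(host: str, port: int) -> str:
    """Connection string in the form the posting passes to guistart."""
    return f"/H/{host}/S/{port}"


def probe_dispatcher(host: str, port: int, timeout: float = 2.0) -> bool:
    """Discovery step from the posting: is a TCP listener on the dispatcher port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def clients_to_audit(extra: Iterable[str] = ()) -> List[str]:
    """System clients first, then any production/test clients you know of."""
    seen = list(BASE_CLIENTS)
    for c in extra:
        if c not in seen:
            seen.append(c)
    return seen


def audit_system(try_login: LoginFn, clients: Iterable[str]) -> List[Finding]:
    """Try each default credential in each client; stop per user on first hit."""
    findings: List[Finding] = []
    for client in clients:
        for user, passwords in DEFAULT_USERS.items():
            for pw in passwords:
                if try_login(client, user, pw):
                    findings.append(Finding(client, user, pw, SEVERITY[user]))
                    break
    return findings


def make_fake_login(state: Dict[str, Dict[str, str]]) -> LoginFn:
    """Constructed stand-in for the RFC logon: state maps client -> {user: password}."""
    def try_login(client: str, user: str, password: str) -> bool:
        return state.get(client, {}).get(user) == password
    return try_login


# Constructed landscape (not real data): production client 100 was hardened,
# the three system clients were left as shipped, and SAP* in 001 was deleted
# and came back with password PASS.
SAMPLE_LANDSCAPE: Dict[str, Dict[str, str]] = {
    "000": {"SAP*": "06071992", "DDIC": "19920706", "SAPCPIC": "ADMIN"},
    "001": {"SAP*": "PASS", "DDIC": "19920706", "SAPCPIC": "ADMIN"},
    "066": {"SAP*": "06071992", "DDIC": "19920706", "SAPCPIC": "ADMIN",
            "EARLYWATCH": "SUPPORT"},
    "100": {"SAP*": "r4nd0m-Str0ng!", "DDIC": "0th3r-Str0ng!", "SAPCPIC": "Rfc-0nly!"},
}


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    target = route_string("10.0.0.5", dispatcher_port(0))   # assumed host
    print("would connect with: guistart", target)
    hits = audit_system(make_fake_login(SAMPLE_LANDSCAPE), clients_to_audit(["100"]))
    for f in hits:
        print(f"[{f.severity:8}] client {f.client} {f.user} / {f.password}")
    print("summary:", summarize(hits))
```

Run against the constructed landscape, the audit reports ten hits: every default user in clients 000, 001 and 066 (SAP* in 001 only via PASS, EARLYWATCH only in 066) and nothing in the hardened client 100, which is exactly the pattern the posting describes for real installations. Trying the system clients first matters because that is where passwords are most often left unchanged, and stopping at the first successful password per user keeps the number of failed logons, and therefore lockouts and audit-log noise, to a minimum.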








Copyright 2004, SecurityGlobal.net LLC