SAP Unknown Default Password for TMSADM

Authors: Dmitry Gutsko, Positive Research

SAP default passwords are nothing new. The top five default passwords are presented in many books and articles on security issues. One would hardly find anything new on this topic.
While carrying out an SAP security audit for a client, we came across an unknown password for the user TMSADM. The password was displayed by the system itself: during the default-account analysis, the well-known report RSUSR003 produced the following results.

The default password for TMSADM, PASSWORD, is indeed well known, but this is the first time I have seen the password $1Pawd2&. Let's sort it out.
The first thing that comes to mind is to search the Internet. Google gives two references; the SAP website, six. None of them clarifies the matter: the mysterious password mainly turns up in published fragments of ABAP code.

Apparently, we should look for the answer in the code. We open the source code of the report RSUSR003 and have no difficulty finding the message we saw on the screen (message 028).

We also find the default password hashes hard-coded in the program source. Interestingly, there are two groups of hashes for the user TMSADM: one for the password PASSWORD and another for $1Pawd2&. Here they are (they might be useful for audits, penetration testing etc.).

TYPE xucode VALUE '13C810002A147DEE',
TYPE xucode VALUE 'BD5E494D3ECBF5E2',
TYPE xucode VALUE '573822832DF89B9C',
TYPE xucode VALUE 'B3ADDFE95DCD036F',
TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
TYPE xucode VALUE 'FC49DBF6F3FDCF36',
TYPE xucode VALUE '7D806C248F03813D',
TYPE xucode VALUE '35C7AB28316EA22F',
TYPE xucode VALUE '5A5F45726821A147',
TYPE hash160x VALUE '57CF364A7D83FA563025C7BCFFFB3B579DFB23F3',
TYPE hash160x VALUE '38AE55102813F3BBBC3B3BCA09285ED5A9E0423F',
TYPE xucode VALUE '5FA752863FB70BA9',
TYPE xucode VALUE '61D26428640DBAB5',
TYPE xucode VALUE 'DCA44BB71C073A05',
TYPE xucode VALUE '08FA7683A46D9AA9',
TYPE hash160x VALUE '905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45',
*  SAP*
TYPE xucode VALUE 'C75E6D9600AB5710',
TYPE xucode VALUE 'D0BFF4276DA1E208',
TYPE xucode VALUE 'A83ECB9EC4D34C08',
TYPE xucode VALUE '95984B6A25BA20E9',
TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
TYPE xucode VALUE '7671D2F2729F27F0',
TYPE xucode VALUE '942B9DC0F2394D85',
TYPE xucode VALUE '7C6433CE69099272',
TYPE xucode VALUE '940BAB0E12A36DC2',
TYPE hash160x VALUE 'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF',
TYPE xucode VALUE '05CB79BE189802A0',
TYPE xucode VALUE 'B7E2F82C0A3E54C4',
TYPE xucode VALUE '4DD4438D3C19138C',
TYPE xucode VALUE 'D527A90BC0CAF484',
TYPE hash160x VALUE 'A6BF38EE57F90B78C8D88A5212BBF1BA9A966ABB'

Note. There are five hashes for every account: one for each hashing algorithm used in SAP (A, B, D, E, F). Some accounts (CPIC, EARLYWATCH) each have two password hashes for the F algorithm: one for the password in upper case and one in lower case.
Now we recall that previous versions of the RSUSR003 report contained no information on the transport management system user TMSADM. As we can see, there is no such account in the analysis output.

Apparently, the report has recently been revised, and the new versions include information on default passwords, among them the TMSADM password. It was revised, and a new, unknown password appeared. Let's check. Look at the very beginning of the source code: it usually records the updates and amendments that were made.

The latest update to the source code concerns the addition of user checks. For more information, let's look at the note (issued a month after the code change, on April 27, 2011).

Everything is confirmed. In early 2011, SAP developers changed the report RSUSR003 and added checks for the user TMSADM with two possible passwords: PASSWORD and $1Pawd2&.

Conclusions we can draw:
  1. When carrying out an SAP system security audit, take into account that TMSADM has a second default password. Make sure the password in use differs from both default passwords. (The password $1Pawd2& was found on 2 of our test benches, so it may well be present in your system too.)
  2. Specialists responsible for the security of their own SAP systems should implement note 1552894 to make sure the default passwords of the system users, including TMSADM, have been changed.
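As an added example (not code from the post, from Positive Research or from SAP), the following script turns the hash list above into an offline audit check: it parses the RSUSR003-style constant lines quoted in the post, skipping the ABAP comment line that starts with `*`, and compares stored user hashes against the resulting default-hash sets. It assumes a constructed user export in the form BNAME;BCODE;PASSCODE (not SAP's own export layout), and assumes that the 16-hex-character xucode values correspond to the BCODE field and the 40-hex-character hash160x values to the PASSCODE field, which is consistent with the note that each account has four hashes for codes A, B, D, E and one for code F. Only a subset of the quoted constants is embedded to keep the example short; the full list can be pasted in unchanged.

```python
"""Offline check of stored SAP password hashes against the default-password
hashes that RSUSR003 embeds (added example; assumptions are noted inline)."""
import re

# Constructed subset of the constant declarations quoted in the post.
# A '*' in column 1 is an ABAP full-line comment.
RSUSR003_FRAGMENT = """\
TYPE xucode VALUE '13C810002A147DEE',
TYPE xucode VALUE 'BD5E494D3ECBF5E2',
TYPE xucode VALUE '573822832DF89B9C',
TYPE xucode VALUE 'B3ADDFE95DCD036F',
TYPE hash160x VALUE '924127D88EE3C1820A2C88495EC4825E819C9249',
TYPE hash160x VALUE '760293CCD7AC111298A7AC70D3304242E442320F',
*  SAP*
TYPE xucode VALUE 'C75E6D9600AB5710',
TYPE xucode VALUE 'D0BFF4276DA1E208',
TYPE xucode VALUE 'A83ECB9EC4D34C08',
TYPE xucode VALUE '95984B6A25BA20E9',
TYPE hash160x VALUE '8948310AF768FA9061598E8F68FD144CE65B7480',
"""

# Assumed mapping: xucode (16 hex chars) is compared against the BCODE
# field, hash160x (40 hex chars) against the PASSCODE field.
HEX_LENGTH = {"xucode": 16, "hash160x": 40}
_CONST_RE = re.compile(r"TYPE\s+(\w+)\s+VALUE\s+'([0-9A-Fa-f]+)'", re.IGNORECASE)


def parse_default_hashes(text):
    """Return {'xucode': set, 'hash160x': set} of upper-case hex strings parsed
    from an RSUSR003-style constant list. Comment and blank lines are skipped;
    any other line that is not a well-formed constant raises ValueError."""
    found = {"xucode": set(), "hash160x": set()}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("*"):
            continue
        m = _CONST_RE.search(raw)
        if not m:
            raise ValueError("unrecognised line: %r" % raw)
        kind, value = m.group(1).lower(), m.group(2).upper()
        if kind not in HEX_LENGTH or len(value) != HEX_LENGTH[kind]:
            raise ValueError("bad %s value %r" % (kind, value))
        found[kind].add(value)
    return found


def audit_users(rows, defaults):
    """rows: iterable of 'BNAME;BCODE;PASSCODE' lines (constructed layout).
    Returns [(user, field), ...] for every stored hash equal to a known
    default-password hash; an empty list means nothing matched."""
    hits = []
    for line in rows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, bcode, passcode = (f.strip().upper() for f in line.split(";"))
        if bcode and bcode in defaults["xucode"]:
            hits.append((user, "BCODE"))
        if passcode and passcode in defaults["hash160x"]:
            hits.append((user, "PASSCODE"))
    return hits


# Constructed sample export: TMSADM still carries default hashes, SAP* and
# AUDITOR carry made-up non-default values (AUDITOR has an empty BCODE).
SAMPLE_EXPORT = [
    "# BNAME;BCODE;PASSCODE",
    "TMSADM;13C810002A147DEE;924127D88EE3C1820A2C88495EC4825E819C9249",
    "SAP*;0000000000000000;0000000000000000000000000000000000000000",
    "AUDITOR;;1111111111111111111111111111111111111111",
]


def run_sample_audit():
    """Parse the embedded fragment and audit the constructed sample export."""
    defaults = parse_default_hashes(RSUSR003_FRAGMENT)
    return audit_users(SAMPLE_EXPORT, defaults)


if __name__ == "__main__":
    for user, field in run_sample_audit():
        print("%s: %s matches a known default-password hash" % (user, field))
```

A match on either field means the account is still on a default password and should be changed, as note 1552894 recommends; because the check compares stored hashes rather than guessing passwords, it can run against an export without touching the live system.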
