Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is no longer enough to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they do not have access to the ERP system. In addition, it is rather common to have an unprivileged account, which gives them access to an encrypted password, but not to the whole system. Sometimes they even try to break into other systems with the passwords that users reuse from systems that have already been broken into, but they can’t, because the passwords need to be decrypted first. Where do we find the treasured password to access the financial transactions and revenues of NASDAQ monsters?
Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext?
This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, which is more interesting, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented.
SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, Database links, SAP HANA Storage, you name it – all varieties of SAP modules will be discussed in this talk.
CONFidence 2014: Dmitry Chastukhin: All your SAP P@$$w0ЯdZ belong to us
1. Invest in security to secure investments
All your SAP P@$$w0ЯdZ belong to us
Dmitry Chastukhin – Director of SAP pentest/research team
2. ERPScan
Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities
• Developing software for SAP security monitoring
• Talks at 40+ security conferences worldwide: BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
• First to develop software for NetWeaver J2EE assessment
• The only solution to assess all areas of SAP security
• Research team with experience in different areas of security from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.
• Local partner: PBSG, www.pbsg.pl
2erpscan.com ERPScan — invest in security to secure investments
4. SAP
• The most popular business application
• More than 250000 customers worldwide
• More than 83 % of Forbes 500 run SAP
• More than 40 % of ERP market in Poland
5. SAP security
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations
6. Is it remotely exploitable?
> 5000 non-web SAP services exposed in the world
including Dispatcher, Message server, SapHostControl, etc.
sapscan.com
7. What about other services?
[Chart: number of exposed services worldwide by type: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
8. SAP MMC – overview
• MMC is installed by default on port 5<ID>13
• Used for remote management of SAP servers
• Commands executed via SOAP interface
• By default, SSL is not configured
• Administrative password transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server
9. SAP MMC – attacks
• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution
11. PWN
If an attacker can read a file from the server OS, they can get clear text passwords of SAP users and, as a result, compromise the SAP system
13. Default passwords
User name    Password
SAP*         06071992, PASS
DDIC         19920706
TMSADM       PASSWORD, $1Pawd2&
EARLYWATCH   SUPPORT
SAPCPIC      ADMIN
14. Passwords on client side
15. SAPGUI: History of ActiveX attacks
Date | Component | Author | Vulnerability | Link
04.01.2007 | Rfcguisink | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/
04.01.2007 | Kwedit | Mark Litchfield | BOF | http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/
07.11.2008 | Mdrmsap | Will Dormann | BOF | http://www.securityfocus.com/bid/32186/info
07.01.2009 | Sizerone | Carsten Eiram | BOF | http://www.securityfocus.com/bid/33148/info
31.03.2009 | WebViewer3D | Will Dormann | BOF | http://www.securityfocus.com/bid/34310/info
15.04.2009 | Kwedit | Carsten Eiram | Insecure Method | http://secunia.com/secunia_research/2008-56/
08.06.2009 | Sapirrfc | Alexander Polyakov (ERPScan) | BOF | http://erpscan.com/advisories/dsecrg-09-015-sap-gui-6-4-buffer-overflow-vulnerability/
28.09.2009 | WebViewer3D | Alexander Polyakov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-043-sap-gui-7-1-webviewer2d-activex-%e2%80%94-insecure-methods/
28.09.2009 | WebViewer2D | Alexander Polyakov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-044-sap-gui-7-1-webviewer3d-activex-insecure-methods/
07.10.2009 | VSFlexGrid | Elazar Broad, Alexander Polyakov (ERPScan) | BOF | http://erpscan.com/advisories/dsecrg-09-017-sap-gui-vsflexgrid-activex-%e2%80%94-buffer-overflow-vulnerability/
23.03.2010 | BExGlobal | Alexey Sintsov (ERPScan) | Insecure Method | http://erpscan.com/advisories/dsecrg-09-064-sap-gui-7-1-insecure-method-code-execution/
unpublished | Kwedit | Alexander Polyakov, Alexey Troshichev (ERPScan) | Insecure Method |
14.12.2010 | RFCSDK | Alexey Sintsov (ERPScan) | Memory Corruption | http://erpscan.com/advisories/dsecrg-09-069-sap-rfc-sdk-%e2%80%94-format-string/
14.12.2010 | RFCSDK | Alexey Sintsov (ERPScan) | Format String | http://erpscan.com/advisories/dsecrg-09-070-sap-rfc-sdk-%e2%80%94-memory-corruption/
unpublished | | Alexander Polyakov (ERPScan) | Insecure Method |
22.12.2010 | NWBC | Alexey Sintsov (ERPScan) | Memory Corruption | http://erpscan.com/advisories/dsecrg-10-010-zdi-10-290-sap-netweaver-business-client-sapthemerepository-activex-control-remote-code-execution-vulnerability/
16. Passwords on client side
• Attack via ActiveX
‒ A lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs
‒ Buffer overflow in saplogon.exe (1504547)
What after that?
SapLogon shortcuts!
Often, lazy users store the passwords for their SAP accounts in shortcuts
17. Passwords on client side
[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Configuration]
WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
[Options]
Reuse=1
This is what a typical shortcut looks like…
File: <name>.sap
18. Passwords on client side
[Label]
Key1=myShortcut
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -tit="myShortcut" -cmd="se16" -wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"
…or like that
File: sapshortcut.ini
19. Passwords on client side
pwenc="PW_48B7231FD1FE390C"
PW_48B7231FD1FE390C
48B7231FD1FE390C
I used this password: 06071992
Looks like XOR encryption
20. Passwords on client side
• After a few experiments, we found out:
– Yes, this is XOR
– Yes, the key is static for all SAPLogon
• The key is:
788113…dc49b0
21. Passwords on client side
• …and the PY code to decrypt
# Python 3 version of the slide's Python 2 snippet
key = "788…"                     # static SAPLogon key (hex, elided on the slide)

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "PW_48B7231FD1FE390C"
# strip the "PW_" prefix, then XOR the hex-decoded bytes with the key
dec_pass = sxor(bytes.fromhex(enc_pass[3:]), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
22. Prevention
• Don’t use SAPGUI 6.4 (there are no patches for
some vulns)
• Patch SAPGUI with the latest SP
• Don’t store password in shortcuts
(HKCU\Software\SAP\SAPShortcut\Security, EnablePassword=0)
• Make sure that you do not activate the storage
of passwords in SAP shortcuts
• Authentication security for SAP shortcuts:
http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm
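As an added example (not from the deck and not ERPScan's tooling), the Python below parses the two shortcut formats shown on slides 17 and 18 and flags every entry that carries a stored password, which is the check an administrator would run over user profiles to enforce the "don't store passwords in shortcuts" rule. The sample file contents are constructed; the section and switch names (-sid, -clt, -u, -pwenc) are taken from the slides.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample of a <name>.sap shortcut, modelled on slide 17.
SAMPLE_SAP_SHORTCUT = """[System]
Name=DM0
Description=Test Sap Server
Client=800
[User]
Name=SAP*
Language=EN
Password=PW_48B7231FD1FE390C
[Function]
Title=myShortcut
Command=se16
[Options]
Reuse=1
"""

# Constructed sample of a sapshortcut.ini (slide 18): each [Command] entry is
# one command line, and the -pwenc switch carries the obfuscated password.
SAMPLE_SAPSHORTCUT_INI = """[Label]
Key1=myShortcut
Key2=noPassword
[Command]
Key1=-desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -cmd="se16" -pwenc="PW_48B7231FD1FE390C"
Key2=-desc="Prod" -sid="PRD" -clt="100" -u="JDOE" -l="EN" -cmd="se16"
"""

# -name="value" switches inside a sapshortcut.ini command line
SWITCH_RE = re.compile(r'-(\w+)="([^"]*)"')


def _parse_ini(text: str) -> configparser.ConfigParser:
    """Parse shortcut INI text, keeping key case and doing no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def scan_sap_shortcut(text: str) -> Dict[str, object]:
    """Summarise a <name>.sap file: target system/client/user and whether the
    [User] section stores a Password value at all."""
    cp = _parse_ini(text)
    return {
        "system": cp.get("System", "Name", fallback=""),
        "client": cp.get("System", "Client", fallback=""),
        "user": cp.get("User", "Name", fallback=""),
        "password_stored": bool(cp.get("User", "Password", fallback="")),
    }


def scan_sapshortcut_ini(text: str) -> List[Dict[str, object]]:
    """Summarise every [Command] entry of a sapshortcut.ini file."""
    cp = _parse_ini(text)
    out: List[Dict[str, object]] = []
    if not cp.has_section("Command"):
        return out
    for key, cmdline in cp.items("Command"):
        sw = dict(SWITCH_RE.findall(cmdline))
        out.append({
            "label": cp.get("Label", key, fallback=key),
            "system": sw.get("sid", ""),
            "client": sw.get("clt", ""),
            "user": sw.get("u", ""),
            "password_stored": bool(sw.get("pwenc")),
        })
    return out


def findings(entries: List[Dict[str, object]]) -> List[str]:
    """One report line per entry that stores a password (the value itself is
    never printed; the point is to locate and remove such shortcuts)."""
    return [f"{e['system']}/{e['client']} user {e['user']}: stored password"
            for e in entries if e["password_stored"]]


if __name__ == "__main__":
    for line in findings([scan_sap_shortcut(SAMPLE_SAP_SHORTCUT)]
                         + scan_sapshortcut_ini(SAMPLE_SAPSHORTCUT_INI)):
        print(line)
```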
23. Passwords from USR02, USH02, USRPWDHISTORY
24. USR02 password hash
• Well known password area
• Hash algorithm:
– CODVN A
– CODVN B (MD5-based)
– CODVN D (MD5-based)
– CODVN E (MD5-based)
– CODVN F (SHA1-based)
– CODVN G (Code versions B & F)
– CODVN H (SHA-1-based)
– CODVN I (Code versions B, F & H)
• Just use John the Ripper
25. Prevention
• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA – New password hash procedures – Background information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F
26. Passwords from RFC request
27. Passwords on client side
28. Passwords on client side
• If an attacker captures an RFC request with logon data, he will be:
– Happy because he got the login and password
– Upset because the password is encrypted
– Happy because the encryption is just a XOR (lol)
– Happy because the key is static
313ec…a4021
– Very happy because he got the clear text password
29. Passwords on client side
• …and the PY code to decrypt
# Python 3 version of the slide's Python 2 snippet
key = "313e…"                    # static RFC key (hex, elided on the slide)

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

enc_pass = "<pwd_there>"         # hex-encoded password field from the captured RFC request
dec_pass = sxor(bytes.fromhex(enc_pass), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
30. Prevention
• Secure RFC connection using SNC
• SAP Security Note 1724516
• RFC and SNC:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c4057cb185de10000000a1550b0/content.htm
32. SAP VisualAdmin
• SAP Visual Admin – a remote tool for controlling J2EE Engine
• Uses the P4 protocol – SAP’s proprietary
• By default, all data transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted with some sort of encryption
35. Prevention
• Secure P4 connection using SSL
• SAP Security Note 1724516
• Using P4 protocol over a secure connection:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm
36. SAP JAVA Security Storage
37. SecStore
• The AS Java stores security-relevant information encrypted in files in the file system, namely:
– Database user SAP<SID>DB and its password
– Database connection information
– Administrator user and its password
• The secure storage file is located at:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
39. SecStore
• OK. TripleDES. We need a key for decryption
• The main problem is that the key file is located in the same directory as the encrypted data:
\usr\sap\<SID>\SYS\global\security\data\SecStore.key
• The key consists of two parts:
– Version information
– Encrypted key phrase
40. SecStore
• Version information. It affects the TripleDES key
– If version >= 7.00.000, then the Triple DES key = key phrase + <SID>
• Encrypted key phrase
– By default, it is the initial password which the administrator sets up during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
– For encrypting the key phrase, XOR algorithm with static key is used
43,-74…,-41,-67
• That’s why, even if an attacker only gets the SecStore.key file, they can also get into SAP, because they then have the initial password
41. SecStore
• OK. We have the encrypted passwords (SecStore.properties)
• We have the decrypted key (SecStore.key)
• We can get all sensitive information from Security Storage
• As I said, data’s encrypted by the TripleDES algorithm
• More precisely, the encryption uses the TripleDES algorithm in
CBC mode using a secret key which is derived from a password
with the SHA hash algorithm
– The key is the key phrase from SecStore.key + <SID> (if version >=
7.00.000)
– The salt is the value 0000000000000000
42. SecStore
• We also wrote a tool which decrypts all the stuff from SAP JAVA
AS Security Storage (SecStore_Cr.jar)
• Also, SAP Secure Store file can have another name (ex.
JUpgrade.properties) and store other interesting data, like:
– Password for SAP OS user (SIDADM)
– DB password
– DDIC password
– etc…
43. Prevention
• Install SAP Note 1619539
• Restrict read access to files SecStore.properties,
JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
44. Passwords from log files
45. Log files
• We know about many places where SAP writes logs
• Administrator can define the verbosity level
• An attacker can find many interesting things in log files: information about the system, information about the users, even session information
• Very interesting path with logs: /sapinst_instdir/
But what about passwords?
46. Log files
• Passwords in SAP log files look like this:
dev_umconfigurator.trc
47. Log files
• Sometimes, we can find a clear text password
sapinst_dev.<n>.log
48. Log files
• Sometimes, we can find an encrypted password
49. Log files
• Guess what type of encryption is used?
• Right! XOR with a static hardcoded key:
31…65d
• As a result, we have a decryptor:
# Python 3 version of the slide's Python 2 snippet
key = "31…5d"                    # static hardcoded key (hex, elided on the slide)

def sxor(s1, s2):
    # byte-wise XOR of two equal-length byte strings
    return bytes(a ^ b for a, b in zip(s1, s2))

def prepare(val):
    # the log stores the value as "|"-separated decimal bytes; turn it into a
    # hex string with exactly two digits per byte (the original single-digit
    # hex for values below 16 broke the byte pairing); "& 0xFF" also copes
    # with Java-style signed bytes
    return "".join("%02x" % (int(a) & 0xFF) for a in val.split("|"))

encr = prepare(input("Enter encrypted password: "))
dec_pass = sxor(bytes.fromhex(encr), bytes.fromhex(key))
print("Decoded password is: " + dec_pass.decode("latin-1"))
50. Log files
• The same story with the config file
\usr\sap\<SID>\config\usagetypes.properties
51. Prevention
• Don’t use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in HTTP access log
• Incrementing/decrementing the trace level:
https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm
52. Passwords from SLD config file
53. SLD
• SLD is the central information repository for your system
landscape
• It contains information about:
– technical systems
– landscapes
– business systems
– products
– software components in your system landscape
54. SLD password files
• Configuration file: \usr\sap\<sid>\DVEBMGS<nn>\exe\slddest.cfg
– User name with DataSupplierLD role
– User password (wooot!)
– Host name
– Port
Encrypted by DES algorithm in the early version of SLD
Static default key is: 0A…71F
But if the user specifies the key, then the key file is stored next to the encrypted data file, in slddest.cfg.key
55. SLD password files
• In the latest versions of SLD, another algorithm is used:
TripleDES with hardcoded key
56. Prevention
• Restrict read access to the files slddest.cfg and slddest.cfg.key
• Configuring sldreg and transferring data to SLD:
http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm
57. Passwords from ABAP SecStore
58. Password from RSECTAB
• The secure storage is a component of the SAP Web Application
Server ABAP
• It allows the encrypted storage of sensitive data that SAP
applications require when logging into other systems
• These SAP applications use the storage to store passwords:
– RFC destinations
– Exchange Infrastructure (XI)
– LDAP system users
– SAPphone
– SAPconnect
– CCMS (Generic Request and Message Generator)
• Table RSECTAB
select rawtohex(DATA) from SAPSR3.RSECTAB
61. Password from RSECTAB
• TripleDES 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24
byte key is supplied. This means there are three DES operations
in the sequence encrypt-decrypt-encrypt with the three
different keys. The first key will be bytes 1 to 8, the second key
bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds
62. Password from RSECTAB
• First round
• Encrypt:
– char randomPrefix[2];
– char payload[109];
– char payloadLength;
– char magicLocal[4];
– char magicGlobalSalted[4];
– char recordIdentifierA7Hash[16];
63. Password from RSECTAB
• Key for the first round of encryption, based on the default key:
Key'def[1] = Keydef[1] ^ (Hsup[0] & 0xF0)
Key'def[6] = Keydef[6] ^ (Hsup[0] & 0x0F)
Key'def[7] = Keydef[7] ^ (Hsup[3] & 0xF0)
Key'def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
Key'def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
Key'def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
Key'def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
Key'def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)
• Where Hsup is md5(sidA7[3]+insnoA7[10])
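The nibble-wise key tweak from slides 61 to 63, worked through as an added Python example (not SAP's code and not ERPScan's tool): the only system-specific inputs are the SID and the installation number, neither of which is secret, so with an unchanged default key the first-round key is reproducible from public data, which is the reason the Prevention slide that follows says to change the default key. The 24-byte default key used here is a constructed placeholder, and treating sidA7[3]/insnoA7[10] as fixed-width, space-padded 7-bit ASCII is an assumption.

```python
import hashlib
from typing import Set, Tuple

# Tweak table transcribed from slide 63: (Key'def index, Hsup index, nibble mask).
TWEAKS = (
    (1, 0, 0xF0), (6, 0, 0x0F), (7, 3, 0xF0), (10, 1, 0xF0),
    (13, 1, 0x0F), (16, 4, 0x0F), (19, 2, 0xF0), (20, 2, 0x0F),
)

# Constructed placeholder standing in for Keydef; it is NOT SAP's default key.
PLACEHOLDER_DEFAULT_KEY = bytes(range(24))


def hsup(sid: str, insno: str) -> bytes:
    """Hsup = md5(sidA7[3] + insnoA7[10]) as stated on slide 63.
    Assumption: 'A7' means 7-bit ASCII and the fields are fixed width
    (3 and 10 characters), padded with spaces if shorter."""
    material = sid.ljust(3)[:3] + insno.ljust(10)[:10]
    return hashlib.md5(material.encode("ascii")).digest()


def first_round_key(key_def: bytes, sid: str, insno: str) -> bytes:
    """Derive Key'def for the first 3DES-EDE3 round: copy the 24-byte default
    key and XOR eight of its bytes with selected nibbles of Hsup."""
    if len(key_def) != 24:
        raise ValueError("a DES-EDE3 key is 24 bytes")
    h = hsup(sid, insno)
    k = bytearray(key_def)
    for key_idx, h_idx, mask in TWEAKS:
        k[key_idx] ^= h[h_idx] & mask
    return bytes(k)


def split_ede3_key(key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Slide 61: K1 = bytes 1..8, K2 = bytes 9..16, K3 = bytes 17..24
    (1-based on the slide; 0-based slices here)."""
    if len(key) != 24:
        raise ValueError("a DES-EDE3 key is 24 bytes")
    return key[:8], key[8:16], key[16:24]


def tweaked_positions(key_def: bytes, derived: bytes) -> Set[int]:
    """Byte offsets at which the derived key differs from the default key."""
    return {i for i, (a, b) in enumerate(zip(key_def, derived)) if a != b}


if __name__ == "__main__":
    # Constructed SID and installation number, purely for illustration.
    k1 = first_round_key(PLACEHOLDER_DEFAULT_KEY, "DM0", "0020123456")
    print("Key'def     :", k1.hex())
    print("tweaked at  :", sorted(tweaked_positions(PLACEHOLDER_DEFAULT_KEY, k1)))
    print("K1, K2, K3  :", [p.hex() for p in split_ede3_key(k1)])
```

Only bytes 1, 6, 7, 10, 13, 16, 19 and 20 can ever change, and each by at most one nibble, so the derived key carries 32 bits of system-specific variation on top of the default.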
65. Password from RSECTAB
• Second round
• Encrypt all data with the default key
66. Password from RSECTAB
• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded
67. Prevention
• Change the default key
• SAP Security Note 1902611
• Choosing your own key:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm
68. Passwords from DBCON table
69. DBCON table
• SAP has a connection with different DBs
• Administrator can manage this connection via the transaction
DBCO
• All DB connections information is stored encrypted in the table
DBCON (Description of Database Connections)
71. DBCON table
• Encrypted data looks like:
V01/0030ZctvSB67Wv1OuVLazse4ORik
– BASE64 + DES
– hardcoded key: 59A…70E
– decrypted data includes static salt: BE HAPPY
72. Prevention
• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566
74. SAP HANA
• User details (including passwords) stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore:
‒ SSFS_HDB.DAT
‒ with user data
‒ with keys
75. SAP HANA
• SSFS_HDB.DAT
• Signature: RSecSSFsData
• 3DES
• Default key is the same as in the ABAP Security Storage
76. SAP HANA
• SAP HANA – in memory database
• But it drops some data into FS
– Backup
– Savepoint
“The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state”
– SAP HANA Security Guide
77. SAP HANA
• “Data volume encryption ensures that anyone who can access
the data volumes on disk using operating system commands
cannot see the actual data. If data volumes are encrypted, all
pages that reside in the data area on disk are encrypted using
the AES-256-CBC algorithm.”
• “After data volume encryption has been enabled, an initial page
key is automatically generated. Page keys are never readable in
plain text, but are encrypted themselves using a dedicated
persistence encryption root key.”
78. SAP HANA
“SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that
are used to protect all encryption keys used in the SAP HANA system from
unauthorized access.”
• SSFS_HDB.DAT
– HDB_SERVER/PERSISTENCE/ROOTKEY
– HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the
following data:
– Database redo log files
– Database backups
– Database traces
79. Prevention
• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71)
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm
80. Etc..
• ICF Password Repository
– ICFSECPASSWD
• FI module passwords
– FIEB_PASSWORD
• Oracle Fail Safe
– Stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser – hardcoded SVN user
– SAP BusinessObjects Enterprise
XI.0\LCM_repository\svn_repository\conf
• SAP BusinessObjects axis2 login:password
– axis2.xml
Just try to grep DB using the word “password”
81. Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP guides
It’s all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of duties
• Security events monitoring