Thursday, September 10, 2015

Backdoor in SAP User Master Record



The SAP user master record holds the information related to a user: personal data, assigned roles and authorizations, and so on. In the world of SAP, any user with the authorization profile "SAP_ALL" has the highest privileges in the system.

In the previous post we saw that SAP systems store password hashes in the database table USR02 and can generate downwards-compatible hashes in order to communicate properly with interconnected SAP systems (older releases) that do not support the newer hashing mechanisms.

During the logon procedure, a hash value of the supplied password is generated by the system outside the SAP kernel and then compared with the password hashes stored in table USR02. This process is controlled by the SAP profile parameter "login/password_downwards_compatibility".

Depending on their requirements, SAP administrators can set the parameter "login/password_downwards_compatibility" to one of the values 0 to 5. In newer SAP releases this parameter is delivered with a default value of '1'.

Parameter
------------------------------------------------------
login/password_downwards_compatibility

Values (0-5):
------------------------------------------------------
0: Stores passwords in a format that systems with older kernels cannot interpret. The system only generates new (non-backward-compatible) password hash values.

1: The system generates backward-compatible password hash values internally but does not evaluate them for password-based logons (to its own system).

2: The system generates backward-compatible password hash values internally and checks them when a logon using the non-backward-compatible password hash (the newer hash) fails. In this way, the system checks whether the logon would have been accepted with the backward-compatible password (truncated after eight characters and converted to uppercase).

3: As with 2, but the logon is regarded as successful. This setting is intended to avoid backward-incompatibility problems.

4: As with 3, but the system does not create an entry in the system log.

5: Full backward compatibility: the system only creates backward compatible password hash values.


SAP systems support several password hashing algorithms, called code versions. Because of the downwards-compatibility requirement, newer SAP releases still support the older password hash algorithms; some SAP releases use code version 'G'. For more information about SAP code versions, check here.


To be clear, SAP code version 'G' is not an algorithm in itself but a combination of code versions 'B' and 'F'. This means that when code version 'G' is in use, SAP generates two hashes for each password and stores both in the database:

  • Code version 'B': the password (up to 8 characters, converted to upper case) is stored as an MD5 hash in the "BCODE" field of table USR02.
  • Code version 'F': the password (up to 40 characters, case insensitive) is stored as a SHA1 hash in the "PASSCODE" field of table USR02.




How could an attacker gain the highest privileges (SAP_ALL)?
  • The attacker generates his own MD5 password hash for the user ID BASIS.
  • He replaces the BASIS user's password hash with his own hash by updating the "BCODE" field in SAP table USR02.
  • He changes the SAP profile parameter "login/password_downwards_compatibility" to '4' (no SAP system log entry).
  • He logs into the SAP system as user BASIS with his own password, without knowing the legitimate user's password.
  • The legitimate user can still log into the system with his user ID and password, while the attacker can also log into the system with the same user ID (BASIS) but a different password.
  • The attacker can thus log into the SAP system without knowing the actual password. Once inside, he could assign himself the required permissions or perform database activities.

Countermeasures:
  • Restrict access to all critical tables.
  • Monitor changes to the values of profile parameters.
  • Set the parameter "login/password_downwards_compatibility" to '0' if downwards compatibility is not required.
  • SAP Note 1023437 - ABAP syst: Downwardly incompatible passwords (since NW2004s)
  • SAP Note 1458262 - ABAP: recommended settings for password hash algorithms
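As an added example (not code from the original post, and not SAP tooling), the following Python script turns the countermeasures above into checks a security team can run against exported data. It assumes two inputs: the value of login/password_downwards_compatibility read from the profile at a baseline and now, and a tab-separated export of the USR02 columns BNAME, BCODE and PASSCODE taken at the same two points in time. The export layout, the user names and all hash values are constructed. The script classifies the current parameter value using the table above, lists users whose BCODE is populated, and flags any user whose BCODE changed while PASSCODE did not, on the assumption that a genuine password change under code version 'G' regenerates both hashes, whereas a direct table update of BCODE alone leaves PASSCODE untouched.

```python
"""Audit the downwards-compatible hash exposure in SAP USR02 (added example).

Not SAP code or tooling. Assumed inputs: login/password_downwards_compatibility
at a baseline and now, plus tab-separated exports of the USR02 columns BNAME,
BCODE, PASSCODE at the same two times. All sample values are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Effect of each parameter value, condensed from the table above:
# (description, whether a logon can succeed on the BCODE hash alone).
PARAM_EFFECT = {
    0: ("no backward-compatible hashes are generated", False),
    1: ("backward-compatible hash stored but not evaluated at logon", False),
    2: ("backward-compatible hash checked, logon still rejected and logged", False),
    3: ("logon on the backward-compatible hash is accepted and logged", True),
    4: ("logon on the backward-compatible hash is accepted and NOT logged", True),
    5: ("only backward-compatible hashes are generated and used", True),
}
SILENT_VALUES = {4}  # the fallback logon produces no system log entry


@dataclass(frozen=True)
class UserHashes:
    bname: str
    bcode: str
    passcode: str


def parse_usr02_export(text):
    """Parse a tab-separated export with the header BNAME, BCODE, PASSCODE."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {
        row["BNAME"]: UserHashes(row["BNAME"],
                                 (row.get("BCODE") or "").strip(),
                                 (row.get("PASSCODE") or "").strip())
        for row in reader
    }


def classify_parameter(value):
    """Return (risk, reason) for a login/password_downwards_compatibility value."""
    if value not in PARAM_EFFECT:
        raise ValueError(f"value {value!r} outside the documented range 0-5")
    reason, logon_possible = PARAM_EFFECT[value]
    if value in SILENT_VALUES:
        return "critical", reason  # a planted BCODE works and leaves no log entry
    if logon_possible:
        return "high", reason      # a planted BCODE works, but the logon is logged
    if value == 0:
        return "ok", reason
    return "medium", reason        # BCODE stored (8-char uppercase hash) but not usable for logon


def find_suspicious_bcode_changes(baseline, current):
    """Users whose BCODE changed while PASSCODE stayed the same.

    Assumption: a genuine password change under code version 'G' regenerates
    both hashes, so a lone BCODE change points at a direct table update.
    """
    findings = []
    for bname, cur in current.items():
        base = baseline.get(bname)
        if base is not None and cur.bcode != base.bcode and cur.passcode == base.passcode:
            findings.append(bname)
    return sorted(findings)


def audit(baseline_param, current_param, baseline_export, current_export):
    """Combine the parameter check and the table comparison into one report."""
    risk, reason = classify_parameter(current_param)
    baseline = parse_usr02_export(baseline_export)
    current = parse_usr02_export(current_export)
    return {
        "parameter_value": current_param,
        "parameter_risk": risk,
        "parameter_reason": reason,
        "parameter_raised": current_param > baseline_param,
        "bcode_logon_possible": PARAM_EFFECT[current_param][1],
        "users_with_bcode": sorted(u.bname for u in current.values() if u.bcode),
        "suspicious_bcode_changes": find_suspicious_bcode_changes(baseline, current),
    }


def _tsv(rows):
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed sample exports: BASIS has a new BCODE but the same PASSCODE (the
# pattern described above); DDIC had a normal password change (both hashes
# changed); AUDIT01 never had a BCODE.
BASELINE_EXPORT = _tsv([
    ("BNAME", "BCODE", "PASSCODE"),
    ("BASIS", "6A1E0C92B47D5F38", "0F3B9C1D7E2A5468B9C0D1E2F3A4B5C6D7E8F901"),
    ("DDIC", "9C4B2A7D1E5F3068", "5D6E7F8091A2B3C4D5E6F70819A2B3C4D5E6F708"),
    ("AUDIT01", "", "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"),
])
CURRENT_EXPORT = _tsv([
    ("BNAME", "BCODE", "PASSCODE"),
    ("BASIS", "D3E1F5A7C9B0246F", "0F3B9C1D7E2A5468B9C0D1E2F3A4B5C6D7E8F901"),
    ("DDIC", "2B7A9F1C4E6D8035", "C0FFEE11223344556677889900AABBCCDDEEFF00"),
    ("AUDIT01", "", "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"),
])

if __name__ == "__main__":
    # Baseline had the delivered default 1; the parameter has since been raised to 4.
    for key, value in audit(1, 4, BASELINE_EXPORT, CURRENT_EXPORT).items():
        print(f"{key}: {value}")
```

Run as-is it reports the constructed scenario: parameter risk "critical" (value 4, silent fallback logon), the parameter raised since the baseline, two users with a populated BCODE, and BASIS flagged for a BCODE change without a matching PASSCODE change. To use it on a real system, replace the two export constants with exports of the three USR02 columns and supply the parameter values read from the instance profile.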

