Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: SAP R/3, account locking and RFC SDK

SAP R/3, account locking and RFC SDK

From: Nicolas Gregoire <ngregoire_at_exaprobe.com>
Date: 04 Mar 2003 16:54:46 +0100

Hi,

I wrote a networked password checker for SAP R/3, mainly based on the
sapinfo program provided by SAP and using the RFC (Remote Function Call)
API.

In a default install of SAP R/3, three bad login/password attempts in
the SAPGUI will kill the GUI. After 4 SAPGUI deaths (4*3 = 12 attempts),
the tested account is locked (UFLAG=128 in SAPR3.USR02).

My problem is that, with the RFC API, I can check as much login/password
combo as I want, without locking the target account. Once the password
is found, I just have to use SAPGUI to log in the SAP system.

So, IMO and as far as I tested it, account locking isn't working via the
API provided by the SDK RFC. Could somebody confirm this behaviour ?

This was tested on Linux for the client side and on Win2K for the server
side. The release of SAP R/3 is 46C/D.

Regards, 

-- 
Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Received on Mar 04 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos