Home page logo

fulldisclosure logo Full Disclosure mailing list archives

SAP R/3, account locking and RFC SDK
From: Nicolas Gregoire <ngregoire () exaprobe com>
Date: 04 Mar 2003 16:54:46 +0100


I wrote a networked password checker for SAP R/3, mainly based on the
sapinfo program provided by SAP and using the RFC (Remote Function Call)

In a default install of SAP R/3, three bad login/password attempts in
the SAPGUI will kill the GUI. After 4 SAPGUI deaths (4*3 = 12 attempts),
the tested account is locked (UFLAG=128 in SAPR3.USR02).

My problem is that, with the RFC API, I can check as much login/password
combo as I want, without locking the target account. Once the password
is found, I just have to use SAPGUI to log in the SAP system.

So, IMO and as far as I tested it, account locking isn't working via the
API provided by the SDK RFC. Could somebody confirm this behaviour ?

This was tested on Linux for the client side and on Win2K for the server
side. The release of SAP R/3 is 46C/D.

Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
ngregoire () exaprobe com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
  • SAP R/3, account locking and RFC SDK Nicolas Gregoire (Mar 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]