|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-Disclosure] SAP R/3, account locking and RFC SDK
From: Nicolas Gregoire (ngregoire
exaprobe.com)
Date: Tue Mar 04 2003 - 09:54:46 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
I wrote a networked password checker for SAP R/3, mainly based on the
sapinfo program provided by SAP and using the RFC (Remote Function Call)
API.
In a default install of SAP R/3, three bad login/password attempts in
the SAPGUI will kill the GUI. After 4 SAPGUI deaths (4*3 = 12 attempts),
the tested account is locked (UFLAG=128 in SAPR3.USR02).
My problem is that, with the RFC API, I can check as much login/password
combo as I want, without locking the target account. Once the password
is found, I just have to use SAPGUI to log in the SAP system.
So, IMO and as far as I tested it, account locking isn't working via the
API provided by the SDK RFC. Could somebody confirm this behaviour ?
This was tested on Linux for the client side and on Win2K for the server
side. The release of SAP R/3 is 46C/D.
Regards,
--
Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
ngregoireexaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQA+ZMxGuhlqje80vsMRAi56AKCuSkw1LDaIKHpsRoVYHlZaD7mnOQCeOd6q
nDW5YBQ7IpRfSLn4Dz7PxFw=
=CFQa
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]