| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1046793286.1028.50.camel@bobby> From: ngregoire at exaprobe.com (Nicolas Gregoire) Subject: SAP R/3, account locking and RFC SDK Hi, I wrote a networked password checker for SAP R/3, mainly based on the sapinfo program provided by SAP and using the RFC (Remote Function Call) API. In a default install of SAP R/3, three bad login/password attempts in the SAPGUI will kill the GUI. After 4 SAPGUI deaths (4*3 = 12 attempts), the tested account is locked (UFLAG=128 in SAPR3.USR02). My problem is that, with the RFC API, I can check as much login/password combo as I want, without locking the target account. Once the password is found, I just have to use SAPGUI to log in the SAP system. So, IMO and as far as I tested it, account locking isn't working via the API provided by the SDK RFC. Could somebody confirm this behaviour ? This was tested on Linux for the client side and on Win2K for the server side. The release of SAP R/3 is 46C/D. Regards, -- Nicolas Gregoire ----- Consultant en S?curit? des Syst?mes d'Information ngregoire@...probe.com ------[ ExaProbe ]------ http://www.exaprobe.com/ PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030304/766f084b/attachment.bin
Powered by blists - more mailing lists