Full Disclosure mailing list archives

Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords


From: Michael Krymson <krymson () gmail com>
Date: Wed, 21 Oct 2009 08:36:21 -0500

Oh shit, accounting () mckesson com bounced, too! That must mean they don't
even have any accounting!

Your discovery made a healthcare IT 'news' site. Maybe if you ask nicely,
this 'mover and shaker' with the too-busy blog will grace us with his
technical debunking of this issue!

http://histalk2.com/ "From *Secret Squirrel*: “Re: McKesson. Horizon
Clinical Infrastructure (HCI) appears to use hard-coded database passwords.
A security organization has run the entire password list online.” I thought
everyone knew that, but maybe not (I reconsidered adding fuel to the
technical fire, so I’m not including the link). The poster was amused that
e-mailing security () mckesson com bounced back as undeliverable. I would
imagine that many vendors have services that log on as “users” that may or
may not use encrypted passwords, some of which give full read/write/update
database privileges. I would also imagine that vendors ship default
passwords (some intended as their own “back door” in case clients screw up)
that unlock every system they’ve ever sold. The clients I’ve known never
seem to worry much about that."

On Mon, Oct 19, 2009 at 10:33 AM, Shawn Merdinger <shawnmer () gmail com> wrote:

Great find!

And should we _really be surprised_ at the following bounce?

<snip>

Delivery to the following recipient failed permanently:

   security () mckesson com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
recipient domain. We recommend contacting the other email provider for
further information about the cause of this error. The error that the
other server returned was: 550 550 Mailbox unavailable or access
denied - <security () mckesson com> (state 17).

</snip>

Cheers,
--scm


On Sun, Oct 18, 2009 at 1:39 AM, <graphic7 () gmail com> wrote:
Subject: McKesson Horizon Clinical Infrastructure (HCI) version
7.6/7.8/10.0/10.1 hardcoded passwords

McKesson Horizon Clinical Infrastructure, also known as McKesson HCI,
utilizes hardcoded passwords for Oracle database access. HCI serves as the
patient record datastore for the majority of McKesson applications. There
are two components to an HCI implementation: the Infrastructure (or Master)
server and the database back-end. The HCI Infrastructure Server has an
Oracle client installed that initializes OCI/sqlplus connections to the
Oracle database back-end. A file on each HCI Infrastructure server contains
the database account usernames and their respective passwords,
/usr/local/bin/password. Content from /usr/local/bin/password is shown:

# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
SYSTEM:urA7mvP
CHANGEMGR:datacontrol
CCDEV:ccdev
CCDBA:ccnulls                *HAS ORACLE SYSDBA PRIVS*
CCDATA:ccdata
CCFORMS:ccforms
CCINTERFACE:ccinterface
MCKHEO:mckheo
CCREL:ccrel
CCQUERY:ccquery
CDXWEB:winplu5
DRUG1:fdb3schema
DRUG2:fdb3schema
enc_ent:encent
ENT:entpazz
ENT_CONFIG:ent_configpazz
ADF:adfpazz
INF:infpazz
INF_CONFIG:inf_configpazz
SDM:sdmpazz
STRMADM:pazzw0rd
ENT_AUD:pazzw0rd
ENT_ARCH:pazzw0rd
POC_ARCH:pazzw0rd
POC_AQ:qmanager
INF_AQ:qmanager
DATAMGR:datamgr
CCUSER:bueno
ALERTS:monitorhca
HCALERTS:alertsuser
AM:ampazz
AM_AUD:pazzw0rd
AUD:audpazz
TMF:tmfpazz
MN:mnpazz
EH:ehpazz
NG:ngpazz
DM:dmpazz
DMTOOL:dmtoolpazz
STG_DMT:stg_dmtpazz
WRL:wrlpazz
NOTES:notespazz
REPORTS:reportspazz
ICONS:iconspazz
BS:bspazz
QZ:qzpazz
RM:rmpazz
RM_AUD:pazzw0rd
COMMGR:commgrpazz
OPSERVICE:opservicepazz
SEC_CONFIG:sec_configpazz
CTXSYS:ctxsyspazz
OLOGY:ologypazz
OLOGY_CONFIG:ology_configpazz
DOC:docpazz
DOC_CONFIG:doc_configpazz
PORTAL:portal
PORTAL_INSTALL:portal_install
EBIDBADMIN:ebidbadmin
DESIGN_OWNER:owb
OWB_RUNTIME_REPOSITORY:owb
RUNTIME_A_USER:owb

Despite having a "central" password file that contains the credential
information, many of the credentials are hardcoded throughout binaries and
scripts that are shipped as part of the HCI Infrastructure server.

# cd /u/live
# find . -type f -print | xargs grep ccnull | wc -l
85

Here is some context of how the credentials are used throughout the HCI
code:

# find . -type f -print | xargs grep ccnull
./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF
./all_ord:LOGIN=ccdba/ccnulls
./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE <<- ENDSQL

McKesson supports HCI on AIX, HP-UX, and Linux. The nature of hardcoded
passwords implies that for every customer that has purchased HCI, the
credentials for all of these role accounts are the same across the
installations.

According to the following press release,
http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson
software is installed in 70% of hospitals within the US. HCI serves as the
core infrastructure component of other McKesson applications such as Horizon
Lab, Horizon Patient Folder, Horizon CareLink, Horizon Expert Documentation,
etc.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

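As an added defender-side example (not part of the original post and not McKesson's code), the two checks below look for the two conditions the advisory describes: a central USER:password file whose passwords are reused across accounts or derived from the username, and sqlplus/sqlldr connect strings embedded in shell scripts. All sample data is constructed; the account names and passwords are placeholders, not the product's values.

```python
"""Audit a USER:password file and scan scripts for embedded Oracle credentials."""
import re
from collections import defaultdict

# Constructed sample data in the shape of the advisory's output; the
# passwords are placeholders, not the product's real values.
SAMPLE_PASSWORD_FILE = """\
ALPHA:alphapazz
BETA:betapazz
GAMMA:shared0
DELTA:shared0
EPSILON:epsilon
"""
SAMPLE_SCRIPTS = {
    "RUN_dmArchive": "remote_db=`sqlplus -s alpha/alphapazz$DB_SPEC_IF_REMOTE << EOF",
    "all_ord": "LOGIN=alpha/alphapazz",
    "bin/BatchDischarge": 'ora_user="alpha/alphapazz$DB_SPEC_IF_REMOTE"',
    "bin/Make_iv_template": "sqlldr alpha/alphapazz iv_bottle >> $LOG",
    "bin/nolog_ok": "sqlplus /nolog @/u/live/sql/report.sql",  # no credential
}

# user/password following a tool name or an assignment; the password stops at
# whitespace, quotes, '@' (TNS alias) or '$' (shell variable such as $DB_SPEC).
CONNECT_RE = re.compile(
    r'(?:sqlplus|sqlldr|LOGIN=|ora_user=")\s*(?:-[sS]\s+)?'
    r"([A-Za-z_][A-Za-z0-9_$#]*)/([^\s@\"'`$]+)")


def find_embedded_credentials(files):
    """Return [(path, USER, redacted_secret)] for every connect string found."""
    hits = []
    for path, text in files.items():
        for m in CONNECT_RE.finditer(text):
            user, secret = m.group(1), m.group(2)
            hits.append((path, user.upper(), secret[0] + "*" * (len(secret) - 1)))
    return hits


def audit_password_file(text):
    """Return (passwords shared by several accounts, accounts whose password starts with their name)."""
    by_secret = defaultdict(list)
    derived = []
    for line in text.splitlines():
        user, _, secret = line.partition(":")
        if not secret:
            continue
        by_secret[secret].append(user)
        if secret.lower().startswith(user.lower()):
            derived.append(user)
    reused = {s: users for s, users in by_secret.items() if len(users) > 1}
    return reused, derived
```

Run over a real tree, `find_embedded_credentials` would be fed the contents of each file under the install root (the advisory's `/u/live`), and any hit is a credential that lives outside the central file and must be rotated everywhere it appears.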