Full Disclosure mailing list archives
Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords
From: Rohit Patnaik <quanticle () gmail com>
Date: Mon, 19 Oct 2009 18:53:26 -0500
This really increases my faith in the continuing push towards electronic medical records. /sarcasm

--Rohit Patnaik

On Mon, Oct 19, 2009 at 10:33 AM, Shawn Merdinger <shawnmer () gmail com> wrote:

Great find! And should we _really be surprised_ at the following bounce?

<snip>
Delivery to the following recipient failed permanently:

security () mckesson com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 Mailbox unavailable or access denied - <security () mckesson com> (state 17).
</snip>

Cheers,
--scm

On Sun, Oct 18, 2009 at 1:39 AM, <graphic7 () gmail com> wrote:

Subject: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords

McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, utilizes hardcoded passwords for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson applications. There are two components to an HCI implementation: the Infrastructure (or Master) server and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server contains the database account usernames and their respective passwords, /usr/local/bin/password.

Content from /usr/local/bin/password is shown:

# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
SYSTEM:urA7mvP
CHANGEMGR:datacontrol
CCDEV:ccdev
CCDBA:ccnulls *HAS ORACLE SYSDBA PRIVS*
CCDATA:ccdata
CCFORMS:ccforms
CCINTERFACE:ccinterface
MCKHEO:mckheo
CCREL:ccrel
CCQUERY:ccquery
CDXWEB:winplu5
DRUG1:fdb3schema
DRUG2:fdb3schema
enc_ent:encent
ENT:entpazz
ENT_CONFIG:ent_configpazz
ADF:adfpazz
INF:infpazz
INF_CONFIG:inf_configpazz
SDM:sdmpazz
STRMADM:pazzw0rd
ENT_AUD:pazzw0rd
ENT_ARCH:pazzw0rd
POC_ARCH:pazzw0rd
POC_AQ:qmanager
INF_AQ:qmanager
DATAMGR:datamgr
CCUSER:bueno
ALERTS:monitorhca
HCALERTS:alertsuser
AM:ampazz
AM_AUD:pazzw0rd
AUD:audpazz
TMF:tmfpazz
MN:mnpazz
EH:ehpazz
NG:ngpazz
DM:dmpazz
DMTOOL:dmtoolpazz
STG_DMT:stg_dmtpazz
WRL:wrlpazz
NOTES:notespazz
REPORTS:reportspazz
ICONS:iconspazz
BS:bspazz
QZ:qzpazz
RM:rmpazz
RM_AUD:pazzw0rd
COMMGR:commgrpazz
OPSERVICE:opservicepazz
SEC_CONFIG:sec_configpazz
CTXSYS:ctxsyspazz
OLOGY:ologypazz
OLOGY_CONFIG:ology_configpazz
DOC:docpazz
DOC_CONFIG:doc_configpazz
PORTAL:portal
PORTAL_INSTALL:portal_install
EBIDBADMIN:ebidbadmin
DESIGN_OWNER:owb
OWB_RUNTIME_REPOSITORY:owb
RUNTIME_A_USER:owb

Despite having a "central" password file that contains the credential information, many of the credentials are hardcoded throughout binaries and scripts that are shipped as part of the HCI Infrastructure server.

# cd /u/live
# find . -type f -print | xargs grep ccnull | wc -l
85

Here is some context of how the credentials are used throughout the HCI code:

# find . -type f -print | xargs grep ccnull
./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE <<EOF
./all_ord:LOGIN=ccdba/ccnulls
./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE <<- ENDSQL

McKesson supports HCI on AIX, HP-UX, and Linux. The nature of hardcoded passwords implies that for every customer that has purchased HCI, the credentials for all of these role accounts are the same across the installations. According to the following press release, http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson software is installed in 70% of hospitals within the US. HCI serves as the core infrastructure component of other McKesson applications such as Horizon Lab, Horizon Patient Folder, Horizon CareLink, Horizon Expert Documentation, etc.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
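The advisory counts one account's hits with `find . -type f -print | xargs grep ccnull | wc -l`. The script below is an added example (my code, not the advisory author's or McKesson's) that generalizes that check: it parses a USER:password file in the format quoted above, walks a source tree for `user/password` strings attached to Oracle client invocations (`sqlplus`, `sqlldr`, `connect`, `LOGIN=`, `ora_user=`), reports hits per account, and separately flags embedded credentials that are not in the central file at all. The password file contents and the script tree it scans are constructed in a temporary directory to mimic the lines quoted in the advisory; the keyword list and the regular expression are my own assumptions about how such credentials appear, not a McKesson format.

```python
#!/usr/bin/env python3
"""Cross-reference a USER:password file against a source tree for hardcoded
Oracle credentials. Added example, not code from the advisory or from McKesson;
the sample password file and script tree below are constructed for the demo."""
import os
import re
import tempfile

# Constructed: same line format as the quoted /usr/local/bin/password
# (USER:password, optional trailing note).
SAMPLE_PASSWORD_FILE = """\
CCDBA:ccnulls *HAS ORACLE SYSDBA PRIVS*
CCUSER:bueno
SYS:alLp0ver2
"""

# Constructed: scripts mimicking the grep hits quoted in the advisory, plus two
# cases that must not be flagged and one credential absent from the password file.
SAMPLE_TREE = {
    "RUN_dmArchive": "remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE <<EOF\n",
    "all_ord": "LOGIN=ccdba/ccnulls\n",
    "bin/Make_iv_template": "sqlldr ccdba/ccnulls iv_bottle >> $LOG\n",
    "bin/nolog": "sqlplus /nolog <<EOF\nconnect ccdba/ccnulls\nEOF\n",
    "bin/report": "sqlplus -S reports/reportspazz@$SID <<- ENDSQL\n",
    "bin/safe": 'sqlplus -S "$ORA_USER" <<EOF\n',  # credential comes from the environment
}

# user/password following an Oracle client keyword (assumed keyword list). The
# password stops at whitespace, @tns, quotes, redirection or a shell $variable
# (as in ccnulls$DB_SPEC_IF_REMOTE); the user must not be a path component.
CRED_RE = re.compile(
    r'(?:sqlplus|sqlldr|connect\s|LOGIN=|ora_user=)[^\n]*?'
    r'(?<![\w/.$])([A-Za-z][\w$#]*)/([^\s@"\'<>`$/]+)',
    re.IGNORECASE,
)


def parse_password_file(text):
    """Return {USER: password} from USER:password lines; comments, blank lines
    and trailing notes such as *HAS ORACLE SYSDBA PRIVS* are ignored."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, rest = line.partition(":")
        fields = rest.split()
        if fields:
            creds[user.strip().upper()] = fields[0]
    return creds


def scan_tree(root, creds):
    """Walk root and return sorted (relpath, lineno, user, password, listed)
    tuples for every embedded user/password string; listed is True when the
    pair matches an entry in the password file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            rel = os.path.relpath(path, root)
            for lineno, line in enumerate(lines, 1):
                for m in CRED_RE.finditer(line):
                    user, password = m.group(1), m.group(2)
                    listed = creds.get(user.upper()) == password
                    hits.append((rel, lineno, user, password, listed))
    return sorted(hits)


def summarize(hits):
    """Per-account hit counts (the advisory's `grep ccnull | wc -l`, for every
    account at once) and the credentials not listed in the password file."""
    counts, unlisted = {}, set()
    for _, _, user, password, listed in hits:
        counts[user.upper()] = counts.get(user.upper(), 0) + 1
        if not listed:
            unlisted.add((user, password))
    return counts, unlisted


def build_sample_tree(root):
    """Write the constructed sample scripts under root."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return (creds, hits)."""
    creds = parse_password_file(SAMPLE_PASSWORD_FILE)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan_tree(root, creds)
    return creds, hits


if __name__ == "__main__":
    creds, hits = run_demo()
    for rel, lineno, user, password, listed in hits:
        note = "" if listed else "  (not in password file)"
        print(f"{rel}:{lineno}: {user}/{password}{note}")
    counts, unlisted = summarize(hits)
    print("per-account hit counts:", counts)
    print("credentials absent from password file:", sorted(unlisted))
```

On a real host you would replace `SAMPLE_PASSWORD_FILE` with the contents of /usr/local/bin/password and call `scan_tree("/u/live", creds)`; the `connect` keyword catches credentials inside `sqlplus /nolog` heredocs that a grep for the username alone would miss, and the `$`-terminated password class keeps `ccnulls$DB_SPEC_IF_REMOTE` from being read as one password.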
Current thread:
- McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords graphic7 (Oct 19)
- Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords Shawn Merdinger (Oct 19)
- Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords Rohit Patnaik (Oct 19)
- Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords Michael Krymson (Oct 21)
- Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords Shawn Merdinger (Oct 21)
- Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords Shawn Merdinger (Oct 19)