| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Oct 2009 18:53:26 -0500
From: Rohit Patnaik <quanticle@...il.com>
To: Shawn Merdinger <shawnmer@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: McKesson Horizon Clinical Infrastructure
(HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords
This really increases my faith in the continuing push towards electronic
medical records. /sarcasm
--Rohit Patnaik
On Mon, Oct 19, 2009 at 10:33 AM, Shawn Merdinger <shawnmer@...il.com>wrote:
> Great find!
>
> And should we _really be surprised_ at the following bounce?
>
> <snip>
>
> Delivery to the following recipient failed permanently:
>
> security@...esson.com
>
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the
> recipient domain. We recommend contacting the other email provider for
> further information about the cause of this error. The error that the
> other server returned was: 550 550 Mailbox unavailable or access
> denied - <security@...esson.com> (state 17).
>
> </snip>
>
> Cheers,
> --scm
>
>
> On Sun, Oct 18, 2009 at 1:39 AM, Derek Lewis <graphic7@...il.com> wrote:
> > Subject: McKesson Horizon Clinical Infrastructure (HCI) version
> > 7.6/7.8/10.0/10.1 hardcoded passwords
> >
> > McKesson Horizon Clinical Infrastructure, also known as McKesson HCI,
> > utilizes hardcoded passwords
> > for Oracle database access. HCI serves as the patient record datastore
> for
> > the majority of McKesson applications. There are two components to an HCI
> > implementation: the Infrastructure (or Master) server
> > and the database back-end. The HCI Infrastructure Server has an Oracle
> > client installed that initializes
> > OCI/sqlplus connections to the Oracle database back-end. A file on each
> HCI
> > Infrastructure server
> > contains the database account usernames and their respective passwords,
> > /usr/local/bin/password. Content from /usr/local/bin/password is shown:
> >
> > # cat /usr/local/bin/password
> > AMBU:hacschema
> > QUEUE_USER:qmanager
> > SYS:alLp0ver2
> > SYSTEM:urA7mvP
> > CHANGEMGR:datacontrol
> > CCDEV:ccdev
> > CCDBA:ccnulls *HAS ORACLE SYSDBA PRIVS*
> > CCDATA:ccdata
> > CCFORMS:ccforms
> > CCINTERFACE:ccinterface
> > MCKHEO:mckheo
> > CCREL:ccrel
> > CCQUERY:ccquery
> > CDXWEB:winplu5
> > DRUG1:fdb3schema
> > DRUG2:fdb3schema
> > enc_ent:encent
> > ENT:entpazz
> > ENT_CONFIG:ent_configpazz
> > ADF:adfpazz
> > INF:infpazz
> > INF_CONFIG:inf_configpazz
> > SDM:sdmpazz
> > STRMADM:pazzw0rd
> > ENT_AUD:pazzw0rd
> > ENT_ARCH:pazzw0rd
> > POC_ARCH:pazzw0rd
> > POC_AQ:qmanager
> > INF_AQ:qmanager
> > DATAMGR:datamgr
> > CCUSER:bueno
> > ALERTS:monitorhca
> > HCALERTS:alertsuser
> > AM:ampazz
> > AM_AUD:pazzw0rd
> > AUD:audpazz
> > TMF:tmfpazz
> > MN:mnpazz
> > EH:ehpazz
> > NG:ngpazz
> > DM:dmpazz
> > DMTOOL:dmtoolpazz
> > STG_DMT:stg_dmtpazz
> > WRL:wrlpazz
> > NOTES:notespazz
> > REPORTS:reportspazz
> > ICONS:iconspazz
> > BS:bspazz
> > QZ:qzpazz
> > RM:rmpazz
> > RM_AUD:pazzw0rd
> > COMMGR:commgrpazz
> > OPSERVICE:opservicepazz
> > SEC_CONFIG:sec_configpazz
> > CTXSYS:ctxsyspazz
> > OLOGY:ologypazz
> > OLOGY_CONFIG:ology_configpazz
> > DOC:docpazz
> > DOC_CONFIG:doc_configpazz
> > PORTAL:portal
> > PORTAL_INSTALL:portal_install
> > EBIDBADMIN:ebidbadmin
> > DESIGN_OWNER:owb
> > OWB_RUNTIME_REPOSITORY:owb
> > RUNTIME_A_USER:owb
> >
> > Despite having a "central" password file that contains the credential
> > information, much of the credentials
> > are hardcoded throughout binaries and scripts that are shipped as part of
> > the HCI Infrastructure server.
> >
> > # cd /u/live
> > # find . -type f -print | xargs grep ccnull | wc -l
> > 85
> >
> > Here is some context of how the credentials are used throughout the HCI
> > code:
> >
> > # find . -type f -print | xargs grep ccnull
> > ./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE <<
> EOF
> > ./all_ord:LOGIN=ccdba/ccnulls
> > ./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> > ./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> > ./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
> > ./bin/Make_iv_template:ORD_SEQ=`sqlplus -S
> ccdba/ccnulls$DB_SPEC_IF_REMOTE
> > <<- ENDSQL
> >
> > McKesson supports HCI on the AIX, HP-UX, and Linux. The nature of
> hardcoded
> > passwords implies
> > that for every customer that has purchased HCI, the credentials for all
> of
> > these role accounts are the same across the installations.
> >
> > According to the following press release,
> > http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html,
> McKesson
> > software is installed in 70% of hospitals within the US. HCI serves as
> the
> > core infrastructure
> > component of other McKesson applications such as Horizon Lab, Horizon
> > Patient Folder, Horizon CareLink,
> > Horizon Expert Documentation, etc.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists