| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 18 Oct 2009 00:39:21 -0500
From: Derek Lewis <graphic7@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: McKesson Horizon Clinical Infrastructure (HCI)
version 7.6/7.8/10.0/10.1 hardcoded passwords
Subject: McKesson Horizon Clinical Infrastructure (HCI) version
7.6/7.8/10.0/10.1 hardcoded passwords
McKesson Horizon Clinical Infrastructure, also known as McKesson HCI,
utilizes hardcoded passwords
for Oracle database access. HCI serves as the patient record datastore for
the majority of McKesson applications. There are two components to an HCI
implementation: the Infrastructure (or Master) server
and the database back-end. The HCI Infrastructure Server has an Oracle
client installed that initializes
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI
Infrastructure server
contains the database account usernames and their respective passwords,
/usr/local/bin/password. Content from /usr/local/bin/password is shown:
# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
SYSTEM:urA7mvP
CHANGEMGR:datacontrol
CCDEV:ccdev
CCDBA:ccnulls *HAS ORACLE SYSDBA PRIVS*
CCDATA:ccdata
CCFORMS:ccforms
CCINTERFACE:ccinterface
MCKHEO:mckheo
CCREL:ccrel
CCQUERY:ccquery
CDXWEB:winplu5
DRUG1:fdb3schema
DRUG2:fdb3schema
enc_ent:encent
ENT:entpazz
ENT_CONFIG:ent_configpazz
ADF:adfpazz
INF:infpazz
INF_CONFIG:inf_configpazz
SDM:sdmpazz
STRMADM:pazzw0rd
ENT_AUD:pazzw0rd
ENT_ARCH:pazzw0rd
POC_ARCH:pazzw0rd
POC_AQ:qmanager
INF_AQ:qmanager
DATAMGR:datamgr
CCUSER:bueno
ALERTS:monitorhca
HCALERTS:alertsuser
AM:ampazz
AM_AUD:pazzw0rd
AUD:audpazz
TMF:tmfpazz
MN:mnpazz
EH:ehpazz
NG:ngpazz
DM:dmpazz
DMTOOL:dmtoolpazz
STG_DMT:stg_dmtpazz
WRL:wrlpazz
NOTES:notespazz
REPORTS:reportspazz
ICONS:iconspazz
BS:bspazz
QZ:qzpazz
RM:rmpazz
RM_AUD:pazzw0rd
COMMGR:commgrpazz
OPSERVICE:opservicepazz
SEC_CONFIG:sec_configpazz
CTXSYS:ctxsyspazz
OLOGY:ologypazz
OLOGY_CONFIG:ology_configpazz
DOC:docpazz
DOC_CONFIG:doc_configpazz
PORTAL:portal
PORTAL_INSTALL:portal_install
EBIDBADMIN:ebidbadmin
DESIGN_OWNER:owb
OWB_RUNTIME_REPOSITORY:owb
RUNTIME_A_USER:owb
Despite having a "central" password file that contains the credential
information, much of the credentials
are hardcoded throughout binaries and scripts that are shipped as part of
the HCI Infrastructure server.
# cd /u/live
# find . -type f -print | xargs grep ccnull | wc -l
85
Here is some context of how the credentials are used throughout the HCI
code:
# find . -type f -print | xargs grep ccnull
./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF
./all_ord:LOGIN=ccdba/ccnulls
./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE
<<- ENDSQL
McKesson supports HCI on the AIX, HP-UX, and Linux. The nature of hardcoded
passwords implies
that for every customer that has purchased HCI, the credentials for all of
these role accounts are the same across the installations.
According to the following press release,
http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson
software is installed in 70% of hospitals within the US. HCI serves as the
core infrastructure
component of other McKesson applications such as Horizon Lab, Horizon
Patient Folder, Horizon CareLink,
Horizon Expert Documentation, etc.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists