lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fb0927a80910190833u267d0a3egfad6881033c5b300@mail.gmail.com>
Date: Mon, 19 Oct 2009 11:33:11 -0400
From: Shawn Merdinger <shawnmer@...il.com>
To: Derek Lewis <graphic7@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: McKesson Horizon Clinical Infrastructure
	(HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords

Great find!

And should we _really be surprised_ at the following bounce?

<snip>

Delivery to the following recipient failed permanently:

    security@...esson.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
recipient domain. We recommend contacting the other email provider for
further information about the cause of this error. The error that the
other server returned was: 550 550 Mailbox unavailable or access
denied - <security@...esson.com> (state 17).

</snip>

Cheers,
--scm


On Sun, Oct 18, 2009 at 1:39 AM, Derek Lewis <graphic7@...il.com> wrote:
> Subject: McKesson Horizon Clinical Infrastructure (HCI) version
> 7.6/7.8/10.0/10.1 hardcoded passwords
>
> McKesson Horizon Clinical Infrastructure, also known as McKesson HCI,
> utilizes hardcoded passwords
> for Oracle database access. HCI serves as the patient record datastore for
> the majority of McKesson applications. There are two components to an HCI
> implementation: the Infrastructure (or Master) server
> and the database back-end. The HCI Infrastructure Server has an Oracle
> client installed that initializes
> OCI/sqlplus connections to the Oracle database back-end. A file on each HCI
> Infrastructure server
> contains the database account usernames and their respective passwords,
> /usr/local/bin/password. Content from /usr/local/bin/password is shown:
>
> # cat /usr/local/bin/password
> AMBU:hacschema
> QUEUE_USER:qmanager
> SYS:alLp0ver2
> SYSTEM:urA7mvP
> CHANGEMGR:datacontrol
> CCDEV:ccdev
> CCDBA:ccnulls                *HAS ORACLE SYSDBA PRIVS*
> CCDATA:ccdata
> CCFORMS:ccforms
> CCINTERFACE:ccinterface
> MCKHEO:mckheo
> CCREL:ccrel
> CCQUERY:ccquery
> CDXWEB:winplu5
> DRUG1:fdb3schema
> DRUG2:fdb3schema
> enc_ent:encent
> ENT:entpazz
> ENT_CONFIG:ent_configpazz
> ADF:adfpazz
> INF:infpazz
> INF_CONFIG:inf_configpazz
> SDM:sdmpazz
> STRMADM:pazzw0rd
> ENT_AUD:pazzw0rd
> ENT_ARCH:pazzw0rd
> POC_ARCH:pazzw0rd
> POC_AQ:qmanager
> INF_AQ:qmanager
> DATAMGR:datamgr
> CCUSER:bueno
> ALERTS:monitorhca
> HCALERTS:alertsuser
> AM:ampazz
> AM_AUD:pazzw0rd
> AUD:audpazz
> TMF:tmfpazz
> MN:mnpazz
> EH:ehpazz
> NG:ngpazz
> DM:dmpazz
> DMTOOL:dmtoolpazz
> STG_DMT:stg_dmtpazz
> WRL:wrlpazz
> NOTES:notespazz
> REPORTS:reportspazz
> ICONS:iconspazz
> BS:bspazz
> QZ:qzpazz
> RM:rmpazz
> RM_AUD:pazzw0rd
> COMMGR:commgrpazz
> OPSERVICE:opservicepazz
> SEC_CONFIG:sec_configpazz
> CTXSYS:ctxsyspazz
> OLOGY:ologypazz
> OLOGY_CONFIG:ology_configpazz
> DOC:docpazz
> DOC_CONFIG:doc_configpazz
> PORTAL:portal
> PORTAL_INSTALL:portal_install
> EBIDBADMIN:ebidbadmin
> DESIGN_OWNER:owb
> OWB_RUNTIME_REPOSITORY:owb
> RUNTIME_A_USER:owb
>
> Despite having a "central" password file that contains the credential
> information, much of the credentials
> are hardcoded throughout binaries and scripts that are shipped as part of
> the HCI Infrastructure server.
>
> # cd /u/live
> # find . -type f -print | xargs grep ccnull | wc -l
> 85
>
> Here is some context of how the credentials are used throughout the HCI
> code:
>
> # find . -type f -print | xargs grep ccnull
> ./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF
> ./all_ord:LOGIN=ccdba/ccnulls
> ./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> ./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> ./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
> ./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE
> <<- ENDSQL
>
> McKesson supports HCI on the AIX, HP-UX, and Linux. The nature of hardcoded
> passwords implies
> that for every customer that has purchased HCI, the credentials for all of
> these role accounts are the same across the installations.
>
> According to the following press release,
> http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson
> software is installed in 70% of hospitals within the US. HCI serves as the
> core infrastructure
> component of other McKesson applications such as Horizon Lab, Horizon
> Patient Folder, Horizon CareLink,
> Horizon Expert Documentation, etc.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ