[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fc76c6280910210636t120f69e3o69022cd76c1c88d8@mail.gmail.com>
Date: Wed, 21 Oct 2009 08:36:21 -0500
From: Michael Krymson <krymson@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: McKesson Horizon Clinical Infrastructure
(HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords
Oh shit, accounting@...esson.com bounced, too! That must mean they don't
even have any accounting!
Your discovery made a healthcare IT 'news' site. Maybe if you ask nicely,
this 'mover and shaker' with the too-busy blog will grace us with his
technical debunking of this issue!
http://histalk2.com/ "From *Secret Squirrel*: “Re: McKesson. Horizon
Clinical Infrastructure (HCI) appears to use hard-coded database passwords.
A security organization has run the entire password list online.” I thought
everyone knew that, but maybe not (I reconsidered adding fuel to the
technical fire, so I’m not including the link). The poster was amused that
e-mailing security@...esson.com bounced back as undeliverable. I would
imagine that many vendors have services that log on as “users” that may or
may not use encrypted passwords, some of which give full read/write/update
database privileges. I would also imagine that vendors ship default
passwords (some intended as their own “back door” in case clients screw up)
that unlock every system they’ve ever sold. The clients I’ve known never
seem to worry much about that."
On Mon, Oct 19, 2009 at 10:33 AM, Shawn Merdinger <shawnmer@...il.com>wrote:
> Great find!
>
> And should we _really be surprised_ at the following bounce?
>
> <snip>
>
> Delivery to the following recipient failed permanently:
>
> security@...esson.com
>
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the
> recipient domain. We recommend contacting the other email provider for
> further information about the cause of this error. The error that the
> other server returned was: 550 550 Mailbox unavailable or access
> denied - <security@...esson.com> (state 17).
>
> </snip>
>
> Cheers,
> --scm
>
>
> On Sun, Oct 18, 2009 at 1:39 AM, Derek Lewis <graphic7@...il.com> wrote:
> > Subject: McKesson Horizon Clinical Infrastructure (HCI) version
> > 7.6/7.8/10.0/10.1 hardcoded passwords
> >
> > McKesson Horizon Clinical Infrastructure, also known as McKesson HCI,
> > utilizes hardcoded passwords
> > for Oracle database access. HCI serves as the patient record datastore
> for
> > the majority of McKesson applications. There are two components to an HCI
> > implementation: the Infrastructure (or Master) server
> > and the database back-end. The HCI Infrastructure Server has an Oracle
> > client installed that initializes
> > OCI/sqlplus connections to the Oracle database back-end. A file on each
> HCI
> > Infrastructure server
> > contains the database account usernames and their respective passwords,
> > /usr/local/bin/password. Content from /usr/local/bin/password is shown:
> >
> > # cat /usr/local/bin/password
> > AMBU:hacschema
> > QUEUE_USER:qmanager
> > SYS:alLp0ver2
> > SYSTEM:urA7mvP
> > CHANGEMGR:datacontrol
> > CCDEV:ccdev
> > CCDBA:ccnulls *HAS ORACLE SYSDBA PRIVS*
> > CCDATA:ccdata
> > CCFORMS:ccforms
> > CCINTERFACE:ccinterface
> > MCKHEO:mckheo
> > CCREL:ccrel
> > CCQUERY:ccquery
> > CDXWEB:winplu5
> > DRUG1:fdb3schema
> > DRUG2:fdb3schema
> > enc_ent:encent
> > ENT:entpazz
> > ENT_CONFIG:ent_configpazz
> > ADF:adfpazz
> > INF:infpazz
> > INF_CONFIG:inf_configpazz
> > SDM:sdmpazz
> > STRMADM:pazzw0rd
> > ENT_AUD:pazzw0rd
> > ENT_ARCH:pazzw0rd
> > POC_ARCH:pazzw0rd
> > POC_AQ:qmanager
> > INF_AQ:qmanager
> > DATAMGR:datamgr
> > CCUSER:bueno
> > ALERTS:monitorhca
> > HCALERTS:alertsuser
> > AM:ampazz
> > AM_AUD:pazzw0rd
> > AUD:audpazz
> > TMF:tmfpazz
> > MN:mnpazz
> > EH:ehpazz
> > NG:ngpazz
> > DM:dmpazz
> > DMTOOL:dmtoolpazz
> > STG_DMT:stg_dmtpazz
> > WRL:wrlpazz
> > NOTES:notespazz
> > REPORTS:reportspazz
> > ICONS:iconspazz
> > BS:bspazz
> > QZ:qzpazz
> > RM:rmpazz
> > RM_AUD:pazzw0rd
> > COMMGR:commgrpazz
> > OPSERVICE:opservicepazz
> > SEC_CONFIG:sec_configpazz
> > CTXSYS:ctxsyspazz
> > OLOGY:ologypazz
> > OLOGY_CONFIG:ology_configpazz
> > DOC:docpazz
> > DOC_CONFIG:doc_configpazz
> > PORTAL:portal
> > PORTAL_INSTALL:portal_install
> > EBIDBADMIN:ebidbadmin
> > DESIGN_OWNER:owb
> > OWB_RUNTIME_REPOSITORY:owb
> > RUNTIME_A_USER:owb
> >
> > Despite having a "central" password file that contains the credential
> > information, much of the credentials
> > are hardcoded throughout binaries and scripts that are shipped as part of
> > the HCI Infrastructure server.
> >
> > # cd /u/live
> > # find . -type f -print | xargs grep ccnull | wc -l
> > 85
> >
> > Here is some context of how the credentials are used throughout the HCI
> > code:
> >
> > # find . -type f -print | xargs grep ccnull
> > ./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE <<
> EOF
> > ./all_ord:LOGIN=ccdba/ccnulls
> > ./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> > ./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> > ./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
> > ./bin/Make_iv_template:ORD_SEQ=`sqlplus -S
> ccdba/ccnulls$DB_SPEC_IF_REMOTE
> > <<- ENDSQL
> >
> > McKesson supports HCI on the AIX, HP-UX, and Linux. The nature of
> hardcoded
> > passwords implies
> > that for every customer that has purchased HCI, the credentials for all
> of
> > these role accounts are the same across the installations.
> >
> > According to the following press release,
> > http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html,
> McKesson
> > software is installed in 70% of hospitals within the US. HCI serves as
> the
> > core infrastructure
> > component of other McKesson applications such as Horizon Lab, Horizon
> > Patient Folder, Horizon CareLink,
> > Horizon Expert Documentation, etc.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists