[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords



Great find!

And should we _really be surprised_ at the following bounce?

<snip>

Delivery to the following recipient failed permanently:

    security@xxxxxxxxxxxx

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
recipient domain. We recommend contacting the other email provider for
further information about the cause of this error. The error that the
other server returned was: 550 550 Mailbox unavailable or access
denied - <security@xxxxxxxxxxxx> (state 17).

</snip>

Cheers,
--scm


On Sun, Oct 18, 2009 at 1:39 AM, Derek Lewis <graphic7@xxxxxxxxx> wrote:
> Subject: McKesson Horizon Clinical Infrastructure (HCI) version
> 7.6/7.8/10.0/10.1 hardcoded passwords
>
> McKesson Horizon Clinical Infrastructure, also known as McKesson HCI,
> utilizes hardcoded passwords
> for Oracle database access. HCI serves as the patient record datastore for
> the majority of McKesson applications. There are two components to an HCI
> implementation: the Infrastructure (or Master) server
> and the database back-end. The HCI Infrastructure Server has an Oracle
> client installed that initializes
> OCI/sqlplus connections to the Oracle database back-end. A file on each HCI
> Infrastructure server
> contains the database account usernames and their respective passwords,
> /usr/local/bin/password. Content from /usr/local/bin/password is shown:
>
> # cat /usr/local/bin/password
> AMBU:hacschema
> QUEUE_USER:qmanager
> SYS:alLp0ver2
> SYSTEM:urA7mvP
> CHANGEMGR:datacontrol
> CCDEV:ccdev
> CCDBA:ccnulls                *HAS ORACLE SYSDBA PRIVS*
> CCDATA:ccdata
> CCFORMS:ccforms
> CCINTERFACE:ccinterface
> MCKHEO:mckheo
> CCREL:ccrel
> CCQUERY:ccquery
> CDXWEB:winplu5
> DRUG1:fdb3schema
> DRUG2:fdb3schema
> enc_ent:encent
> ENT:entpazz
> ENT_CONFIG:ent_configpazz
> ADF:adfpazz
> INF:infpazz
> INF_CONFIG:inf_configpazz
> SDM:sdmpazz
> STRMADM:pazzw0rd
> ENT_AUD:pazzw0rd
> ENT_ARCH:pazzw0rd
> POC_ARCH:pazzw0rd
> POC_AQ:qmanager
> INF_AQ:qmanager
> DATAMGR:datamgr
> CCUSER:bueno
> ALERTS:monitorhca
> HCALERTS:alertsuser
> AM:ampazz
> AM_AUD:pazzw0rd
> AUD:audpazz
> TMF:tmfpazz
> MN:mnpazz
> EH:ehpazz
> NG:ngpazz
> DM:dmpazz
> DMTOOL:dmtoolpazz
> STG_DMT:stg_dmtpazz
> WRL:wrlpazz
> NOTES:notespazz
> REPORTS:reportspazz
> ICONS:iconspazz
> BS:bspazz
> QZ:qzpazz
> RM:rmpazz
> RM_AUD:pazzw0rd
> COMMGR:commgrpazz
> OPSERVICE:opservicepazz
> SEC_CONFIG:sec_configpazz
> CTXSYS:ctxsyspazz
> OLOGY:ologypazz
> OLOGY_CONFIG:ology_configpazz
> DOC:docpazz
> DOC_CONFIG:doc_configpazz
> PORTAL:portal
> PORTAL_INSTALL:portal_install
> EBIDBADMIN:ebidbadmin
> DESIGN_OWNER:owb
> OWB_RUNTIME_REPOSITORY:owb
> RUNTIME_A_USER:owb
>
> Despite having a "central" password file that contains the credential
> information, much of the credentials
> are hardcoded throughout binaries and scripts that are shipped as part of
> the HCI Infrastructure server.
>
> # cd /u/live
> # find . -type f -print | xargs grep ccnull | wc -l
> 85
>
> Here is some context of how the credentials are used throughout the HCI
> code:
>
> # find . -type f -print | xargs grep ccnull
> ./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF
> ./all_ord:LOGIN=ccdba/ccnulls
> ./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> ./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
> ./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
> ./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE
> <<- ENDSQL
>
> McKesson supports HCI on the AIX, HP-UX, and Linux. The nature of hardcoded
> passwords implies
> that for every customer that has purchased HCI, the credentials for all of
> these role accounts are the same across the installations.
>
> According to the following press release,
> http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson
> software is installed in 70% of hospitals within the US. HCI serves as the
> core infrastructure
> component of other McKesson applications such as Horizon Lab, Horizon
> Patient Folder, Horizon CareLink,
> Horizon Expert Documentation, etc.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/