Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22656
HistoryOct 19, 2009 - 12:00 a.m.

McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords

2009-10-1900:00:00
vulners.com
20
JSON

McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, utilizes hardcoded passwords
for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson applications. There are
two components to an HCI implementation: the Infrastructure (or Master) server
and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server
contains the database account usernames and their respective passwords, /usr/local/bin/password. Content from
/usr/local/bin/password is shown:

cat /usr/local/bin/password

AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
SYSTEM:urA7mvP
CHANGEMGR:datacontrol
CCDEV:ccdev
CCDBA:ccnulls HAS ORACLE SYSDBA PRIVS
CCDATA:ccdata
CCFORMS:ccforms
CCINTERFACE:ccinterface
MCKHEO:mckheo
CCREL:ccrel
CCQUERY:ccquery
CDXWEB:winplu5
DRUG1:fdb3schema
DRUG2:fdb3schema
enc_ent:encent
ENT:entpazz
ENT_CONFIG:ent_configpazz
ADF:adfpazz
INF:infpazz
INF_CONFIG:inf_configpazz
SDM:sdmpazz
STRMADM:pazzw0rd
ENT_AUD:pazzw0rd
ENT_ARCH:pazzw0rd
POC_ARCH:pazzw0rd
POC_AQ:qmanager
INF_AQ:qmanager
DATAMGR:datamgr
CCUSER:bueno
ALERTS:monitorhca
HCALERTS:alertsuser
AM:ampazz
AM_AUD:pazzw0rd
AUD:audpazz
TMF:tmfpazz
MN:mnpazz
EH:ehpazz
NG:ngpazz
DM:dmpazz
DMTOOL:dmtoolpazz
STG_DMT:stg_dmtpazz
WRL:wrlpazz
NOTES:notespazz
REPORTS:reportspazz
ICONS:iconspazz
BS:bspazz
QZ:qzpazz
RM:rmpazz
RM_AUD:pazzw0rd
COMMGR:commgrpazz
OPSERVICE:opservicepazz
SEC_CONFIG:sec_configpazz
CTXSYS:ctxsyspazz
OLOGY:ologypazz
OLOGY_CONFIG:ology_configpazz
DOC:docpazz
DOC_CONFIG:doc_configpazz
PORTAL:portal
PORTAL_INSTALL:portal_install
EBIDBADMIN:ebidbadmin
DESIGN_OWNER:owb
OWB_RUNTIME_REPOSITORY:owb
RUNTIME_A_USER:owb

Despite having a "central" password file that contains the credential information, much of the credentials
are hardcoded throughout binaries and scripts that are shipped as part of the HCI Infrastructure server.

cd /u/live

find . -type f -print | xargs grep ccnull | wc -l

85

Here is some context of how the credentials are used throughout the HCI code:

find . -type f -print | xargs grep ccnull

./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF
./all_ord:LOGIN=ccdba/ccnulls
./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE <<- ENDSQL

McKesson supports HCI on the AIX, HP-UX, and Linux passwords. The nature of hardcoded passwords implies
that for every customer that has purchased HCI, the credentials for all of these role accounts are the same across the
installations.

According to the following press release, http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson
software is installed in 70% of hospitals within the US. HCI serves as the core infrastructure
component of other McKesson applications such as Horizon Lab, Horizon Patient Folder, Horizon CareLink,
Horizon Expert Documentation, etc.

JSON