Eaglesoft 18 through 21 vulnerability

What is Eaglesoft? 

Eaglesoft is dental practice management software (PMS). It holds chart information, insurance details, patient information, scheduling, scanned documents and, if the office is licensed for imaging, x-rays as well.

Eaglesoft at one time relied on hard-coded credentials but has since changed its authentication.

When you install Eaglesoft with the server option, the installer installs Sybase SQL Anywhere with a default username and password. It also creates a service called Patterson Application Service and, optionally for a server installation, the Eaglesoft client itself. You can install just the database and the application service on their own, though most offices install all three.

Database Password:

If the office has internet access, the Patterson Application Service sends the Eaglesoft license/serial number to a server hosted on Amazon, and that server responds with a username and password that is now assigned to the office's installation. This information is stored, encrypted, in C:\Eaglesoft\Data\Eaglesoft.Server.Configuration.data. From that point forward the Patterson Application Service changes the SQL Anywhere database to use these credentials.

Client Authentication:

When you install the Eaglesoft client, the client does not know the credentials for the database. Instead it talks to the Patterson Application Service over the LAN to obtain them, and this is where the vulnerability lies. To talk to the Patterson Application Service you must use a certificate that is installed with both the client and server versions of Eaglesoft. The certificate is stored in the Windows certificate store and can be exported together with its private key using the Windows certificate MMC console. First the client asks the Patterson Application Service for the list of Eaglesoft users (a table in the database, not database users) to populate the main screen of Eaglesoft. At this point the client still does not know the database credentials and is still talking only to the Patterson Application Service. If the password entered for the user is correct, the Patterson Application Service hands the client the SQL Anywhere database credentials.

What is vulnerable?

This is a reasonable design, except that the Patterson Application Service is not intelligent enough to know whether the caller has first passed the Eaglesoft username and password authentication. Anyone who reverse engineers the communications and learns the appropriate calls/methods could write a program that simply asks the Patterson Application Service for the database credentials, and the service will give them out to whoever is asking.

1. Eaglesoft runs, talks to the Patterson Application Service, and gets a list of Eaglesoft usernames.

2. The end user enters the password for an Eaglesoft user and, if it is correct, the client receives the database credentials for SQL Anywhere.

Again, the vulnerability is that someone can write a program to bypass the Eaglesoft user authentication and just ask the Patterson Application Service for the SQL Anywhere credentials. In addition, if the office has no internet access, the client and server fall back on hard-coded default database credentials.

What can I do to mitigate this problem?

Unfortunately, firewalling or stopping the Patterson Application Service on the server will break client authentication, so there is no great way to fix this. That will remain true until the Patterson Application Service is smart enough to refuse database credentials to a caller that has not yet passed the Eaglesoft username and password authentication, which will hopefully be addressed in a future Eaglesoft update.
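To make the missing check concrete, here is a toy model of the credential-brokering flow described above (list users, authenticate an application user, hand out the database credentials) with the weak behaviour and the hardened behaviour side by side. This is an added illustration written for this post, not Patterson's code: the class and method names, the user table, the passwords and the database credentials are all constructed for the example, and the hardened variant assumes a session token issued only after a successful login.

```python
"""Toy model of a credential-brokering service in the style of the flow described
in the post (client -> application service -> database credentials).

Added illustration, not Patterson's code. All names, users, passwords and the
database credentials below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time

# --- constructed sample data (placeholders, not real credentials) ------------
DB_CREDENTIALS = {"user": "EXAMPLE_DB_USER", "password": "EXAMPLE_DB_PASSWORD"}
TOKEN_TTL_SECONDS = 300


def _hash_password(password, salt):
    # PBKDF2 so the service never stores cleartext application passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# The application-user table the client lists on its main screen (not DB users).
APP_USERS = {
    "drsmith": _make_user("correct horse battery staple"),
    "frontdesk": _make_user("hunter2"),
}


class AuthError(Exception):
    pass


class ApplicationService:
    """require_login=False models the weak design: DB credentials go to anyone who asks.
    require_login=True models the fix: credentials are released only against a
    time-limited session token that the service itself issued after a login."""

    def __init__(self, require_login=True):
        self.require_login = require_login
        self._sessions = {}  # token -> (username, expires_at)

    # Step 1: the client asks for the list of application users.
    def list_users(self):
        return sorted(APP_USERS)

    # Step 2: the client submits a username/password; on success it receives a token.
    def login(self, username, password):
        record = APP_USERS.get(username)
        # Hash even for unknown users so response timing does not reveal valid names.
        salt = record["salt"] if record else b"\x00" * 16
        expected = record["hash"] if record else b"\x00" * 32
        candidate = _hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, expected):
            raise AuthError("bad username or password")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + TOKEN_TTL_SECONDS)
        return token

    # Step 3: the client asks for the database credentials.
    def get_db_credentials(self, token=None):
        if not self.require_login:
            # The behaviour the post describes: nothing verifies that the caller
            # ever authenticated as an application user.
            return dict(DB_CREDENTIALS)
        session = self._sessions.get(token) if token else None
        if session is None or session[1] < time.time():
            self._sessions.pop(token, None)
            raise AuthError("no authenticated session for this request")
        return dict(DB_CREDENTIALS)


def demo():
    """Returns (weak_gave_creds, hardened_refused, hardened_after_login)."""
    weak = ApplicationService(require_login=False)
    weak_gave_creds = weak.get_db_credentials() == DB_CREDENTIALS

    hard = ApplicationService(require_login=True)
    try:
        hard.get_db_credentials()
        hardened_refused = False
    except AuthError:
        hardened_refused = True

    token = hard.login("drsmith", "correct horse battery staple")
    hardened_after_login = hard.get_db_credentials(token) == DB_CREDENTIALS
    return weak_gave_creds, hardened_refused, hardened_after_login


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the hardened variant is that the credential request is tied to a login the service itself witnessed, rather than to the client's say-so. A real service would additionally bind the token to the connecting host and log every credential release, which gives a defender something to alert on when credentials are requested by a machine that never listed users or logged in.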

How have I tested this?

I have access to about 11 different Eaglesoft installations and tested it on about half of them, and all of those I tested were vulnerable. The installations have different server names and licenses, and all of them would give me the database credentials with a tool I put together.
