Breaking Down the Dynix Door
by iCe799 (ice799@linuxmail.org)
Disclaimer: What you do with this is your choice. Do good, not bad.
Now that that's over with... the Dynix Door.
Dynix is a pretty sexy looking app that (so far) I've only seen on *NIX boxes. All of the instances of Dynix I've seen were for libraries all around the U.S. There are a few major security holes/vulnerabilities in this "librarian's-dream-come-true." And the treasures of exploiting such holes may or may not be more or less than you expect.
What You Can Expect
Some of the various systems I have been looking through contain very interesting personal information. Information which should not be used for malicious purposes. I would advise anyone finding that these methods work to alert the system administrator immediately.
I've seen things such as names, birthdays, addresses, email addresses, guardian's names (if patron is less than 18), guardian's work number (if patron is less than 18), driver's license (if patron is less than 18, then guardian's license), current school, past overdue items, current overdue items, fines owed, refunds owed, and "special" notes.
Where You Can Find Targets
Use your favorite search engine and look for libraries with Telnet access or go to: www.libdex.com/vendor/epixtech,_inc_.html
That site provides a list of libraries using Dynix. Some of them may not offer Telnet, and a few of the ones that do offer Telnet might not be vulnerable. But that is pretty rare from what I've seen.
Common Accounts
There are quite a few common accounts to be harvested on Dynix.
The most common accounts I've seen are exec (this uses the graphical interface and usually superuser privs), texec (this is commonly a shell with superuser privs), uv, conv, circ or variations like qcirc, tcirc, mcirc - sometimes using the first letter of the library's name.
For example, Xavier's Library of Godliness may have an account called xcirc. These accounts are used by the librarians for checking in, checking out, paying fines, updating personal records, etc. There are also accounts such as makefile and upgrade.
This next part may surprise you as it surprised me - many of these accounts are unpassworded.
I actually found a system with the account uv with superuser privs which was unpassworded! Nice job, sysadmin!
My first recommendation is to try some of these accounts with no password or with their logins as passwords. I've seen conv with superuser privs and its password: c0nv
I have also found that the password for makefile and upgrade has been the word: easy
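As an added example (this is not code from the original article, nor anything shipped with Dynix), here is a small audit a library sysadmin could run against the box's own /etc/passwd and /etc/shadow to find exactly what the section above describes: accounts with the Dynix-style names, accounts with uid 0, and accounts whose password field is empty. The passwd and shadow contents below are constructed for illustration; the hash strings are placeholders rather than real crypt values, and the account names, uids, home directories and shells are assumptions, not taken from a real install.

```python
import re

# Constructed sample /etc/passwd and /etc/shadow in the style an attacker
# would pull off a Dynix host. Every "$1$placeholder$..." value is a stand-in
# string, not a real crypt(3) hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
exec:x:0:1:Dynix exec:/dynix:/dynix/bin/exec
texec:x:0:1:Dynix exec shell:/dynix:/bin/sh
uv:x:0:1:UniVerse:/usr/uv:/bin/sh
conv:x:201:1:Conversion:/dynix/conv:/bin/sh
xcirc:x:205:50:Circulation:/dynix/circ:/dynix/bin/circ
makefile:x:210:1::/dynix:/bin/sh
library:x:300:60:Public catalog:/dynix/pac:/dynix/bin/pac
jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$1$placeholder$root_hash_goes_here:10957:0:99999:7:::
exec:$1$placeholder$exec_hash_goes_here:10957:0:99999:7:::
texec::10957:0:99999:7:::
uv::10957:0:99999:7:::
conv:$1$placeholder$conv_hash_goes_here:10957:0:99999:7:::
xcirc:$1$placeholder$xcirc_hash_goes_here:10957:0:99999:7:::
makefile:$1$placeholder$makefile_hash:10957:0:99999:7:::
library::10957:0:99999:7:::
jdoe:$1$placeholder$jdoe_hash_goes_here:10957:0:99999:7:::
"""

# Login names the article lists as typical Dynix maintenance/staff accounts,
# plus the "<letter>circ" circulation pattern (qcirc, tcirc, mcirc, xcirc...).
KNOWN_NAMES = {"exec", "texec", "uv", "conv", "circ", "makefile", "upgrade"}
CIRC_PATTERN = re.compile(r"^[a-z]?circ$")


def parse_colon_file(text):
    """Return {login: [fields...]} for a colon-separated passwd/shadow file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Flag accounts an attacker would try first: Dynix-style names,
    uid 0, and entries whose password field is empty (no password at all).

    An empty field in passwd, or an empty field in shadow when passwd holds
    the 'x' placeholder, means login succeeds with no password. Locked
    entries ('*', '!', '!!' ...) are not empty and are not flagged."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for login, fields in passwd.items():
        uid = int(fields[2])
        pw = fields[1]
        if pw == "x" and login in shadow:   # shadowed: look at the real field
            pw = shadow[login][1]
        finding = {
            "login": login,
            "uid": uid,
            "superuser": uid == 0,
            "no_password": pw == "",
            "dynix_name": login in KNOWN_NAMES or bool(CIRC_PATTERN.match(login)),
        }
        if finding["superuser"] or finding["no_password"] or finding["dynix_name"]:
            findings.append(finding)
    return findings


def worst_first(findings):
    """Order findings so unpassworded uid-0 accounts come out on top."""
    return sorted(findings,
                  key=lambda f: (f["no_password"], f["superuser"], f["dynix_name"]),
                  reverse=True)


if __name__ == "__main__":
    for f in worst_first(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        tags = [t for t in ("superuser", "no_password", "dynix_name") if f[t]]
        print(f"{f['login']:10} uid={f['uid']:<5} {' '.join(tags)}")
```

On the constructed sample this puts uv and texec at the top (uid 0 and no password at all), then library (no password, but a non-root public account), then the named staff accounts whose passwords still need to be tested by hand against the login name and the weak values the article reports. Run it as root, since /etc/shadow is not world-readable on a sanely configured host.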
Public Usage Accounts
These are accounts that are set up by the library or other organization to allow public access to the computer with a special shell that restricts usage.
For example, my local library has an account called library which anyone can log into with no password and which only lets you browse for books and check to see what books you have out. These accounts are usually listed either on the library's home page or in the banner you get when you Telnet to them. Most of these accounts will have no password and they are the basis for the attack below.
Security Holes
O.K., let's say you tried the accounts listed above and you got nothing.
Here are a few other techniques which you can use. I found that many of the UNIX boxes running Dynix have rsh, rexec, and/or rlogin running along with Finger, Daytime, Telnet, FTP, and some other miscellaneous services. I believe that some of these services may be enabled at or during the installation of Dynix. The first thing that caught my attention was the Berkeley r-command services. This attack is relatively simple.
1. Download some sort of rsh, rexec, or rlogin client.
2. Telnet to the IP of the library or whatever organization. There should be some sort of public login displayed in their banner. In many cases library or public will be a public login. You do not need to log in. You just need to know the public login and password (if there is a password).
3. Now go to your "r" client and use rsh first - put in the IP, the login, and the password (if there is one) and for the command to execute, try: ls -al (Note that rsh and rlogin never actually send a password: rshd trusts whatever hosts are listed in /etc/hosts.equiv or in the account's ~/.rhosts, so if rsh works, it is because of those trust files. rexec is the one that really sends the login and password, in cleartext.)
4. If you get a list of files, smile and show your teeth. You can now move on to Step 7.
5. If rsh is unsuccessful, go to Step 3 and try rexec.
6. If rexec is unsuccessful, go to Step 3, and as a last resort try rlogin.
7. Try to get the password file: /etc/passwd, /etc/shadow, blah, blah, blah... (I have actually gotten most of my password files from /etc/shadow using rsh).
8. Load up the password file into John the Ripper and get a good dictionary file - begin cracking.
9. Enjoy.
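The r-command attack above only works when the host has the services switched on and trusts the caller. As an added example (not code from the original article and not part of Dynix), here is a check of the two things that decide that: /etc/inetd.conf, which says which of rshd, rlogind, rexecd, finger, daytime, telnet and ftp are listening, and the hosts.equiv / .rhosts trust files that rshd and rlogind consult in place of a password. The file contents are constructed samples; the server paths, the hostname and the service list are assumptions. harden_inetd shows the matching fix: comment the r-services, finger and daytime out of inetd.conf (then send inetd a HUP so it rereads the file).

```python
# Constructed sample /etc/inetd.conf excerpt and trust files for a Dynix-era
# UNIX host. None of this is taken from a real system.
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root   /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root   /usr/sbin/in.rlogind  in.rlogind
exec    stream  tcp  nowait  root   /usr/sbin/in.rexecd   in.rexecd
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd  in.fingerd
daytime stream  tcp  nowait  root   internal
#tftp   dgram   udp  wait    root   /usr/sbin/in.tftpd    in.tftpd
"""

# /etc/hosts.equiv with a wildcard line, and a ~library/.rhosts of "+ +".
SAMPLE_HOSTS_EQUIV = """\
opac1.example.org
+
"""
SAMPLE_RHOSTS = "+ +\n"

# inetd service names the article reports as typically listening, and why
# each matters. shell/login/exec are the Berkeley r-commands.
RISKY_SERVICES = {
    "shell":   "rshd: trusts hosts.equiv/.rhosts, no password asked",
    "login":   "rlogind: trusts hosts.equiv/.rhosts, password only as fallback",
    "exec":    "rexecd: login and password sent in cleartext",
    "finger":  "fingerd: enumerates the logins to guess",
    "telnet":  "telnetd: cleartext credentials",
    "ftp":     "ftpd: cleartext credentials",
    "daytime": "unneeded service, turn it off",
}


def enabled_services(inetd_text):
    """Return {service: server} for every uncommented inetd.conf line."""
    enabled = {}
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:          # malformed line, ignore it
            continue
        enabled[fields[0]] = fields[5]
    return enabled


def audit_inetd(inetd_text):
    """Return [(service, reason)] for each risky service that is enabled."""
    enabled = enabled_services(inetd_text)
    return [(svc, RISKY_SERVICES[svc]) for svc in enabled if svc in RISKY_SERVICES]


def harden_inetd(inetd_text, disable=("shell", "login", "exec", "finger", "daytime")):
    """Comment out the given services; returns the new file contents."""
    out = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in disable:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def audit_trust_file(text):
    """Return wildcard entries: a line starting with '+' trusts every host
    (hosts.equiv) or, as '+ +', every user from every host (.rhosts).
    Either one lets rsh/rlogin in without any password at all."""
    problems = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "+":
            problems.append(line.strip())
    return problems


if __name__ == "__main__":
    for svc, why in audit_inetd(SAMPLE_INETD_CONF):
        print(f"enabled: {svc:8} {why}")
    print("hosts.equiv wildcards:", audit_trust_file(SAMPLE_HOSTS_EQUIV))
    print(".rhosts wildcards:", audit_trust_file(SAMPLE_RHOSTS))
    print(harden_inetd(SAMPLE_INETD_CONF))
```

Even with the r-services gone, telnet and ftp still carry the circulation accounts' passwords in cleartext across the wire, so the longer-term fix is to replace them with an encrypted login path and to give the public catalog account its own non-root uid with a restricted shell, which is what the "library" account in the previous section is supposed to be.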
What To Do Now
Alerting the system admin is always a good thing to do.
Once you get one of the circulation accounts (e.g., xcirc), you can check books out, return books, pay fines off, etc. This all sounds kinda pointless unless you know what to do with it all. (Hint: Some libraries have DVDs.) You also have access to all of the personal info listed above.
But you really should tell the system admin.
I mean think about it, you have all this personal info at your disposal. It's a kind of bad power to have, it's a temptation, and I don't know, I kind of wanted this all to be used for "good" so just tell the freaking system admin. Why go to jail for library fines?
Good luck - have fun exploring.
Shouts: v0L|3i, schemexgod, jen, d3mize, tortilleria22, tan(x), and any future "members" of SSD.