mirror of
https://github.com/fdiskyou/Zines.git
synced 2025-03-16 00:00:03 +01:00
854 lines
36 KiB
Text
854 lines
36 KiB
Text
==Phrack Inc.==
|
|
|
|
Volume Four, Issue Thirty-Nine, File 6 of 13
|
|
|
|
Centigram Voice Mail System Consoles
|
|
Proper Entry Procedure, Design Flaws, and Security Bugs
|
|
|
|
by >Unknown User<
|
|
|
|
*** Note from Phrack Staff: This file was submitted to Phrack anonymously. ***
|
|
*** The author used SMTP fake mail to send it to the Phrack e-mail address. ***
|
|
*** Phrack cannot make any claims about the validity or the source of the ***
|
|
*** information found in this article. ***
|
|
|
|
Due to more efficient task-handling and the desire for a more "Unix-like"
|
|
environment, the developers at Centigram needed for certain key functions to be
|
|
available at all times. For instance, the ^Z key acts as the "escape" key
|
|
(these can be remapped, if desired). When necessary for some applications to
|
|
use an "escape" procedure, pressing this key can, in at least a few cases,
|
|
cause a drop to shell, or /cmds/qnxsh (possibly /cmds/sh, as well, but I'm used
|
|
to seeing qnxsh). If this escape procedure was invoked during, say,
|
|
/cmds/login, the resulting drop to shell would by-pass the "Enter Passcode:"
|
|
message. And it does.
|
|
|
|
After calling the Centigram, normal procedure is to hit ^Z to activate the
|
|
terminal, followed by the entry of the remote or console passcodes, and then
|
|
proceeding with normal console activities. However, if ^Z is continually
|
|
depressed during the login sequence, the login program will abort and run
|
|
/cmds/qnxsh. The behavior may be somewhat erratic by the repeated use of the
|
|
escape key, but when the $ prompt appears, usually, it doesn't deliberately go
|
|
away without an "exit" command or a ^D. Typically, a login pattern can develop
|
|
to accommodate the erratic behavior something along the lines of: continuously
|
|
depress ^Z until $ prompt appears, hit return, possibly get "Enter Passcode:"
|
|
message, hit return, and $ prompt appears again, set proper TTY setting, and
|
|
change directory appropriately, and continue with normal console functions.
|
|
|
|
Initial STTY Setting:
|
|
|
|
I've had problems with my terminal settings not being set properly during
|
|
the above entry procedure. I can correct this by using the "stty +echo +edit"
|
|
command, and, for my terminal, all is restored. The correct values for STTY
|
|
options and keys appear to be:
|
|
|
|
Options: +echo +edit +etab +ers +edel +oflow +mapcr +hangup
|
|
break=03h esc=1Ah rub=7Fh can=18h eot=04h up=15h
|
|
down=0Ah left=08h ins=0Eh del=0Bh
|
|
|
|
The keymap, of course, can be modified as desired, but the options,
|
|
especially +edit, appear to be necessary.
|
|
|
|
Disks and Directories:
|
|
|
|
The drives and directories are set up in a remotely MessDos fashion. The
|
|
output of a "pwd" command looks similar to "4:/". "4:" represents the drive
|
|
number, and "/" is the start of the directory structure, "4:/" being the root
|
|
directory for drive 4, "3:/tmp" being the /tmp directory on drive 3, etc.
|
|
|
|
The two most important directories are 1:/cmds and 4:/cmds, which contain,
|
|
for the most part, the program files for all of the performable commands on the
|
|
system, excluding the commands written into the shell. The directory 1:/cmds
|
|
should look similar to:
|
|
|
|
$ ls
|
|
backup drel ls rm talk
|
|
chattr eo mkdir rmdir tcap
|
|
choose fdformat mount runfloppy timer
|
|
clrhouse files p search tsk
|
|
cp frel pack sh unpack
|
|
date get_boolean patch slay ws
|
|
ddump led pwd sleep zap
|
|
diff led.init qnxsh spatch
|
|
dinit login query stty
|
|
|
|
This is a display of many useful commands. chattr changes the read/write
|
|
file attributes, cp is copy, ddump dumps disk sectors in hex & ascii, led is
|
|
the line editor, p is the file print utility, and a variety of other things
|
|
that you can experiment with at your own leisure. DO NOT USE THE TALK COMMAND.
|
|
At least, be careful if you do. If you try to communicate with your own
|
|
terminal, it locks communication with the shell, and upon hangup, for some
|
|
reason, causes a major system error and system-wide reboot, which, quite
|
|
frankly, made me say, "Oops. I'm not doing that again" when I called to check
|
|
on the actual voice mailboxes, and the phone line just sat there, dead as old
|
|
wood. I was quite relieved that it came back up after a few minutes.
|
|
|
|
The other directory, 4:/cmds, is filled with more specific commands
|
|
pertaining to functions within the voice mail system itself. These programs
|
|
are actually run from within other programs to produce an easy-to-understand
|
|
menu system. Normally, this menu system is immediately run after the entry of
|
|
the remote or console passcode, but it would not be run when using the
|
|
aforementioned security bug. It can be run from the shell simply by typing the
|
|
name of the program, console.
|
|
|
|
Mounting and Initializing Drives:
|
|
|
|
The MOUNT command produces results similar to this when run without
|
|
arguments:
|
|
|
|
$ mount
|
|
Drive 1: Hard, 360k, offset = 256k, partition= Qnx
|
|
Drive 2: Floppy, 360k, p=1
|
|
Drive 3: RamDisk, 96k, partition= Qnx
|
|
Drive 4: Hard, 6.1M, offset = 616k, partition= Qnx
|
|
$tty0 = $con , Serial at 03F8
|
|
$tty1 = $term1 , Serial at 02F8
|
|
$tty2 = $term2 , Serial at 0420
|
|
$tty3 = $mdm , Serial at 0428
|
|
|
|
The hard and floppy drives are fairly self-explanatory, although I can't
|
|
explain why they appear to be so small, nor do I know where the voice
|
|
recordings go, or if this list contain all the space required for voice
|
|
storage.
|
|
|
|
The ramdisk, however, is a bit more interesting to me. The mount command
|
|
used for the above-mentioned disk 3 was:
|
|
|
|
$ mount ramdisk 3 s=96k -v
|
|
|
|
Although I'm not sure what the -v qualifier does, the rest is fairly
|
|
straight forward. I assume that the size of the drive can be greater than 96k,
|
|
although I haven't yet played with it to see how far it can go. To initialize
|
|
the drive, the following command was used:
|
|
|
|
$ dinit 3
|
|
|
|
Quite simple, really. Now, the drive is ready for use so one can "mkdir
|
|
3:/tmp" or some such and route files there as desired, or use it for whatever
|
|
purpose. If something is accidentally redirected to the console with >$cons,
|
|
you can use the line editor "led" to create a temporary file and then use the
|
|
print utility "p" to clear the console's screen by using "p filename >$cons"
|
|
where filename contains a clear screen of 25 lines, or an ANSI bomb (if
|
|
appropriate), or a full-screen DobbsHead or whatever you like.
|
|
|
|
EVMON and password collecting:
|
|
|
|
The evmon utility is responsible for informing the system manager about
|
|
the activity currently taking place within the voice mail system. Run alone,
|
|
evmon produces output similar to:
|
|
|
|
$ evmon
|
|
Type Ctrl-C to terminate.
|
|
ln 26 tt 3
|
|
ln 26 line break
|
|
ln 26 onhook
|
|
ln 28 ringing
|
|
ln 28 tt 8
|
|
ln 28 tt 7
|
|
ln 28 tt 6
|
|
ln 28 tt 2
|
|
ln 28 offhook
|
|
ln 28 tt *
|
|
ln 28 tt 2
|
|
ln 28 tt 0
|
|
ln 28 tt 3
|
|
ln 28 tt 0
|
|
ln 28 line break
|
|
ln 28 onhook
|
|
[...]
|
|
|
|
And so forth. This identifies a certain phone line, such as line 28, and a
|
|
certain action taking place on the line, such as the line ringing, going on or
|
|
offhook, etc. The "tt" stands for touch tone, and it is, of course, the tone
|
|
currently played on the line; which means that touchtone entry of passcodes can
|
|
be recorded and filed at will. In the above example, the passcode for Mailbox
|
|
8762 is 2030 (the * key, along with the 0 key, can acts as the "user entering
|
|
mailbox" key; it can, however, also be the abort key during passcode entry, and
|
|
other things as well). Now the user, of course, doesn't usually dial 8762 to
|
|
enter his mailbox; he simply dials the mailbox number and then * plus his
|
|
passcode; the reason for this is the type of signalling coming from the switch
|
|
to this particular business line was set-up for four digit touch tone ID to
|
|
route the line to the appropriate called number. This is not the only method
|
|
of signalling, however, as I've seen other businesses that use three digit
|
|
pulse signalling, for example, and there are others as well. Each may have
|
|
it's own eccentricities, but I would imagine that the line ID would be
|
|
displayed with EVMON in most cases.
|
|
|
|
Now, let's say we're on-line, and we want to play around, and we want to
|
|
collect passcodes. We've set up our ramdisk to normal size and we are ready to
|
|
run evmon. We could run it, sit at our terminal, and then record the output,
|
|
but it's such a time consuming task (this is "real-time," after all) that
|
|
sitting and waiting be nearly pointless. So, we use the handy features of
|
|
run-in-background and file-redirection (see, I told you we were getting
|
|
"Unix-like").
|
|
|
|
$ evmon > 3:/tmp/output &
|
|
Type Ctrl-C to terminate.
|
|
5e1e
|
|
$ ...
|
|
|
|
5e1e is the task ID (TID) of the new evmon process. Now we can go off and
|
|
perform whatever lists we want, or just play in the directories, or route
|
|
DobbsHeads or whatever. When we decide to end for the day, we simply stop
|
|
EVMON, nab the file, remove it, and if necessary, dismount the ramdisk.
|
|
|
|
$ kill 5e1e
|
|
$ p 3:/tmp/output
|
|
[ EVMON output would normally appear; if, however, ]
|
|
[ there is none, the file would be deleted during ]
|
|
[ the kill with an error message resulting ]
|
|
$ rm 3:/tmp/output
|
|
$ rmdir 3:/tmp
|
|
$ mount ramdisk 3
|
|
|
|
and now we can ^D or exit out of the shell and say good-bye.
|
|
|
|
The good thing about this EVMON procedure is that you don't need to be
|
|
on-line while it runs. You could start a task sometime at night and then wait
|
|
until the next day before you kill the process and check your results. This
|
|
usually produces large log files anywhere from 40K to 200K, depending upon the
|
|
amount of system usage (these figures are rough estimates). If, however, you
|
|
start the EVMON task and leave it running, then the administrator will not be
|
|
able to start a new EVMON session until the old task is killed. While this
|
|
probably shouldn't be a problem over the weekends, during business hours it may
|
|
become a little risky.
|
|
|
|
Remember though, that the risk might be worth it, especially if the
|
|
administrator decides to check his mailbox; you'd then have his passcode, and,
|
|
possibly, remote telephone access to system administrator functions via touch-
|
|
tone on the mailbox system.
|
|
|
|
Task management:
|
|
|
|
As we have just noted, any task like EVMON can be run in the background by
|
|
appending the command line with a &, the standard Unix "run-in-background"
|
|
character. A Task ID will echo back in hexadecimal, quite comparable to the
|
|
Unix Process ID. The program responsible for task management is called "tsk"
|
|
and should be in 1:/cmds/tsk. Output from running tsk alone should look
|
|
something like:
|
|
|
|
$ tsk
|
|
Tty Program Tid State Blk Pri Flags Grp Mem Dad Bro Son
|
|
0 task 0001 READY ---- 1 ---IPLA----- 255 255 ---- ---- ----
|
|
0 fsys 0002 RECV 0000 3 ---IPLA----- 255 255 ---- ---- ----
|
|
0 dev 0003 RECV 0000 2 ---IPLA----- 255 255 ---- ---- ----
|
|
0 idle 0004 READY ---- 15 ----PLA----- 255 255 ---- ---- 0508
|
|
0 /cmds/timer 0607 RECV 0000 2 -S--P-AC---- 255 255 ---- ---- ----
|
|
0 /cmds/err_log 0509 RECV 0000 5 -S--P--C---- 255 255 0A0A ---- ----
|
|
0 /cmds/ovrseer 0A0A REPLY 0607 5 -S--P--C---- 255 255 ---- ---- 030C
|
|
0 /cmds/recorder 010B REPLY 0509 5 -S--P--C---- 255 255 0A0A 0509 ----
|
|
0 /cmds/master 030C REPLY 0607 5 -S--P--C---- 255 255 0A0A 010B 011C
|
|
[ ... a wide assortment of programs ... ]
|
|
0 /cmds/vmemo 011C REPLY 0110 13 -S-----C---- 255 255 030C 011B ----
|
|
3 /cmds/comm 0508 RECV 5622 8 ----P-A----- 255 255 0004 ---- 5622
|
|
3 /cmds/tsk 051D REPLY 0001 8 ------------ 255 255 301E ---- ----
|
|
3 /cmds/qnxsh 301E REPLY 0001 14 ---------E-- 255 255 5622 ---- 051D
|
|
3 /cmds/login 5622 REPLY 0003 8 -------C---- 255 255 0508 ---- 301E
|
|
|
|
Although I'm not quite sure at some of the specifics displayed in this
|
|
output, the important parts are obvious. The first column is the TTY number
|
|
which corresponds to the $tty list in "mount" (meaning that the modem I've just
|
|
called is $tty3, and I am simultaneously running four tasks from that line);
|
|
the second column is the program name (without the drive specification); the
|
|
third column is the task ID; the middle columns are unknown to me; and the last
|
|
three represent the ties and relations to other tasks (parent task ID, another
|
|
task ID created from the same parent, and task ID of any program called).
|
|
|
|
Knowing this, it's easy to follow the tasks we've created since login.
|
|
Initially, task 0508, /cmds/comm, was run, which presumably contains the
|
|
requisite "what should I do now that my user has pressed a key?" functions,
|
|
which called /cmds/login to log the user in. Login was interrupted with ^Z and
|
|
one of the shells, qnxsh, was called to handle input from the user. Finally,
|
|
the typing of "tsk" requires that the /cmds/tsk program be given a task ID, and
|
|
the output of the program is simply confirming that it exists.
|
|
|
|
As mentioned, to kill a task from the shell, simply type "kill [task-id]"
|
|
where [task-id] is the four digit hexadecimal number.
|
|
|
|
There are other functions of the tsk program as well. The help screen
|
|
lists:
|
|
|
|
$ tsk ?
|
|
use: tsk [f={cmoprst}] [p=program] [t=tty] [u=userid]
|
|
tsk code [p=program]
|
|
tsk info
|
|
tsk mem t=tid
|
|
tsk names
|
|
tsk size [p=program] [t=tty] [u=userid]
|
|
tsk ports
|
|
tsk tsk
|
|
tsk tree [+tid] [+all] [-net]
|
|
tsk users [p=program] [t=tty] [u=userid]
|
|
tsk vcs
|
|
tsk who tid ...
|
|
options: +qnx -header +physical [n=]node s=sort_field
|
|
|
|
I haven't seen all the information available from this, yet, as the plain
|
|
"tsk" tells me everything I need to know; however, you may want to play around:
|
|
there's no telling what secrets are hidden...
|
|
|
|
$ tsk tsk
|
|
Tsk tsk? Have I been a bad computer?
|
|
|
|
See what I mean?
|
|
|
|
ddump:
|
|
|
|
The ddump utility is used to display the contents on a specified blocks of
|
|
the disk. It's quite simple to use.
|
|
|
|
$ ddump ?
|
|
use: ddump drive block_number [-v]
|
|
|
|
Again, I'm not quite sure what the -v switch does, but the instructions
|
|
are very straightforward. Normal output looks similar to:
|
|
|
|
$ ddump 3 3
|
|
Place diskette in drive 3 and hit <CR> <-- this message is always
|
|
displayed by ddump.
|
|
Block 00000003 Status: 00
|
|
000: 00 00 00 00 00 00 00 00 94 00 00 00 00 00 00 00 ................
|
|
010: 01 00 01 00 40 02 00 00 00 02 00 00 00 00 00 00 ....@...........
|
|
020: 00 01 00 FF FF 00 00 97 37 29 17 00 01 01 01 30 ........7).....0
|
|
030: C4 17 8E 62 69 74 6D 61 70 00 00 00 00 00 00 00 ...bitmap.......
|
|
040: 00 00 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 ................
|
|
050: 00 00 00 FF FF 00 00 A5 37 29 17 00 01 01 17 30 ........7).....0
|
|
060: C4 25 8E 6C 6C 6C 00 00 00 00 00 00 00 00 00 00 .%.lll..........
|
|
070: 00 00 00 00 50 0E 00 00 00 0E 00 00 00 00 00 00 ....P...........
|
|
080: 00 01 00 FF FF 7E 05 A8 38 29 17 00 01 01 17 30 .....~..8).....0
|
|
090: C4 28 8F 61 62 63 00 00 00 00 00 00 00 00 00 00 .(.abc..........
|
|
0A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
|
0B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
|
[...etc...]
|
|
|
|
As you can probably notice, what we have here is the directory track for
|
|
the ramdisk. It lists three files, even though the file abc no longer exists.
|
|
The actual bytes have yet to be decoded, but, as far as the ramdisk goes, I
|
|
suspect that they'll be memory related, and not physical block related; that
|
|
is, I suspect that some of the numbers given above correspond to the memory
|
|
address of the file, and not to the actual disk-block. So, at least for the
|
|
ramdisk, finding specific files may be difficult. However, if you only have
|
|
one file on the ramdisk besides "bitmap" (which appears to be mandatory across
|
|
all the disks), then the next file you create should reside on track 4 and
|
|
continue working its way up. Therefore, if you have evmon running and
|
|
redirected to a file on the ramdisk, in order to check the contents, it's not
|
|
necessary to kill the process and restart evmon, etc. Simply "ddump 3 4" and
|
|
you could get either useless information (all the bytes are 00 or FF), or you
|
|
could get something like:
|
|
|
|
$ ddump 3 4
|
|
Place diskette in drive 3 and hit <CR>
|
|
|
|
Block 00000004 Status: 00
|
|
000: 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 ................
|
|
010: 6C 6E 20 20 32 36 20 74 74 20 33 1E 6C 6E 20 20 ln 26 tt 3.ln
|
|
020: 32 36 20 6C 69 6E 65 20 62 72 65 61 6B 1E 6C 6E 26 line break.ln
|
|
030: 20 20 32 36 20 6F 6E 68 6F 6F 6B 1E 6C 6E 20 20 26 onhook.ln
|
|
040: 32 38 20 72 69 6E 67 69 6E 67 1E 6C 6E 20 20 32 28 ringing.ln 2
|
|
050: 38 20 74 74 20 38 1E 6C 6E 20 20 32 38 20 74 74 8 tt 8.ln 28 tt
|
|
060: 20 37 1E 6C 6E 20 20 32 38 20 74 74 20 36 1E 6C 7.ln 28 tt 6.l
|
|
070: 6E 20 20 32 38 20 74 74 20 32 1E 6C 6E 20 20 32 n 28 tt 2.ln 2
|
|
080: 38 20 6F 66 66 68 6F 6F 6B 1E 6C 6E 20 20 32 38 8 offhook.ln 28
|
|
090: 20 74 74 20 2A 1E 6C 6E 20 20 32 38 20 74 74 20 tt *.ln 28 tt
|
|
|
|
And so forth, thus making sure that the file does have some content.
|
|
Depending upon the length of that content, you could then choose to either keep
|
|
the file running, or restart evmon and buffer the previous output.
|
|
|
|
led:
|
|
|
|
The program "led" is Centigram's answer to a standard text editor. It is
|
|
equivalent to "ed" in Unix or "edlin" in MS-DOS, but it does have its minor
|
|
differences. "led" is used to create text files, edit existing log files, or
|
|
edit executable shell scripts. By typing "led [filename]", you will enter the
|
|
led editor, and if a filename is specified, and it exists, the file will be
|
|
loaded and the editor set to line 1. If there is no filename on the command
|
|
line, the file does not exist, or the file is busy, then led begins editing a
|
|
null file, an empty buffer, without the corresponding filename.
|
|
|
|
Commands can also be specified to be used in led after the filename is
|
|
entered. If needed, you can experiment with this.
|
|
|
|
Notable commands from within led:
|
|
|
|
i insert
|
|
a append
|
|
w [filename] write to disk; if no file is named, attempt to
|
|
write to current file; if there is no current
|
|
file, do not write.
|
|
d delete current line
|
|
a number goto line numbered
|
|
q quit (if not saved, inform user to use "qq")
|
|
qq really quit
|
|
|
|
When inserting or appending, led will prompt you with a "." period. To
|
|
end your entry, simply enter one period alone on a line and you will then
|
|
return to command mode. When displaying the current entry, led will prefix all
|
|
new, updated lines, with the "i" character.
|
|
|
|
The key sequence to enter a DobbsHead into a file and redirect it to the
|
|
console, then, would be:
|
|
|
|
$ led 3:/dobbshead
|
|
3:/dobbshead : unable to match file
|
|
i
|
|
. ___
|
|
. . / \
|
|
. . | o o |
|
|
. . | Y |
|
|
. U===== |
|
|
. \___/
|
|
. FUCK YOU!
|
|
q
|
|
?4 buffer has been modified, use qq to quit without saving
|
|
w 3:/dobbshead
|
|
7 [the number of lines in the file]
|
|
q
|
|
$ p 3:/dobbshead > $cons
|
|
$ rm 3:/dobbshead
|
|
|
|
Ok, so it's not quite the DobbsHead. Fuck you.
|
|
|
|
The console utility:
|
|
|
|
The program that acts as the menu driver for the Voice Mail System
|
|
Administration, the program that is normally run upon correct passcode entry,
|
|
is /cmds/console. This program will simply produce a menu with a variety of
|
|
sub-menus that allow the administrator to perform a wide assortment of tasks.
|
|
Since this is mostly self-explanatory, I'll let you find out about these
|
|
functions for yourself; I will, however, add just a few comments about the
|
|
console utility. The first menu received should look like this:
|
|
|
|
(c) All Software Copyright 1983, 1989 Centigram Corporation
|
|
All Rights Reserved.
|
|
|
|
MAIN MENU
|
|
|
|
(M) Mailbox maintenance
|
|
(R) Report generation
|
|
(S) System maintenance
|
|
(X) Exit
|
|
|
|
Enter letter in () to execute command.
|
|
When you need help later, type ?.
|
|
|
|
COMMAND (M/R/S/X):
|
|
|
|
The mailbox maintenance option is used when you want to find specific
|
|
information concerning mailboxes on the system. For instance, to get a listing
|
|
of all the mailboxes currently being used on the system:
|
|
|
|
COMMAND (M/R/S/X): m
|
|
|
|
MAILBOX MAINTENANCE
|
|
|
|
(B) Mailbox block inquiry
|
|
(C) Create new mailboxes
|
|
(D) Delete mailboxes
|
|
(E) Mailbox dump
|
|
(I) Inquire about mailboxes
|
|
(L) List maintenance
|
|
(M) Modify mailboxes
|
|
(P) Set passcode/tutorial
|
|
(R) Rotational mailboxes
|
|
(S) Search for mailboxes
|
|
(X) Exit
|
|
|
|
If you need help later, type ?.
|
|
|
|
COMMAND (B/C/D/E/I/L/M/P/R/S/X): i
|
|
Report destination (c/s1/s2) [c]:
|
|
|
|
Mailbox to display: 0000-9999
|
|
|
|
>>> BOBTEL <<<
|
|
Mailbox Data Inquiry
|
|
Tue Mar 31, 1992 3:07 am
|
|
|
|
Box Msgs Unp Urg Rec Mins FCOS LCOS GCOS NCOS MWI Passwd
|
|
8001 1 1 0 0 0.0 5 5 1 1 None Y
|
|
8002 0 0 0 0 0.0 5 5 1 1 None Y (t)
|
|
8003 0 0 0 0 0.0 12 12 1 1 None Y
|
|
8005 0 0 0 0 0.0 12 12 1 1 None Y
|
|
8006 6 6 0 0 0.7 12 12 1 1 None N
|
|
8008 0 0 0 0 0.0 5 5 1 1 None Y
|
|
8013 0 0 0 0 0.0 12 12 1 1 None 1234
|
|
8014 0 0 0 0 0.0 5 5 1 1 None Y
|
|
8016 0 0 0 0 0.0 12 12 1 1 None Y
|
|
[ ... etc ... ]
|
|
|
|
This simply lists every box along with the relevant information concerning
|
|
that box. Msgs, Unp, Urg, Rec are the Total number of messages, number of
|
|
unplayed messages, number of urgent messages, and number of received messages
|
|
currently being stored on the drive for the mailbox; Mins is the numbers of
|
|
minutes currently being used by those messages; F, L, G, and NCOS are various
|
|
classes of service for the mailboxes; MWI is the message waiting indicator, or
|
|
service light; and Passwd is simply a Yes/No condition informing the
|
|
administrator whether the mailbox currently has a password. The "(t)" in the
|
|
password field means the box is currently in tutorial mode, and the "1234" that
|
|
replaces the Y/N condition, which means the box is set to initial tutorial mode
|
|
with simple passcode 1234 -- in other words the box is available to be used by
|
|
a new subscriber. Mailboxes with FCOS of 1 should be looked for: these
|
|
represent administration or service mailboxes, although they are not
|
|
necessarily capable of performing system administration functions.
|
|
|
|
The System Maintenance option from the main menu is very useful in that,
|
|
if you don't have access to the qnxsh, you can still run a number of tasks or
|
|
print out any file you wish from within the menu system. The System
|
|
Maintenance menu looks like:
|
|
|
|
SYSTEM MAINTENANCE
|
|
|
|
(A) Automatic Wakeup
|
|
(B) Automated Receptionist Extensions
|
|
(D) Display modem passcode
|
|
(E) Enable modem/serial port
|
|
(F) Floppy backup
|
|
(G) Resynchronize HIS PMS room status
|
|
(H) Hard Disk Utilities
|
|
(L) Lights test
|
|
(M) Manual message purge
|
|
(N) System name
|
|
(P) Passcode
|
|
(R) Reconfiguration
|
|
(S) System shutdown
|
|
(T) Time and date
|
|
(U) Utility menu
|
|
(V) Call Detail Recorder
|
|
(W) Network menu
|
|
(X) Exit
|
|
|
|
Enter letter in () to execute command.
|
|
When you need help later, type ?.
|
|
|
|
COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X):
|
|
|
|
If you don't have access to the "p" command, you can still display any
|
|
specific file on the drive that you wish to see. Choose "v," the Call Detail
|
|
Recorder option from above, and you will get this menu:
|
|
|
|
COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): v
|
|
Warning: cdr is not running.
|
|
|
|
CALL DETAIL RECORDER MENU
|
|
|
|
(C) Configure CDR
|
|
(R) Run CDR
|
|
(T) Terminate CDR
|
|
(E) Run EVMON
|
|
(F) Terminate EVMON
|
|
(S) Show CDR log file
|
|
(D) Delete CDR log file
|
|
(X) Exit
|
|
|
|
If you need help later, type ?.
|
|
|
|
COMMAND (C/R/T/E/F/S/D/X):
|
|
|
|
From here, you can use (C) Configure CDR to set the log file to any name
|
|
that you want, and use (S) to print that file to your terminal.
|
|
|
|
COMMAND (C/R/T/E/F/S/D/X): c
|
|
|
|
Answer the following question to configure call detail recorder
|
|
[ simply hit return until the last "filename" question come up ]
|
|
VoiceMemo line numbers enabled:
|
|
HOST 1 lines:
|
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|
|
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
|
|
VoiceMemo line numbers:
|
|
|
|
EVMON: HOST 1 lines to monitor:
|
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|
|
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
|
|
EVMON:VoiceMemo line numbers:
|
|
Message levels are:
|
|
1: Detailed VoiceMemo
|
|
2: VoiceMemo
|
|
3: Pager
|
|
4: Receptionist
|
|
5: EVMON
|
|
6: Automatic WakeUp
|
|
7: Open Account Administrator
|
|
8: DTMF to PBX
|
|
9: Message Waiting Lamp
|
|
10: SL-1 integration
|
|
11: Centrex Integration
|
|
Message levels enabled:
|
|
2 3 7 9
|
|
Message levels:
|
|
cdr enable = [N]
|
|
Enter filename to save log data = [/logfile] /config/remote.cmds
|
|
|
|
Returning from the CDR configuration.
|
|
|
|
CALL DETAIL RECORDER MENU
|
|
|
|
(C) Configure CDR
|
|
(R) Run CDR
|
|
(T) Terminate CDR
|
|
(E) Run EVMON
|
|
(F) Terminate EVMON
|
|
(S) Show CDR log file
|
|
(D) Delete CDR log file
|
|
(X) Exit
|
|
|
|
If you need help later, type ?.
|
|
|
|
COMMAND (C/R/T/E/F/S/D/X): s
|
|
ad
|
|
cd
|
|
copy
|
|
date
|
|
dskchk
|
|
evmon
|
|
files
|
|
ls
|
|
mount
|
|
p
|
|
pwd
|
|
query
|
|
task
|
|
tcap
|
|
what
|
|
|
|
Don't forget to return the filename back to its original name as shown in
|
|
the [] field after you have finished.
|
|
|
|
If you don't have access to the shell, you can also run EVMON, from the
|
|
CDR menu, using option E. It will simply start the evmon process displaying to
|
|
your terminal, interruptable by the break character, ^C. This, unfortunately,
|
|
cannot be redirected or run in the background as tasks running from the shell
|
|
can. If, however, you have some time to kill, you may want to play with it.
|
|
|
|
Also, from the System Maintenance menu, you can perform a number of shell
|
|
tasks without direct access to the shell. Option (U), Utilities Menu, has an
|
|
option called Task. This will allow you limited shell access, possibly with
|
|
redirection and "&" back-grounding.
|
|
|
|
COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): U
|
|
|
|
UTILITY MENU
|
|
|
|
(B) Reboot
|
|
(H) History
|
|
(T) Task
|
|
(X) Exit
|
|
|
|
Enter letter in () to execute command.
|
|
When you need help later, type ?.
|
|
|
|
COMMAND (B/H/T/X): t
|
|
|
|
Choose the following commands:
|
|
ad cd copy date
|
|
dskchk evmon files ls
|
|
mount p pwd query
|
|
task tcap what
|
|
|
|
Enter a command name or "X" to exit: pwd
|
|
1:/
|
|
|
|
Choose the following commands:
|
|
ad cd copy date
|
|
dskchk evmon files ls
|
|
mount p pwd query
|
|
task tcap what
|
|
|
|
Enter a command name or "X" to exit: evmon
|
|
Type Ctrl-C to terminate.
|
|
ln 29 ringing
|
|
ln 29 tt 8
|
|
ln 29 tt 0
|
|
ln 29 tt 8
|
|
ln 29 tt 6
|
|
ln 29 offhook
|
|
ln 29 record ended
|
|
[ ... etc ... ]
|
|
|
|
A look at "ad":
|
|
|
|
The program "ad" is called to dump information on a variety of things, the
|
|
most useful being mailboxes. Dumps of specific information about a mailbox can
|
|
be done either in Mailbox format, or Raw Dump format. Mailbox format looks
|
|
like:
|
|
|
|
$ ad
|
|
Type #: 0
|
|
Mailbox #: 8486
|
|
(M)ailbox, (D)ump ? m
|
|
|
|
MAILBOX: 8486
|
|
|
|
Login status:
|
|
Bad logs = 3 Last log = 03/26/92 12:19 pmVersion = 0
|
|
|
|
Configuration:
|
|
Name # = 207314 Greeting = 207309 Greeting2 = 0
|
|
Passcode = XXXXXXXXXX Tutorial = N Extension = 8486
|
|
Ext index = 0 Attendant = Attend index = 0
|
|
Code = ID = BOBTECH
|
|
Day_treat = M Night_treat = M Fcos = 12
|
|
Lcos = 12 Gcos = 1 Ncos = 1
|
|
Rot index = 0 Rot period = 0
|
|
Rot start = --
|
|
wkup defined = N wkup freq = 0 wkup_intvl = 0
|
|
wkup index = 0 wkup number =
|
|
|
|
Contents:
|
|
Motd_seq = 8 Motd_played = N User_msgs = 0
|
|
Caller_msgs = 4 Sent_cpx_msgs= 0 Sent_fdx_msgs= 0
|
|
Sent_urg_msgs= 0 Tas_msgs = 0 Pages = 0
|
|
Receipt = 0 Sent_to_node = 0 Urg_to_node = 0
|
|
Net_urg_mlen = 0 Net_msgs_rcv = 0 Net_urg_rcv = 0
|
|
Net_sent_node= 0 Net_send_nurg= 0 Net_send_rcp = 0
|
|
Greet_count = 9 Successlogins= 1 Recpt_calls = 0
|
|
Recpt_complt = 0 Recpt_busy = 0 Recpt_rna = 0
|
|
Recpt_msgs = 0 Recpt_attend = 0 User_connect = 20
|
|
Clr_connect = 22 Callp_connect= 0 Disk_use = 498
|
|
Net_sent_mlen= 0 Net_rcvd_mlen= 0 Net_rcvd_urg = 0
|
|
Net_node_mlen= 0 Net_recip_mlen=0 Net_node_urg = 0
|
|
Text_msg_cnt = 0
|
|
|
|
|
|
Message Queues:
|
|
TYPE COUNT TOTAL HEAD TAIL TYPE COUNT TOTAL HEAD TAIL
|
|
Free 71 --- 58 55 Unplayed 0 --- -1 -1
|
|
Played 2 0.5 56 57 Urgent 0 --- -1 -1
|
|
Receipts 0 --- -1 -1 Undelivered 0 --- -1 -1
|
|
Future delivery 0 --- -1 -1 Call placement 0 --- -1 -1
|
|
|
|
Messages: 2
|
|
# msg # DATE TIME LENGTH SENDER PORT FLAGS MSG SIBL
|
|
(MINS) NXT PRV NXT PRV
|
|
Played Queue
|
|
56 207126 03/26/92 12:17 pm 0.5 000000000000000 27 ------P- 57 -1 -1 -1
|
|
|
|
57 207147 03/26/92 12:19 pm 0.1 000000000000000 29 ------P- -1 56 -1 -1
|
|
|
|
The Raw Dump format looks like:
|
|
$ ad
|
|
Type #: 0
|
|
Mailbox #: 8487
|
|
(M)ailbox, (D)ump ? d
|
|
|
|
HEX: 8487
|
|
000: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
|
|
010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
|
|
020: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 34 38 |..............48|
|
|
030: 37 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |7...............|
|
|
040: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
|
|
050: 00 00 00 00 00 00 00 00 - 00 00 42 49 4f 54 45 43 |..........BOBTEC|
|
|
060: 48 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |H...............|
|
|
070: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
|
|
080: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 37 32 33 |.............723|
|
|
090: 36 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |6...............|
|
|
0a0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
|
|
0b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
|
|
0c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
|
|
[mostly deleted -- the list continues to hex fff.]
|
|
|
|
One of the unfortunate aspects is that the password is not displayed in
|
|
the Mailbox format (Awwww!). I can tell you now, though, that it also isn't
|
|
displayed anywhere in the Raw Dump format. The program "asetpass" was used to
|
|
change the password of a test mailbox, and both full dumps were downloaded and
|
|
compared; they matched exactly. So, it looks like the passcodes are probably
|
|
stored somewhere else, and the dump simply contains a link to the appropriate
|
|
offset; which means the only way, so far, to get passcodes for mailboxes is to
|
|
capture them in EVMON.
|
|
|
|
Intricacies of the login program:
|
|
|
|
The console login program is 1:/cmds/login. Although I can't even
|
|
recognize any valid 8080 series assembly in the program (and I'm told the
|
|
Centigram boxes run on the 8080 family), I did manage to find a few interesting
|
|
tidbits inside of it. First, the console and remote passwords seems to be
|
|
stored in the file /config/rates; unfortunately, it's encrypted and I'm not
|
|
going to try to break the scheme. /config/rates looks like this:
|
|
|
|
$ p /config/rates
|
|
\CE\FFC~C~\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00
|
|
\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\00\00\00\00\00\00\00
|
|
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
|
|
|
|
Accepting the \CE as some sort of control byte, this file is divided up
|
|
into about eight empty sections of five bytes a piece, mostly null, indicating
|
|
that, possibly, there are a number of acceptable passcode combinations, or a
|
|
number of different functions with different passcodes. In this instance, only
|
|
one passcode appears to be selected. I am still unsure, however, whether this
|
|
is actually a password file, or a file that would act as a pointer to another
|
|
space on the disk which contains the actual password. I would assume, for this
|
|
login program, that it is actually an encrypted password.
|
|
|
|
Another very interesting thing sleeping within the confines of the login
|
|
program is the inconspicuous string "QNX." It sits in the code between two
|
|
"Enter Passcode:" prompts, separated by \00s. I believe this to be a system
|
|
wide backdoor placed into the login program by Centigram, Corp. Such a thing
|
|
does exist; whenever Centigram wants to get into a certain mailbox system to
|
|
perform maintenance or solve a problem, they can. They may, however, require
|
|
the serial number of the machine or of the hard drive, in order to get this
|
|
access. This serial number would be provided by the company requiring service.
|
|
|
|
When logging in with QNX, a very strange thing happens.
|
|
|
|
(^Z)
|
|
Enter Passcode: (QNX^M) Enter Passcode:
|
|
|
|
A second passcode prompt appears, a prompt in which the "QNX" passcode
|
|
produces an Invalid Passcode message. I believe that when Centigram logs in
|
|
from remote, they use this procedure, along with either a predetermined
|
|
passcode, or a passcode determined based on a serial number, to access the
|
|
system. I have not ever seen this procedure actually done, but it is the best
|
|
speculation that I can give.
|
|
|
|
I should also make note of a somewhat less important point. Should the
|
|
console have no passcodes assigned, a simple ^Z for terminal activation will
|
|
start the /cmds/console program, and log the user directly in without prompting
|
|
for a passcode. The odds on finding a Centigram like this, nowadays, is
|
|
probably as remote as being struck by lightning, but personally, I can recall a
|
|
time a number of years back when a Florida company hadn't yet passcode
|
|
protected a Centigram. It was very fun to have such a large number of people
|
|
communicating back and forth in normal voice; it was even more fun to hop on
|
|
conferences with a number of people and record the stupidity of the average
|
|
Bell operator.
|
|
|
|
Special Keys or Strings:
|
|
|
|
There are a number of special characters or strings that are important to
|
|
either the shell or the program being executed. Some of these are:
|
|
|
|
? after the program name, gives help list for that program.
|
|
& runs a task in the background
|
|
: sets the comment field (for text within shell scripts)
|
|
; command delimiter within the shell
|
|
> redirects output of a task to a file
|
|
< (theoretically) routes input from a file
|
|
$cons the "filename" of the console (redirectable)
|
|
$tty# the "filename" of tty number "#"
|
|
$mdm the "filename" of the modem line
|
|
#$ ? produces a value like "1920", "321d"
|
|
probably the TID of the current process
|
|
## ? produces a value like "ffff"
|
|
#% ? produces a value like "0020", "001d"
|
|
#& ? produces a value like "0000"
|
|
#? ? produces a value like "0000"
|
|
#* a null argument
|
|
#g ? produces a value like "00ff"
|
|
#i directly followed by a number, produces "0000"
|
|
not followed, produces the error "non-existent integer variable" probably
|
|
used in conjunction with environment variables
|
|
#k accepts a line from current input (stdin) to be
|
|
substituted on the command line
|
|
#m ? "00ff"
|
|
#n ? "0000"
|
|
#p ? "0042"
|
|
#s produces the error "non-existent string variable" probably used in
|
|
conjunction with environment variables
|
|
#t ? "0003"
|
|
#u ? some string similar to "system"
|
|
#D ? "0018"
|
|
#M ? "0004"
|
|
#Y ? "005c"
|
|
|
|
"Centigram Voice Mail System Consoles" was written anonymously. There are no
|
|
group affiliations tied to this file.
|
|
_______________________________________________________________________________
|