How does Dentrix G6.2 Authentication work?
I thought since Dentrix G6.2 has arrived I would check out how the Authentication works and, more importantly, if there were any vulnerabilities. So let's check it out!
As you can see from the above, they now allow running Dentrix as a Standard User. This is GREAT! Also, they have moved away from a Database GUID to a Database User Password. GREAT!
Can we still read the database with Faircom ACE?
The first thing I did was to see if I could read the Database on another Faircom ACE Server. This was still possible even though the system tables have now been camouflaged and you need the same exact version of the Faircom ACE Server or HIGHER to read this database. So try out Faircom ACE 11.0 if you would like to just read your database files as an alternative method.
How does the new Database Passphrase authentication work?
Each client has to know the database passphrase to connect to the database. This is now saved locally in %ProgramFiles%\Dentrix\dtx.config. This file tells the client what the password is for ADMIN and DTXUSER. When you change the passphrase for the database, it also changes the passwords for ADMIN and DTXUSER.
How do other companies access the Dentrix Database?
Other companies have to use the Dentrix Developer Program to access the database. At some point in the installation you must run a DTXCreateUser type program that will add a user for the company to talk to the database. As far as I can tell the new USERNAME is RANDOMLY created and the password is hard-coded and added to the G6 database. This information is saved in the Apteryx Config folder in a file called DentrixG6_2_DRL_helper.DAT, which is encrypted. So when a client wants to connect, it reads this file and then connects.
Apteryx Credentials Example:
Username:AlUiAhPxGmotvvrpXcdDIJIWnfVzsVg
Password:dQaHHxEWO7JxYf4HdEKppyT5bJEswpJVaa0Vp2EWnAYvT2RUBB
I am *pretty* sure the usernames are randomly generated. If they are off of a list, then I think this could be vulnerable to anyone that has the list, as the password is pretty easy to find.
So are there any vulnerabilities? Just one. Hard-coded credentials for unknown users that can access patient data.
When you install Dentrix there are 4 database users. ADMIN and DTXUSER seem safe from hackers trying to steal patient data from Wifi or a server exposed to the internet. But 2 usernames stand out in this list. DDPUSER has a password that is "DvLprPgM" without quotes. I have seen this password before, I believe in G6.1.
I logged in, and DDPUSER could access the patient table without a problem. I reinstalled Dentrix with a different servername, a different serial number and a different passphrase, and the password remained the same. The DPDBACCESS user has the same level of access and its password is: Xb9jH71t
With Dentrix G6 and G6.1 the hard-coded username and password that can access patient data is:
Username: NSFXNHWAABSZ Password: JH48t7xu
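Added example, not part of the original post: a small log check a defender could run to spot logons by the hard-coded accounts named above. The log line format, the trusted subnet and the sample lines are assumptions constructed for illustration; this is not Faircom ACE's actual log format.

```python
import ipaddress
import re

# Account names taken from the post: built-in users whose passwords do not
# change with the database passphrase.
HARDCODED_ACCOUNTS = {"DDPUSER", "DPDBACCESS", "NSFXNHWAABSZ"}

# Assumption: the office LAN segment where the Dentrix workstations live.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Assumption: a generic "timestamp LOGON user=<name> src=<ip>" line.
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log lines.
SAMPLE_LOG = """\
2016-03-01T08:02:11 LOGON user=DTXUSER src=192.168.10.21
2016-03-01T08:05:40 LOGON user=ddpuser src=192.168.10.30
2016-03-01T23:47:03 LOGON user=DPDBACCESS src=203.0.113.77
2016-03-01T23:48:19 LOGON user=NSFXNHWAABSZ src=not-an-ip
garbage line that does not parse
"""

def classify_source(src):
    """Return 'trusted', 'untrusted' or 'unparsed' for a source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparsed"
    return "trusted" if any(addr in net for net in TRUSTED_NETS) else "untrusted"

def find_hardcoded_logons(log_text):
    """Return (severity, timestamp, user, source) for each built-in account logon."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not logon records
        user = m["user"].upper()  # normalise case so a variant spelling is not missed
        if user not in HARDCODED_ACCOUNTS:
            continue
        # A logon from the office LAN is marked for review; anything else alerts.
        severity = "review" if classify_source(m["src"]) == "trusted" else "alert"
        findings.append((severity, m["ts"], user, m["src"]))
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_logons(SAMPLE_LOG):
        print(*finding)
```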
Is the social security number encrypted like Eaglesoft 18?
No. They are plain text; see the screenshot above. Although I did Google the hard-coded credential for DDPUSER and I never found anything on public FTP servers that stored patient data. So, that is a plus. At least I won't have to worry about the fuzz. (joke)
Are the ADMIN and DTXUSER passwords hard to find?
No. These are of course based off of a Database Passphrase that YOU decide, but let's say you want ODBC access. If your database passphrase is "TESTtest1." without quotes then your passwords are:
ADMIN: mu5MAa959n9w3SK2MnvP0OwbnO7CjmKdRh8Ajv92ZTtEm9c7Ny
DTXUSER: C0w3qb5Hcd3OTFGlzA75sKR6hRfzgyxvMugsBDQBQUSkdaqAS4
Enjoy! ;)