July 28, 2005
Getting root access on Fastora NAS-T4
The Fastora NAS-T4 is a rather inexpensive RAID array which runs FreeBSD. I purchased one of these so I could have a large amount of NAS storage available for all my machines to backup to. One complaint I had was that I wanted shell access so I could make any config changes I want to it. The product allows root ssh access, but loads into their custom shell which only lets you perform a few restricted things.**
The information that follows can be used to potentially render your NAS-T4 inoperable. If you do this don't expect Fastora to help you. They lock you out of root for a reason.
**
Fortunately the designers of this custom shell don't know enough about validating user input. The ping utility they're nice enough to provide can be used to execute arbitrary commands on the NAS-T4 as root since it just hands off whatever you type to the shell as an argument to ping. So when prompted for an IP address, a simple IP of "192.168.0.1 ; cat /etc/passwd" is nice enough to show us /etc/passwd, albeit severely unreadable because of their gui's screen formatting. No matter, though, because something as simple as "192.168.0.1 ; cp -R /etc /volume1/public1" will copy the entire /etc folder over to the default shared directory that it should have created when you setup the NAS-T4. From there you're free to browse all the files in /etc to your heart's content.
Now for some useful tricks. If you ever try to ssh in using a non-root account you've created you get a Login Denied error. To fix this, just ping "192.168.0.1 ; rm /var/run/nologin". Now your non-root accounts will login and get a shell. Nice.
Of course, the real goal is root, so let's do that. The quickest way to do that is a simple ping to "192.168.0.1 ; mv /root/bin/uishell /root/bin/uishell.old ; ln -s /bin/sh /root/bin/uishell". Now try to ssh in as root and you're greeted with a beautiful sight:
_____________________________________________________________
| |
| Welcome to Synology Filer! |
|___________________________________________________________|
root> id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 99(users)
root>
Posted 1 week, 3 days ago on July 28, 2005
The trackback url for this post is http://www.colynx.com/~bsneddon/blog/bblog/trackback.php/11/
The trackback url for this post is http://www.colynx.com/~bsneddon/blog/bblog/trackback.php/11/
Comments have now been turned off for this post