General NAS-Central Forums

 Post subject: NSA-2400 backdoor?
PostPosted: Tue May 28, 2013 9:31 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
Is there any possible backdoor for a NSA-2400?

I know it's an i386 running embedded Linux, Apache web srv.

The old bios seems to boot from a USB stick, but I've got a new bios version now? Downgrade won't work.

Also the stick FPP won't work.

Seems to be a rather good closed thing.


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Wed May 29, 2013 8:26 am 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
Do you have a firmware file for me? I can't find it @ZyXEL.


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Wed May 29, 2013 3:23 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
Hi MijZelf (funny name, btw it's the Dutch word for Myself :D),

Let me explain. Got a minute?

The firmware is not in the regular place, but you can find it here: ftp://ftp.zyxel-tech.de/2.new_mirror/NSA-2400/firmware (Don't ask me why those guys put it here.)

All versions are here, the latest being NSA-2400_2.15(AFA.0)C0.fwp. In this version the BIOS file comes separately (being: bios-r12d-r18.fwp).

It seems that the original bios was configured to boot from USB if a bootable device was connected at system startup. Now obviously, when I bought it the latest Bios was installed (;-<). So if you know how to downgrade it? The original bios or an early version doesn't seem to be anywhere.

It seems to be an i386 (1.3GHz VIA C3 processor). With Embedded Linux 2.6 as OS (quite nice).

Then I tried to extract the *.fwp file to see if there are any back doors. But I don't know how to extract this file.

I saw your fw_extract program but I don't know if this is an i386 Linux binary (it says it is ELF but I can't run it on an Intel machine).

I just installed 1Gb RAM in this machine and that worked quite well (it is shown in the admin console so I think this worked). I'm dying to get this box open to boot Linux or to get a telnet connection to it (with root access).

So if you know of any backdoor like the other ZyXEL NAS systems, please tell me.

Regards.
Arnoud.


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Wed May 29, 2013 6:33 pm 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
Hm. The firmware is not helpful. The fwp files have a 128 bytes header, followed by a salted, encrypted payload. Without key impossible to decrypt. There seems to be one 'universal' key in ZyXEL firmwares, the content of /etc/ZyPrivate, but none of the cyphers supported by openssl could decrypt it with that key.

When I looked at the NSA2401 firmware (which is a totally different PowerPC based box) I found that it supports usb_key_func.sh. So maybe yours does too. You can try. Download universal_usb_key_func.zip, extract it to a FAT formatted USB stick, rename nsa220_check_file to nsa2400_check_file, rename usb_key_func.sh.telnet to usb_key_func.sh.2, plug it in the NAS, and reboot it. Maybe it has a telnet daemon running after reboot.

That fw_extract program is an Arm binary, which is used to extract the different parts of the firmware for a NSA3xx box.


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Wed May 29, 2013 9:13 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
I've read all the stuff about the usb_key_func.sh and I understand what it does. When I put the USB stick in and start the NAS it blinks at first start and is mounted at the second part. But it doesn't seem to run the usb_key_func.sh.2. Then I changed the usb_key_func.sh.2 so it looks like this:
#!/bin/sh

echo HELLO WORLD>/mnt/IAMALIVE.txt
telnetd -l /bin/sh
exit 1

But there is no output on the USB stick after this.

So I think the usb_key_func.sh.2 is not executed at all.

Then I tried different names for the *_check_file like: NSA-2400 or NSA_2400 or NSA2400 uppercase lowercase etc.

No result.

I have the idea it is looking on the USB stick but for a different file.

If you have any suggestions let me know.


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Thu May 30, 2013 7:51 am 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
There are 2 possible mountpoints, /mnt/ and /mnt/parnerkey/. The first mountpoint was used on fw <=2.20, and the 2nd on 2.30+. The nsa220_check_file assumes /mnt/parnerkey/, so if it works you should echo to /mnt/parnerkey/IAMALIVE.txt (btw, you used Linux line endings, I hope?).

These firmware versions are for the Arm NASses. The NSA2401 fw 1.20 uses /mnt/parnerkey/

If the mountpoint is /mnt/ you should use nsa220_check_key.220-


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Thu May 30, 2013 6:52 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
I tried it both ways so with the /mnt and with the /mnt/partnerkey it doesn't seem to work. I'm now looking on ways to get the old bios back. Tried to set the battery jumper, no result. Press (and hold the Bios Reset button), no result.
I think that maybe the file name like nsa2400_check_file is not what is expected at boot time. If you have other suggestions let me know.


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Thu May 30, 2013 7:01 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
Oh yeah. The partner key should work because I found an article from ZYtech News Vol.5 No.7 July 2009: Upgrade NSA2400's FW via USB Partner Key
So it should work. The article itself is gone, sadly. Tried several name combinations.


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Thu May 30, 2013 7:38 pm 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
Partner key? Some typo somewhere? The mount place for an usb_key_func.sh key is /mnt/parnerkey without 't'.

Anyway, there might be other attack vectors.
  • I suppose you already did a portscan?
  • In the manual I read the box has a reset button to reset the password. Maybe it can also open a telnet backdoor.
  • Have you checked the board for a serial port?
  • An ext2/3 formatted USB stick containing a symlink to /
    Code:
    ln -s / /mountpoint/of/stick/root
    might give access to the filesystem root, over samba, nfs or ftp.
  • If you can store your configuration in an external file, this file might give possibilities to enable telnetd and restore it.
  • Have you ever looked if the disk(s) contains any system configuration files?


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Thu May 30, 2013 9:34 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
suppose you already did a portscan?
>> Yes, every single time :D

In the manual I read the box has a reset button to reset the password. Maybe it can also open a telnet backdoor.
>> No, what happened is that the configuration got reset.

Have you checked the board for a serial port?
>> Isn't there. Opened the cabinet, not on the mainboard.

A ext2/3 formatted USB stick containing a symlink to /
Code:
ln -s / /mountpoint/of/stick/root
might give access to the filesystem root, over samba, nfs or ftp.
>> Created a new partition on the USB (fdisk and mkefs), then made the symbolic link, didn't work out. It doesn't show the symbolic links.

>> Then I tried with a USB and made an ExtVolume1 JBOD on it in the WebAdmin. Put it into a Linux laptop and installed lvm2. Then created symbolic links to root, etc, var and mnt.

And that worked!!! :D

I'm now looking into the files to see if the usb_key_func.sh is executed in the init RC somewhere...

To be continued.
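
The symlink approach in this exchange depends on a file service following links that leave the exported volume. As an added example (not part of the thread and not ZyXEL code), this shell function lists symlinks on a mounted volume that resolve outside it, so a volume can be checked before it is shared; the function names and the sample layout are made up for illustration, and `readlink -f` from GNU coreutils or BusyBox is assumed.

```shell
#!/bin/sh
# Constructed sample: a volume with one harmless link and one link to "/".
make_sample_volume() {
    mkdir -p "$1/share" &&
    echo data > "$1/share/file.txt" &&
    ln -s share/file.txt "$1/inside" &&
    ln -s / "$1/root"
}

# list_escaping_symlinks VOLUME_ROOT
# Prints "link -> target" for each symlink whose resolved target is outside
# VOLUME_ROOT. Exit status: 0 = clean, 1 = escapes found, 2 = bad argument.
list_escaping_symlinks() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    found=$(find "$root" -type l | while IFS= read -r link; do
        # readlink -f resolves the whole chain of links to a physical path
        target=$(readlink -f "$link" 2>/dev/null)
        case "$target" in
            "$root"|"$root"/*) ;;   # resolves inside the volume: fine
            *) printf '%s -> %s\n' "$link" "${target:-unresolvable}" ;;
        esac
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: sh script.sh /path/to/mounted/volume
if [ "$#" -gt 0 ]; then list_escaping_symlinks "$1"; fi
```

On Samba, `wide links = no` keeps the server from following links that point outside the share.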


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri May 31, 2013 12:21 pm 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
It's probably in /etc/init.d/rcS


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri May 31, 2013 12:26 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
I think I found a lot, but haven't tested it...

I've copied all the files of / (;->)

Then I checked if the daemon binary is there, no bin no live!
telnetd found in \usr\bin !
sshd found in \usr\bin !

- searched for text "usb_key_func.sh" in all scripts: No result!
- searched for text "parner" in all scripts: No result!
No it's not the same as the universal_key_func procedure


But I got the DMESG:
- Linux version 2.6.15.7
- root@NSA-2400_BM) (gcc version 3.4.3 (MontaVista 3.4.3-25.0.70.0501961 2005-12-18) http://en.wikipedia.org/wiki/MontaVista http://www.mvista.com/
- console=tty0 (where is this?)

Found parameter "USBKEY" in S93nasinit.sh. This script is calling: /usr/local/enas/sbin/MountUsbkey.sh and this script is sourcing: source /usr/local/enas/sbin/default_settings, setting:

USBKEY_ROOT="/e-data/usbkey"

in MountUsbkey.sh:
IDENTITY=${USBKEY_ROOT}/key_identity <- this is important!


This file is checked for
USB4 /dev/sde volume1_a45b4093 UNKNOWN N/A KB xfs yes scsi_id=4:0:0:0 (this is from the map file)


And all USB ports are mounted (always on /e-data/usbkey/) and checked for

/key_identity - file <- In this should be the word "FEATURE" 1 or "BURNIN" 2 or "PARTNER" 3 or "EMPTY" 255


"PARTNER" 3
There is a check sum check (quite complex) <- Haven't tried this yet

The file that is executed is:
/e-data/usbkey/p_setup.sh

But
"BURNIN" 2 <- looks quite simple and without a check (;->)
/e-data/usbkey/BIT_files/StartBIT.sh is always executed!

so I made a ./BIT_files/StartBIT.sh (copy of usb_key_func.sh.2)

But there's an extra backdoor (the last step in the script always calls a script):
/e-data/usbkey/p_setup.sh

It seems to be executed always?
So I also placed a p_setup.sh on the USB stick. Just in case.

Have to test this tonight :D
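
A boot-time hook that executes scripts straight from a removable-media mount point, as described in this post, is something a firmware audit should flag. The following is an added example, not code from the thread or from the firmware: a shell function that searches an extracted root filesystem for script lines that run or source files under such a mount point. The sample scripts are constructed around the file names mentioned above, and the function names are illustrative.

```shell
#!/bin/sh
# Constructed sample rootfs; file names follow the post, script bodies are made up.
make_sample_rootfs() {
    d="$1/usr/local/enas/sbin"
    mkdir -p "$d" || return 1
    echo 'USBKEY_ROOT="/e-data/usbkey"' > "$d/default_settings"
    cat > "$d/MountUsbkey.sh" <<'EOF'
#!/bin/sh
. /usr/local/enas/sbin/default_settings
IDENTITY=${USBKEY_ROOT}/key_identity
# sh ${USBKEY_ROOT}/disabled.sh
if [ -f "$IDENTITY" ]; then
    sh ${USBKEY_ROOT}/BIT_files/StartBIT.sh
fi
/e-data/usbkey/p_setup.sh
EOF
}

# audit_media_exec ROOTFS MOUNTPOINT
# Prints "file:line:text" for script lines that run or source a file under
# MOUNTPOINT, written literally or through a variable assigned to that path.
audit_media_exec() {
    rootfs=$1 mnt=$2
    # Names of variables whose assigned value starts with the mount point
    vars=$(grep -rIhoE "^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=\"?${mnt}" "$rootfs" |
           sed -E 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)=.*/\1/' | sort -u)
    # Path prefixes to look for: the literal mount point, $VAR and ${VAR}
    prefix=$mnt
    for v in $vars; do prefix="$prefix|\\\$$v|\\\$\\{$v\\}"; done
    # Command position (line start or after ; & | then do else), optionally
    # preceded by sh/bash/source/. ; comment lines are dropped afterwards.
    pat="(^|[;&|]|then|do|else)[[:space:]]*((sh|bash|source|\\.)[[:space:]]+)?\"?($prefix)/"
    grep -rInE "$pat" "$rootfs" | grep -vE ':[0-9]+:[[:space:]]*#'
}

# Stand-alone use: sh script.sh /path/to/extracted/rootfs /e-data/usbkey
if [ "$#" -eq 2 ]; then audit_media_exec "$1" "$2"; fi
```

Plain reads such as the `key_identity` assignment are not reported; only lines where a file on the key is executed or sourced are.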


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri May 31, 2013 1:36 pm 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
roeby wrote:
- console=tty0 (where is this?)
It's a serial port. But it could be anything from only 3 solder islands on the mobo, to a 3-pin header, to a fully equipped 25 pin sub-d connector.

Can you upload the contents of /etc somewhere? Is it much?


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri May 31, 2013 1:42 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
Yes it is much (everything)

Also found:
--------------------------
if( $form->start ){

$msg = "Please inform remote assistant that Remote Help system is successfully turned on.";
$script='BackDoorOpenSSH.sh';


if (ZynasUtils::exec($script, $output) != 0)
{
$this->log->debug('Utils',"Apply $script Error", __LINE__);
$msg = "Remote Help Failed";
------------------------------
In RemoteHelpAction.php in \opt\WEB-INF\classes

Have to try this also tonight..
I guess I can call this with: http://192.1658.1.3/RemoteHelpAction.php or http://192.1658.1.3/classes/Utils/RemoteHelpAction.php?

So we've got multiple options here :D


 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri May 31, 2013 4:24 pm 

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
ssh is running now after putting the following in the .. file

#!/bin/sh

echo "Hello World USB Key">/e-data/usbkey/IAMALIVE.txt

/usr/sbin/telnetd
/usr/sbin/sshd
exit 1

Your line for telnet didn't work

I've got the passwd file so either brute force the pwd or you might have a clue?
root:b9Yd5w16x9v/U:0:0:root:/root:/bin/bash
NsaRescueAngel:wrvDZs49NKhK6:997:97::/tmp:/bin/su

