LaCie D2 Network

Ethernet disk mini v2
SuperPoney
Posts: 7
Joined: Mon Jun 01, 2009 11:53 am

Post by SuperPoney » Mon Jun 01, 2009 4:30 pm

Hi everyone,
I've been playing with my new LaCie D2 network (2.2.2), and tried to open some backdoor in order to launch a telnet session. Here are the specs of LaCie's D2 network.

First I've opened the NAS and unplugged the hard drive. I've also made a copy of the original disk. I've put a smaller one in my new box ;) It's easy to avoid breaking the warranty seal. This is just a sticker on one of the 4 rear screws. So do not unscrew the one with the sticker and rotate the rear part to get the disk. Here are some pics I've taken:

[Images]

Then I've plugged the hard drive into my computer and booted with a KNOPPIX live CD:
Here is the partition info (sorry the screen cap is in French):
Image

Drive's content (the "troppix" folders are created by the liveCD):

1. /dev/sda2 : data

total 4
0 drwxr-xr-x 5 root root   43 2009-05-28 22:46 .
4 drwxr-xr-x 7 root root 4096 2009-06-01 14:09 ..
0 drwxr-xr-x 3 root root   16 2009-05-28 22:46 download
0 drwxr-xr-x 9 root root   93 2009-05-28 22:36 share
0 drwxr-xr-x 2 root root    6 2000-01-02 01:26 tmp

2. /dev/sda9 : system :?: (659 MiB)

total 44
 4 drwxr-xr-x 6 root root  4096 2009-05-27 20:03 .
 4 drwxr-xr-x 7 root root  4096 2009-06-01 14:09 ..
 8 -rw-r--r-- 1 root root  5363 2009-06-01 16:52 edconf.xml
 4 drwxr-xr-x 4 root root  4096 2014-11-05 07:58 EDMINI
16 drwx------ 2 root root 16384 2000-01-01 01:00 lost+found
 4 drwxr-xr-x 3 root root  4096 2000-01-01 01:00 snaps
 4 drwxr-xr-x 2 root root  4096 2009-05-30 12:46 troppix

3. /dev/sda8 : boot :?: (173 MiB)

total 39
 1 drwxr-xr-x 21 root root   1024 2009-05-27 20:03 .
 4 drwxr-xr-x  7 root root   4096 2009-06-01 14:09 ..
 2 drwxrwxr-x  2 root root   2048 2009-06-01 00:23 bin
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 boot
 1 drwxrwxr-x  2 root root   1024 2009-05-11 12:55 dev
 2 drwxrwxr-x 26 root root   2048 2009-06-01 14:20 etc
 1 drwxr-xr-x  2 root users  1024 2009-03-23 17:45 home
 2 drwxrwxr-x  7 root root   2048 2009-05-11 12:55 lib
12 drwx------  2 root root  12288 2009-05-11 12:54 lost+found
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 media
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 mnt
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 opt
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 proc
 1 drwxr-x---  2 root root   1024 2009-03-23 17:45 root
 2 drwxrwxr-x  2 root root   2048 2009-05-11 12:55 sbin
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 sys
 1 drwxrwxrwt  2 root root   1024 2009-03-23 17:45 tmp
 1 drwxr-xr-x  2 root root   1024 2009-05-30 12:46 troppix
 1 drwxrwxr-x 10 root root   1024 2009-05-11 12:55 usr
 1 drwxrwxr-x 15 root root   1024 2009-05-11 12:55 var
 1 drwxrwxr-x  7 root root   1024 2009-05-11 12:55 www

4. /dev/sda7 : boot backup :?: (8 MiB)

total 35
 1 drwxr-xr-x 21 root root  1024 2009-05-27 20:03 .
 4 drwxr-xr-x  7 root root  4096 2009-06-01 14:09 ..
 1 drwxr-xr-x  2 root root  1024 2009-05-11 12:55 bin
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 boot
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 dev
 1 drwxr-xr-x  3 root root  1024 2009-05-30 13:13 etc
 1 drwxr-xr-x  3 root root  1024 2009-05-11 12:55 home
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 include
 1 drwxr-xr-x  4 root root  1024 2009-05-11 12:55 lib
12 drwx------  2 root root 12288 2009-05-11 12:55 lost+found
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 mnt
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 opt
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 proc
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 root
 1 drwxr-xr-x  2 root root  1024 2009-05-11 12:55 sbin
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 snapshots
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 sys
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 tmp
 1 drwxr-xr-x  2 root root  1024 2009-05-30 12:46 troppix
 1 drwxr-xr-x  4 root root  1024 2009-05-11 12:55 usr
 1 drwxr-xr-x  5 root root  1024 2009-05-11 12:55 var

As far as I've read on the nas-central forum, this NAS looks like a fanless EDmini V2.
I've got some trouble hacking this little thing (this is my first NAS hack). First strange thing: the "www/cgi-bin/admin" is now "www/cgi-bin/public".
I've put a backdoor cgi file, as Jimmy explains in his blog, in "www/cgi-bin/public" of the /dev/sda8 drive.

It works :
Image
but I'm surely missing something with "complex" shell commands :
Image
"cd ..", "ls -lsa", "cd /" are not understood (urlencoding ? how to do that).

So far so good, I've made a copy of the "utelnetd" binary inside my www/cgi-bin/public (since I can't use complex commands).
Using my backdoor I can call the telnet daemon:
http://cerise/cgi-bin/public/exploit.cgi?utelned

But when I try to telnet my D2 I can't connect. With the admin and root login, telnet directly answers "invalid user" (no password prompt). Users created with the web interface let me type a password, but I've got an error and I'm kicked from telnet (error in French "Perte de connection à l'hôte" which can be translated by "connection dropped").

I've tried all this day to create a new user in the passwd and the shadow file as described in Jimmy's blog, without success.
If I modify a file in /dev/sda9/snaps/00/ect/ the file is overwritten.
I've tried to modify the passwd and shadow file stored in /dev/sda8/etc/ but I must be missing something, this has no effect. Here is my passwd file:

root:x:0:0:root:/root:/bin/sh
new_root:x:1000:0:new_root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/var:/bin/sh
sshd:x:22:22:sshd:/dev/null:/bin/false
nobody:x:65534:65534:Nobody:/:/bin/false
anonymous:x:65534:65534:Nobody:/:/bin/false
messagebus:x:101:101::/dev/null:/bin/false
haldaemon:x:102:102::/dev/null:/bin/false
avahi:x:103:103::/dev/null:/bin/false
admin:x:500:100:LaCie Ethernet Disk mini Admin:/home:/bin/false 

and add in the shadow file:

new_root::12488:0:99999:7:::

or

new_root:<copy of my admin encrypted password>:12488:0:99999:7:::

For the moment I'm stuck here. If someone's got an idea to go further, I'll appreciate the effort :geek:

Thanks !
SuperPoney
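
An added example, not part of the original post or of LaCie's firmware: when reviewing a NAS system partition mounted offline, a short audit of the passwd and shadow text surfaces entries like the ones quoted above (an extra login account in group 0, an empty shadow password field, a shared UID). The `audit` function and its issue labels are this example's own names, and the input is a subset of the lines in the post.

```python
# Added example: offline audit of passwd/shadow text read from a mounted disk image.
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Subset of the passwd file quoted in the post, plus its first shadow variant.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
new_root:x:1000:0:new_root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/false
operator:x:11:0:operator:/var:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/false
anonymous:x:65534:65534:Nobody:/:/bin/false
admin:x:500:100:LaCie Ethernet Disk mini Admin:/home:/bin/false
"""
SHADOW = "new_root::12488:0:99999:7:::\n"


def rows(text, min_fields):
    """Yield colon-separated records, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"malformed record: {line!r}")
        yield fields


def audit(passwd_text, shadow_text):
    """Return (account, issue) pairs worth a reviewer's attention."""
    hashes = {f[0]: f[1] for f in rows(shadow_text, 2)}
    first_owner = {}  # uid -> first account name seen with that uid
    findings = []
    for name, _pw, uid, gid, _gecos, _home, shell in (r[:7] for r in rows(passwd_text, 7)):
        login = shell not in NOLOGIN
        if uid == "0" and name != "root":
            findings.append((name, "uid-0-alias"))
        if gid == "0" and name != "root" and login:
            findings.append((name, "root-group-login"))
        if login and hashes.get(name) == "":
            findings.append((name, "empty-password"))
        if uid in first_owner:
            findings.append((name, f"duplicate-uid:{first_owner[uid]}"))
        first_owner.setdefault(uid, name)
    return findings


if __name__ == "__main__":
    for account, issue in audit(PASSWD, SHADOW):
        print(f"{account}: {issue}")
```

Comparing the findings against a known-good copy of the same partition separates accounts shipped by the vendor (here `operator`) from ones added later.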

SuperPoney
Posts: 7
Joined: Mon Jun 01, 2009 11:53 am

Re: LaCie D2 Network

Post by SuperPoney » Wed Jun 03, 2009 5:51 pm

Finally I found a solution to hack the D2 Network and the LaCie's "XX network family".

If a moderator comes here, this thread should be moved to the "2big Network" sub-section of this forum, since the "D2 network" belongs to this family.

I'll post a detailed howto to hack this NAS (here of course 8-) ).
