Root access on the NS2 using a symlink on an USB-stick/disk

Post by Mijzelf » Sun Aug 28, 2011 7:22 pm

When reading around on the web, I stumbled upon this, and guess what? It works.

In short:
Format a USB stick/disk as ext2/3 and create a symlink on it:

Code:

ln -s / theroot

Plug it into the NS2, and use AjaXplorer to follow the symlink to the root.
Now you can download /etc/initng/runlevel/default.runlevel, edit it (beware: you'll have to use *nix line endings; on Windows, PsPad can do it for you), and upload it again.
Then download /etc/shadow, copy the password of admin (which you know) to root and upload it again. (Line endings!)
Reboot, and you should be able to log in using ssh.

Create a keypair, and put the public key in /root/.ssh/authorized_keys, as Lacie likes to reset your root password.

!!!Warning!!! and disclaimer.
If you make mistakes in editing and/or uploading the files, it is possible that you brick the box. These files are crucial for a proper working system.
If you brick your box, it's your fault, and not mine.

Edit: On second thought, a bricked box should be fine after a factory reset.
Edit2: About Lacie resetting the root-password: link.
Edit3: Firmware 2.0.5 is a bit different. The ssh daemon is started on port 2222. More information here.

Post by ltree » Mon Aug 29, 2011 10:39 pm

Well, this is by far the easiest method I've seen so far. I haven't yet tested it myself but I'll believe you that it works. It's kind of worrying though that the firmware has this many holes in it, although thankfully most of them need the admin password to actually work.

Post by cyberdog » Tue Aug 30, 2011 6:40 am

I tried this last night :|
The USB stick is made, and I see all the contents of / :D
But my browser on Mac OS 10.7.1 doesn't want to download the shadow file ?? :(

Post by Mijzelf » Tue Aug 30, 2011 8:40 am

ltree wrote: It's kind of worrying though that the firmware has this many holes in it
I don't consider this a hole. You'll need physical access to the box (put a prepared USB stick in it) to apply the method. When you've got physical access you can also take the disk out. Or grab the whole unit.
Vulnerabilities over the network, or worse, over the internet, are holes.

@cyberdog: Are you logged in as admin?

Post by cyberdog » Tue Aug 30, 2011 9:40 am

Mijzelf wrote: @cyberdog: Are you logged in as admin?
Yes.
I will be back home tonight, and I'll try again.

See you later

Post by cyberdog » Tue Aug 30, 2011 6:37 pm

Download:
My problem is solved with Firefox.
Download the file "shadow"
put my password
uploaded
restart the NS2
but the password is not accepted?
Can someone help me?

Lacie NS2 firmware 2.05

Post by Mijzelf » Tue Aug 30, 2011 6:49 pm

cyberdog wrote: put my password
Which password? It's a salted hash, so you can't just put a password.

My shadow:

Code:

root:$1$akg3X1FP$Y9tPJiNMGbzfVEaDwasZ50:12542:0:99999:7:::
bin:*:12488:0:99999:7:::
daemon:*:12488:0:99999:7:::
sync:*:12488:0:99999:7:::
shutdown:*:12488:0:99999:7:::
halt:*:12488:0:99999:7:::
operator:*:12488:0:99999:7:::
nobody:*:12488:0:99999:7:::
anonymous::12488:0:99999:7:::
messagebus:!:12488:0:99999:7:::
haldaemon:!:12488:0:99999:7:::
avahi:!:12488:0:99999:7:::
admin:$1$vAyQnXfM$q2y3RZBAKVKimcJ64fUMI/:12488:0:99999:7:::

You'll have to copy the part between the first two colons after 'admin' to the corresponding place after root.
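
Added example, not part of the original post: an audit over /etc/shadow-format text that reports what an edit like the one discussed here leaves behind (two accounts sharing one hash, CRLF line endings from a Windows editor) along with empty password fields and MD5-crypt (`$1$`) hashes. The sample input is constructed, its hash strings are placeholders, and the function name and finding labels are assumptions.

```python
from collections import defaultdict

# Constructed sample in /etc/shadow format; the hash strings are placeholders.
SAMPLE_SHADOW = (
    "root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:12542:0:99999:7:::\n"
    "bin:*:12488:0:99999:7:::\n"
    "anonymous::12488:0:99999:7:::\n"
    "messagebus:!:12488:0:99999:7:::\r\n"      # line saved with a CRLF ending
    "admin:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:12488:0:99999:7:::\n"
)

def audit_shadow(text):
    """Return sorted (account, finding) pairs for the contents of a shadow file."""
    findings = set()
    by_hash = defaultdict(list)
    for raw in text.split("\n"):
        if not raw.strip():
            continue
        line = raw.rstrip("\r")
        fields = line.split(":")
        name = fields[0]
        if raw != line:
            findings.add((name, "crlf-line-ending"))
        if len(fields) != 9:                   # shadow entries have nine fields
            findings.add((name, "malformed-entry"))
            continue
        pw = fields[1]
        if pw == "":
            findings.add((name, "empty-password"))   # no password required
        elif pw.startswith(("*", "!")):
            continue                           # locked account, no usable hash
        else:
            by_hash[pw].append(name)
            if pw.startswith("$1$"):
                findings.add((name, "md5-crypt-hash"))
    for names in by_hash.values():
        if len(names) > 1:                     # same salt and digest: copied entry
            for n in names:
                others = ",".join(x for x in names if x != n)
                findings.add((n, "hash-shared-with:" + others))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{account:12} {finding}")
```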

Post by cyberdog » Tue Aug 30, 2011 7:29 pm

root:$1$$1RDUuTsVHjre9juUvuICX.:12542:0:99999:7:::
bin:*:12488:0:99999:7:::
daemon:*:12488:0:99999:7:::
sync:*:12488:0:99999:7:::
shutdown:*:12488:0:99999:7:::
halt:*:12488:0:99999:7:::
operator:*:12488:0:99999:7:::
nobody:*:12488:0:99999:7:::
anonymous::12488:0:99999:7:::
messagebus:!:12488:0:99999:7:::
haldaemon:!:12488:0:99999:7:::
avahi:!:12488:0:99999:7:::
admin:$1$LPe2p9r2$DPRdb4xIzejeH8PG96h.S1:12488:0:99999:7:::
gauthier:$1$pg6APmGv$pw2LYkvht9As8XsEVC2zz/:12488:0:99999:7:::
remy:$1$IIFeSgNp$MGcs2O4EHnU3M1xINASpk0:12488:0:99999:7:::
laurent:$1$4DhX3ifk$7Lj7kytOCNTha9Pr0kaft/:12488:0:99999:7:::
this :


admin:$1$LPe2p9r2$DPRdb4xIzejeH8PG96h.S1:12488:0:99999:7:::

Post by Mijzelf » Tue Aug 30, 2011 8:03 pm

Yes. That should exchange
root:$1$$1RDUuTsVHjre9juUvuICX.:12542:0:99999:7:::

Including the dot at the end.

Post by cyberdog » Tue Aug 30, 2011 8:28 pm

But after reboot, nothing works.

Code:

Last login: Tue Aug 30 22:19:37 on ttys000
You have mail.
I3ATTON:~ laurent$ ssh root@192.168.1.12
root@192.168.1.12's password: 
Permission denied, please try again.

Post by Mijzelf » Wed Aug 31, 2011 9:41 am

Maybe Lacie disabled root login in your firmware version? Have a look in /etc/ssh/sshd_config. There should be no 'PermitRootLogin no'.

Post by cyberdog » Wed Aug 31, 2011 10:10 am

Thank you for your time

Code:

Subsystem sftp internal-sftp
Protocol 2
PermitRootLogin yes
DenyGroups nogroup users
Port 2222

Post by Mijzelf » Wed Aug 31, 2011 10:22 am

You're welcome.

Is that the contents of your /etc/ssh/sshd_config? In that case you should use port 2222 to connect. But obviously there is also an ssh daemon on port 22?

Post by Deiv » Wed Aug 31, 2011 10:24 am

Hi guys,

I'm not so sure about this procedure...
You wrote:

<Format an USB stick/disk ext2/3, create a symlink on it using command "ln -s / theroot" >
----OK

<Plug it in the NS2, and use the AjaXplorer to follow the symlink to the root>
----Why use AjaXplorer to modify a text file if a Linux system is needed to create the symlink? Is a Linux OS not good for text editing?

<Now you can download /etc/initng/runlevel/default.runlevel, edit it (beware, you'll have to use *nix lineendings, when on Windows, PsPad can do it for you), and upload it again. Then download /etc/shadow, copy the password of admin (which you know) to root and upload it again. (lineendings!) >
----Why download the file from the USB stick and upload it again when it can be done directly on the USB stick?
----INITNG is a "speed-boot project" and I think it isn't installed on almost any Unix system; you need to install and configure the package. If done, the default.runlevel file contains custom lines, so I think it is very difficult to simply remove the # character from a line...

Sorry for my questions, but I would like to better understand this procedure.
Thanks a lot guys and have a nice day.
Cheers

Deiv

Post by Mijzelf » Wed Aug 31, 2011 10:55 am

Deiv wrote: ----Why use AjaXplorer to modify a text file if a Linux system is needed to create the symlink? Is a Linux OS not good for text editing?
Sure. But then you'll have to open the NAS and take the disk out. AjaXplorer is a service which runs in the web interface ('WebBrowser'), and using this you can follow the symlink on the share. This cannot be done using Samba, as it doesn't follow symlinks. Maybe FTP would work, I haven't tested it.

Deiv wrote: <Now you can download /etc/initng/runlevel/default.runlevel, edit it (beware, you'll have to use *nix lineendings, when on Windows, PsPad can do it for you), and upload it again. Then download /etc/shadow, copy the password of admin (which you know) to root and upload it again. (lineendings!) >
----Why download the file from the USB stick and upload it again when it can be done directly on the USB stick?
Nothing except one symlink is on the USB stick; you're accessing the system partition on the NAS.

Deiv wrote: ----INITNG is a "speed-boot project" and I think it isn't installed on almost any Unix system; you need to install and configure the package. If done, the default.runlevel file contains custom lines, so I think it is very difficult to simply remove the # character from a line...
initng is the init system used by the NS2. And the contents of default.runlevel are extremely simple:

Code:

initial
dbus
udev
hald
clock
dhcdbd
logrotate
syslogd
klogd
swap
modules
mountfs
mountuserfs
raid
usb
hostname
NetworkManager
http
getty/1
#sshd
cron
unicorn
thumbd
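
The method in this thread depends on the web file manager following a symlink stored on the share to a target outside it, which the posts above say Samba does not do. As an added example (not from the thread, and not AjaXplorer's or LaCie's code), this is the containment check a file service can apply before serving a path; the function names and the temporary directory standing in for the mounted USB share are assumptions.

```python
import os
import tempfile

class PathEscapeError(Exception):
    """Requested path resolves outside the exported share."""

def resolve_in_share(share_root, requested):
    """Return the real path for `requested`, or raise if it leaves the share.

    Symlinks are resolved before the containment test, so a link such as
    `theroot -> /` stored on the exported volume cannot be used to step out.
    """
    root = os.path.realpath(share_root)
    # Treat the request as relative to the share, even if it starts with '/'.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscapeError(f"{requested!r} resolves to {candidate!r}")
    return candidate

def demo():
    """Build a constructed share holding the thread's symlink and probe it."""
    results = {}
    with tempfile.TemporaryDirectory() as share:
        os.symlink("/", os.path.join(share, "theroot"))   # ln -s / theroot
        with open(os.path.join(share, "notes.txt"), "w") as fh:
            fh.write("ordinary file\n")
        requests = ("notes.txt", "theroot/etc/shadow", "../etc/shadow", "theroot")
        for req in requests:
            try:
                resolve_in_share(share, req)
                results[req] = "allowed"
            except PathEscapeError:
                results[req] = "blocked"
    return results

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

A service using this should open the returned path rather than the requested one. A window between check and open remains, which Linux's openat2 with RESOLVE_BENEATH closes by enforcing containment in the kernel.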
