Difference between revisions of "Category:2big Network"

Revision as of 19:18, 11 January 2012

Steppenwolf's Hacking HOWTO

Steppenwolf has an excellent HOWTO on his blog. It is in Italian unfortunately but Google Translate does a great job.

What will follow now is a copy of his Google Translated blog post to preserve it should it ever be taken offline and to provide the NAS-Central users with as much info as possible.

This definately needs to be reviewed and gramatically corrected!

General Information

The goal of this post is to add a shell ssh daemon ntpd to your nas, but before doing so it is good to understand a little machine with which we deal. The LaCie 2big Network nas taken as reference and on which was performed this procedure has the official firmware, distributed by LaCie , updated to version 2.2.3.

 # cat /proc/cpuinfo
 
Processor: ARM926EJ-S rev 0 (v5l)
BogoMIPS: 266.24
Features: swp half thumb fastmult EDSP
CPU Implementer: 0x41
CPU architecture: 5TEJ
CPU variant: 0x0
CPU part: 0x926
CPU revision: 0
Cache type: write-back
Cache clean: CP15 c7 ops
Cache lockdown: format C
Cache format: Harvard
The size: 32768
I assoc: 1
The line length: 32
The sets: 1024
D size: 32768
D assoc: 1
D line length: 32
D sets: 1024

Hardware: Feroceon
Revision: 0000
Serial: 0000000000000000 

 # cat /proc/version

Linux version 2.6.22.7 (root @ grp-dash) (gcc version 4.2.1) # 1 Fri 9 April 2009 16:07:45 EDT 

 # free
       total  used  free shared buffers
Mem:   61952 60184  1768   7384 0
Swap:    128   376    60    184 0 128 376
Total: 190328 130144 

 # df-h

Filesystem Size Used Available Use% Mounted on
rootfs 648.4M 20.2M 595.3M 3% /
648.4M 20.2M 595.3M 3% udev / dev
/ Dev/md0 7.5M 5.9m 1.2M 83% / oldroot
udev 10.0M 0 10.0M 0% / oldroot / dev
udev 10.0M 0 10.0M 0% / oldroot / dev
ninth 30.3M 30.3M 0% 0 / oldroot / dev / shm
/ Dev/md1 167.0M 111.3M 47.1M 70% / oldroot / var / original
/ Dev/md2 648.4M 20.2M 595.3M 3% / oldroot / snapshots
unionfs 648.4M 20.2M 595.3M 3% /
/ 1.2M 930.4G 930.4G dev/md4 0% / home 

 # cat /proc/partitions

major minor # blocks name

8 0 976762584 sda
8 1 1 sda1
8 2 975755970 sda2
8 5 128457 sda5
Sda6 8 6 8001
Sda7 8 7 8001
8 8 176683 sda8
8 9 674698 sda9
8 10 8001 sda10
8 16 976762584 sdb
8 17 1 sdb1
8 18 975755970 sdb2
8 21 128457 sdb5
8 22 8001 sdb6
8 23 8001 sdb7
8 24 176683 sdb8
8 25 674698 sdb9
8 26 8001 sdb10
31 0512 mtdblock0
7936 9 0 md0
9 1 176576 md1
9 2 674624 md2
9 3 128384 md3
9 4 975755904 MD4 

 # cat /proc/mtd

dev: size erasesize name
mtd0: 00080000 00010000 "cfi_flash_0" 

In short, it is a Linux operating system with a very dated (sic) kernel compiled for ARM processor architecture, 400mhz cpu, 64mb of ram (the new models have 128 MB of RAM) and bootloader uboot. From the limited information obtained from the official site seems to have been used to build the system scratcbox and starting services and daemons used initng instead of init.d The problems that arise are many: the retrieval of software already compiled for the system (unless you jump headlong into cross-compiling) compatible with the versions used by the library and the creation of nas startup script to initng. The scripts for initng found on the network must be modified slightly to make them work on the system, given that developers have not complied fully with the specifications initng to include all the *. script in the folder /etc/initng/ without performing the division in subfolders (daemon for demons, net for network services, etc..)

Hacking

Disclaimer: I do not assume any responsibility if, following the changes made, your system stops working properly. I remind you also that any software or hardware changes to the system will void the warranty by the manufacturer.

Access to the system is crucial to add to our nas a bash script that executes commands at will (webshell) or, preferably, an ad hoc script to start the telnet service and have a root console remote. There are several ways to "pierce" your nas, in fact, depending on the services started on the machine the safety of this object is far down the drain. A very simple way to access the system without physically removing disks is to create a new share with a particular path. (See below) You will have access to the entire system with administrator privileges since the webserver has the nas as root.

2Big Network Web Browser Hacked

The counterpart of this hack is that the machine is rebooted, the share created by the system is changed (security mechanism?) And redirected into your root share, forcing them to have to re-apply the 'patch' whenever you feel the need to access the your Linux system. Even the removal of the new share is to be performed with extreme care. My suggestion is to remove this share once it has nas were uploaded on the telnet daemon and its startup files (see below).

Hacking through the creation of a new share

Create a new share on your NAS called "Hack". The path of the share is not important what is important is that you enable at least sharing http. Save the xml configuration of your NAS disk (System-> Maintenance-> Save Configuration) Make a backup copy of the file you just saved (Fatelo! you will need it later to put things in order). Edit the file downloaded xml configuration changing the path of sharing "Hack" as shown:

  edconf.xml

Keep in mind the lines of the code of your xml files can be different than shown above, in relation to the number of shares of your car, by users and groups.

Save your changes and upload the new configuration on the NAS (System-> Maintenance-> Download the configuration) Use your browser and access the administration page of nas and click Browse to navigate to the new share on the web.

The magic is performed by line ../../../../ which requires the system to create a new share from the root. If you try to unshare "hacks" do harm to your system, it also will remove together with shared files in it (so the operating system of the NAS). A painless way to make the removal of the load sharing is the backup configuration previously done nas (edconf.xml) and only after unshare 'hack' normally through the web interface.

Once you have access to the filesystem, for more with root rights (!), You can upload all the files you want.

Binaries compiled for ARM architecture, and configuration files for pam and initng

From here on, you will need this file:

>> LaCie_2Big_Network_ [TELNET] [NTP] [SSH] [CUPS]. zip (6.79 Mb)

containing all the binaries and libraries, compiled for the ARM architecture, you need to install on your nas demons Telnet, NTP, OpenSSH and Cups. The archive contains the following files:

• cups-1.3.8-r1.tbz2 (1.89 Mb), containing all files of the print service. is included in the archive library also libpaper ( libpaper-1.1.23.tbz2 ) required by the cups and not found in nas.
• cups-1.3.8-r1_(driver).tbz2 (3.74Mb), containing all ppd in the deployment of ubuntu 9.10. This file, of course, is not on the website where I recovered the compiled binaries for the nas.
• cups-1.3.8-r1_(language).tbz2 (419KB), containing the translation in all major languages, including Italian, html pages cups. This file is not on the website where I recovered the compiled binaries for the nas.
• ntp-4.2.4_p4.tbz2 (247KB), containing the binaries and configuration files for the NTP daemon
• openssh-4.7_p1-r6.tbz2 (490Kb), containing the binaries and configuration files for the ssh daemon. The archive also contains the libraries tcp-wrappers ( tcp-wrappers-7.6-r8.tbz2 ) required by the daemon is not present in nas.
• usbutils-0.73.tbz2 (86.2 Mb). This file is not necessary to install nas it is required to run cups, however, can help by installing the executable lsusb .
• utelnetd.tbz2 (5.7Kb), containing the demon utelnetd and a file to run (see next paragraph for more info)

The original files I have recovered from the site:

where there are many pre-compiled packages for the buffalo nas. Except that these packages are designed for a system that uses no inet.de initng, so I had to create my hand the scrip to start sshd, ntpd and cups (respectively /etc/initng/sshd.i , /etc/initng/ntpd.i and /etc/initng/cups.i ). I can assure you that it was not a pretty sight: the documentation is somewhat lacking and on the official forum of the project initng is overwhelmed by spam. (How I love spammers : Evil: )

I wanted to leave separate packages, avoiding to make a single archive, so that you have the greatest choice of what to install. From the files I removed the man page and docs.

Add telnet to NAS

The archive utelnetd.tbz2 contains two files, the telnet daemon and a file to launch it and configure the bash on your system. Copy the two files in the folder /www/cgi-bin/public/ previously created through the sharing. Here is the contents of the file telnet.cgi:

 # / Bin / sh
echo "Content-type: text / plain"
echo ""

# Settings for root bash shell
HOME = '/ root'
PATH = '/ usr / local / bin: / bin: / sbin: / usr / bin: / usr / sbin:.:'
TERM = linux

PS1 = '\ u @ \ h: \ w #'
PS2 = '>'
PS3 = '>'
PS4 = '+'
export PS1 PS2 PS3 PS4 PATH HOME TERM

Run # telnet daemon
utelnetd echo-l / bin / bash
utelnetd eval-l / bin / bash 

You can launch your telnet daemon from a web browser at:

 http://<your.nas.ip>/cgi-bin/public/telnet.cgi 

If the page is white and not worry infinite load, run telnet client can also list your address of nas and enjoy your root console without login. (Hooray safety!) Once you have a console at all the effects you can even think about making a step forward with installing openssh security.

Installing OpenSSH

Copy the file openssh-4.7_p1-r6[modificato].tbz2 in your shared folder on the NAS. From the console, telnet performed:

# Cd / home / share / nome_cartella_della_vostra_condivisione
# Tar openssh-4.7_p1-xvjf r6.tbz2-C /
# Rm openssh-4.7_p1-r6.tbz2
# Cd / etc / initng / runlevels /
# Echo sshd>> default.runlevel
# Touch / var / log / lastlog 

At first startup after installation of ssh nas will, for once, the slower, the cause is the automatic creation of files:

ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_key
ssh_host_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub 

required for the operation of the ssh daemon itself (folder /etc/ssh/ ).

Here is the configuration file ( sshd.i ), included in the archive for initng for the sshd daemon:

#! / Sbin / iType

# NAME: OpenSSH
# DESCRIPTION: The standard Linux SSH servers
# WWW: http://www.openssh.com/

service sshd / {generate_keys
  env KEYGEN = / usr / bin / ssh-keygen;
  RSA1_KEY env = / etc / ssh / ssh_host_key;
  RSA_KEY env = / etc / ssh / ssh_host_rsa_key;
  DSA_KEY env = / etc / ssh / ssh_host_dsa_key;
  script start = {
    [!  -S $ {RSA1_KEY}] & & \
      {} $ KEYGEN-q-t-f $ {rsa1 RSA1_KEY}-C-N2> & 1
      if [!  -S $ {RSA_KEY}], then
        {} $ KEYGEN-q-t rsa-f $ {} RSA_KEY-C-N2> & 1
          chmod 600 $ {} RSA_KEY
          chmod 644 $ {} RSA_KEY. pubs
      fi
      if [!  -S $ {DSA_KEY}], then
        {} $ KEYGEN-q-t dsa-f $ {} DSA_KEY-C-N2> & 1
          chmod 600 $ {} DSA_KEY
          chmod 644 $ {} DSA_KEY. pubs
      fi
   }
}

{sshd daemon
  need bootmisc = virtual / net mountfs;
  pid_file = / var / run / sshd.pid;
  = need sshd / generate_keys;
  exec daemon = / usr / sbin / sshd-D;
  daemon_stops_badly;
  respawn;
} 

Another problem is the bang, even here, the file listed in the original does not work and I had to edit it by hand. Here's the new content:

#% PAM-1.0

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so 

Modify it to your discretion (file /etc/pam.d/sshd ).

Persistence of user privileges

The problems do not end there, however. At each restart of the machine the file /etc/passwd and /etc/shadow is overwritten. In particular, each new user created through the web interface of the NAS does not have the right to log into the remote console nas. Ex:

admin: x: 500:100:: / home: / bin / false 

The /bin/false is our problem! To remedy the situation I created a service for initng called personal, which allows you to restore the privileges of an account:

#!/sbin/itype
#
# Change the line user = "user" instead of inserting a 'user' user name you created

{personal service
  need edconfd = / ready;
  last;
  script start = {
    user = "user"
    PASSWD = "$ user: x: 0:0:: / root: / bin / bash"
 
    if ["x` cat / etc / passwd | grep $ user `" == "x"]; then
      echo $ PASSWD>> / etc / passwd
      echo "Insert user $ user done"> & 2
    else
      LINE = "` cat / etc / passwd | grep $ user `"
      if ["$ LINE"! = "$ PASSWD"]; then
        sed-i "s # $ {# LINE} $ {PASSWD} # g" / etc / passwd
        echo "User $ user restored"> & 2
      fi
    fi
    exit 0
  };
} 

It is assumed that the user has been previously created using the web interface of nas.

The only change required is to change the string user="utente" , instead of entering the user name of the user you created. The script involves changing the privileges of the user (which will become an alter ego of the root) and the ability to remotely log into the ssh shell. The file is not present in any archive, but you can download it here:

• personal.i (first version)
• personal2.i (version for savvy)

To start automatically at boot script to copy the file nas personal.i in the folder /etc/initng/ and run:

 # cd /etc/initng/runlevels/
 # echo personal >> default.runlevel 

Once the script has been added you can finally get rid of your telnet daemon and its startup files from the folder /www/cgi-bin/public/ . For good luck I suggest you reboot the machine and make sure everything works as you wait for us to remove the first two rows.

Problems with passwd and up and customizing of the bash promtp

When developers have completed the system of LaCie have left out, deliberately I think, something ... Login as root and run the nas (remember telnet access you have is the root):

 # Vi / etc / busybox.conf 

Put these lines, save the file and exit the editor

 [SUID]
passwd = ssx 0.0
su = ssx root.0 

From the console, always with the root account, run these commands:

 # Chown 0.0 / etc / busybox.conf
# Chmod 600 / etc / busybox.conf
# Chown 0.0 / bin / busybox
# Chmod 4755 / bin / busybox 

The problems of and passwd are over.

If you want the extended prompt of bash I recommend editing the file /etc/profile.bash change the line:

 PS1 = '[\ u @ \ h \ W] \ $' 

in

 PS1 = '[\ u @ \ h \ w] \ $' 

Installing NTP

Copy the file ntp-4.2.4_p4.tbz2 (247KB) in your shared folder on the NAS. From the console, with the active root privileges, run:

 # Cd / home / share / nome_cartella_della_vostra_condivisione
# Tar-xvjf 4.2.4_p4.tbz2 ntp-C /
# Rm-r ntp-4.2.4_p4.tbz2
# Cd / etc / initng / runlevels /
Ntpd # echo>> default.runlevel 

This here is the configuration file, included in the archive for initng for the ntpd daemon:

 #! / Sbin / iType

{ntpd daemon

NTPD_PID env = / var / run / ntpd.pid; need bootmisc = virtual / net; require_network; exec daemon = / usr / sbin / ntpd-c / etc / ntp.conf-p $ {} NTPD_PID; forks; pid_file = $ {} NTPD_PID; respawn;

} 

Do not forget to properly configure your time zone. You can do it from the web page configuration "system" of your nas. Finally reboot the NAS.

Installing CUPS (print server)

Copy the file cups-1.3.8-r1.tbz2 (1.89Mb) in your shared folder on the NAS.

From the console, with the active root privileges, run:

 # Cd / home / share / nome_cartella_della_vostra_condivisione
# Tar-cups-1.3.8-xvjf r1.tbz2-C /
# Rm-r cups-1.3.8-r1.tbz2
# Cd / etc / initng / runlevels /
Cupsd # echo>> default.runlevel 

Open the web interface of the NAS and click Groups and then add, and create a new group named "lpadmin" group and add the user that you created earlier to access the NAS through ssh.

 # Vi / etc / sysconfig / modules 

Add a line usblp , as shown and saved.

File /etc/sysconfig/modules

The last step requires the system to load automatically when the module that supports printing to USB port. Remember that the commands for editing a file with the vi editor is the "i" to insert new text, and "ESC" + ": wq" to save and exit.

Here is the configuration file, including archive, to automatically start the daemon via cups initng:

 #! / Sbin / iType

# NAME: CUPS
# DESCRIPTION: The Common Unix Printing System
# WWW: http://www.cups.org

{daemon cupsd

= bootmisc need dbus virtual / net avahi; require_network; exec daemon = / usr / sbin / cupsd-F-f / etc / cups / cupsd.conf;

} 

You must also edit the file /etc/cups/cupsd.conf to allow remote administration of the cups, or inactive. To help you carry my configuration file . For further help on how to configure the cups I refer you to the official website www.cups.org .

Even the cups I had to edit the file by hand pam. Here's the new content:

 #% PAM-1.0

auth required pam_unix.so
account required pam_unix.so 

Modify it to your discretion (file /etc/pam.d/cups ).

Once rebooted, the cups will be running and accessible at the door of your nas 631:

 https://indirizzo_nas:631 

The files cups-1.3.8-r1_(driver).tbz2 and cups-1.3.8-r1_(launguage).tbz2 , are optional and contain the drivers and the translation of the web, install them or not is your choice. You can also install only the Italian language from the archive by removing cups-1.3.8-r1_(launguage).tbz2 the language folders you do not want, the same applies to the file with the drivers.

To print in raw form (pre-formatted output) must uncomment the following line from the file /etc/cups/mime.convs :

 application / octet-stream application / vnd.cups-raw 0 - 

Make sure also not commented the following line of the file /etc/cups/mime.types :

 application / octet-stream 

In linux the printer will be found at (watch at times there is no need to specify the port number):

 ipp: / / indirizzo_nas: 631/printers/nome_stampante 

Ex:

 ipp: / / 192.168.1.100:631 / printers/ML-3050 

In Windows XP click on "Add Printer" and to add a new network printer and select "printer on the Internet or on your home or business" and use the URL:

 http://indirizzo_nas:631/printers/nome_stampante 

Select, finally, the driver for your printer. A small clarification, the samba of NAS has not been compiled with support for the cups. ( libcups.so.2 )

Restoration

You can restore the previous state of the NAS file system changes by updating the firmware, even with the same version installed on the NAS, in my case 2.2.3, using the utility from LaCie same provision. However you can not do this if the NAS is no longer visible on the network, because the utility does not perform the upgrade process if you do not see the above nas.

Links

   uboot
   scratcbox
   buildroot
   www.initng.org , preferably see http://gitorious.org/initng/ .
   Lacie NAS-Central
   General NAS-Central Forums

   (Binaries compiled for ARM)
   LaCie (support page)
   LaCie LPG
   www.cups.org , Common UNIX Printing System. 

Speculations

A very interesting idea that came to mind is to change the raid of nas. In particular, use external hard drives, usb docking ports, as part of the raid using raid 5, or add an external HD to use as spares in case of failure. I have not done any testing on this, mainly for lack of hd, but if someone had the same idea and my feeling is there let me know something. :-)

Upgrading the kernel (?!?)

Thanks

I thank the members of the forum "General NAS-Central Forums", which with their helpful post allowed the writing of this article and especially to pierce my nas. :-)

Reviews

1. http://www.smallnetbuilder.com/content/view/30379/75/

Links

1. http://www.linuxdevices.com/news/NS2898756158.html
2. http://www.steppen-wolf.eu/blog/2009/11/18/lacie-2big-network-hack-telnet-openssh-ntpd-cups-and-more

Internal Images