Dropbear without disassembling (Networkspace)

From NAS-Central Lacie Wiki
Revision as of 22:50, 13 December 2010 by Mijzelf


Howto install

Download dropbear.zip here, extract it to openshare, open 'openme.html' in a browser, and follow the instructions.

Dropbear will be installed and started, and the root password will be reset to 'root'.

How it works

It uses the trick described in this thread; I only added some automation.


It is possible to copy any subdirectory to any other place using http://networkspace/cgi-bin/admin/backup. Just browse to http://networkspace/cgi-bin/admin/backup?update=true&select1=targetdir&select2=sourcedir. In this case it will generate a new directory like this:

targetdir/<basename-of-sourcedir>-2010121315121292277769

The suffix looks like a timestamp, but on closer inspection it seems to be something different.


The new directory name is created in /usr/bin/edmini_backup.sh:

DATE=`date +%Y%m%d%H%m%s`

At first sight this looks like a neat timestamp, but when you look at 'man date', you will find something else:

%Y Year, 4 digits
%m Month (01..12)
%d Day (01..31)
%H Hour (00..23)
%m Month (again) (01..12)
%s seconds since 1970-01-01 00:00:00 UTC

So while I would have chosen another string, it's perfectly predictable when you know the time on the server at the moment the backup started.
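The following added example (not part of the original page or the NAS firmware) decodes the sample suffix quoted above, showing that the calendar fields follow the server's local clock while %s is plain UTC epoch seconds, and contrasts it with a suffix drawn from the OS random generator. The function names are hypothetical, and the offset calculation assumes a whole-hour timezone, since the suffix carries no minutes field.

```python
# Added example: helper names are constructed, not taken from edmini_backup.sh.
import secrets
from datetime import datetime, timedelta, timezone

FIELDS = ((0, 4), (4, 6), (6, 8), (8, 10), (10, 12))  # %Y %m %d %H %m


def backup_suffix(epoch: int, utc_offset_hours: int = 0) -> str:
    """Reproduce `date +%Y%m%d%H%m%s` for a server clock at the given UTC offset."""
    local = datetime.fromtimestamp(epoch, timezone(timedelta(hours=utc_offset_hours)))
    # %m appears twice (month, not minutes); %s is the epoch, independent of timezone.
    return local.strftime("%Y%m%d%H%m") + str(epoch)


def parse_suffix(suffix: str) -> dict:
    """Split a suffix into its fields and derive the server's UTC offset."""
    if not suffix.isdigit() or len(suffix) < 13:
        raise ValueError("not a %Y%m%d%H%m%s suffix")
    year, month, day, hour, month2 = (int(suffix[a:b]) for a, b in FIELDS)
    epoch = int(suffix[12:])
    if month != month2:
        raise ValueError("second %m field does not repeat the month")
    utc = datetime.fromtimestamp(epoch, timezone.utc)
    # Calendar fields are local time, the epoch is UTC: the difference is the offset.
    local = datetime(year, month, day, hour, utc.minute, utc.second, tzinfo=timezone.utc)
    offset = round((local - utc).total_seconds() / 3600)
    return {"local_hour": hour, "epoch": epoch,
            "utc": utc.isoformat(), "utc_offset_hours": offset}


def unpredictable_suffix(nbytes: int = 16) -> str:
    """Hardened alternative: a suffix from the OS CSPRNG instead of the clock."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    sample = "2010121315121292277769"  # suffix quoted on this page
    print(parse_suffix(sample))
    # Every digit is determined by the epoch second and the timezone offset.
    print(backup_suffix(1292277769, utc_offset_hours=-7) == sample)
    print(unpredictable_suffix())
```

The decoded sample has an hour field of 15 while its epoch value corresponds to 22:02:49 UTC, so a mismatch between the browser's and the server's timezone shifts only the calendar digits, not the %s part.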

The javascript in the html page

The script first loads http://networkspace.lan/cgi-bin/admin/config in an iframe, and as soon as it's loaded it will start the backup action by loading the backup page in a hidden iframe. Then the user is asked to copy the timestamp from the config page to an edit box, and the script will try 30 consecutive seconds, starting at the given timestamp, to guess the right URL of the script copied from openshare.

The to_be_copied/to_be_executed script on openshare

This script will generate a page with a green background, so you can see a green flash when it's executed. Then it will extract dropbear.tgz to /, start dropbear, and reset the root password to 'root'.

When it fails

When the embedded JavaScript fails to find the right URL, it either couldn't parse the given timestamp (I tried it on Firefox and Opera), or there is something wrong with the timezone. I'm not sure if the NAS handles daylight saving time. You could try to put both your computer and the NAS on UTC (restart the browser after that).