버팔로 나스의 경우 root 비번을 공개하지 않아, 제품이 나올경우 유저들이 해킹이나 커스텀 펌웨어를 제작하는 등의 방법을 이용하여 root를 획득하고 있습니다.
LS-WXL의 경우도 몇가지 방법이 나와있는데요. 가장 쉬운방법이라고 생각되는 것이 마침 네이버 넷하드 카페에 올라왔습니다.
(http://cafe.naver.com/networkhard/7061)
약간의 삽질을 한 결과 만족스럽게 ssh를 이용하여 root로 접근할수 있었는데요.
이 방법을 소개한 원문은 글 하단에 소개해놓았습니다.
간단히 소개하자면.
1. LS-WXL의 웹서버를 활성화 한다.
기본적인 웹서버는 아마 81번 포트로 설정이 되어있을 것입니다.
2. 웹서버의 활성화시 설정한 기본 디렉토리 내의 htdocs에 phpshell을 받아서 압축해제 후 복사한다.
http://phpshell.sourceforge.net/ 에서 phpshell을 받을수 있습니다.
또한, config.php에서 아래와 같은 형식으로 아이디와 비번을 설정해줘야 합니다.
[users]
root = 123456
root = 123456
3. 웹브라우저를 통하여 웹서버의 phpshell에 접속한다.
http://나스주소/phpshell/phpshell.php 에 접속한 후 위 2.에서 설정한 아이디와 비번으로 접속을 합니다.
4. phpshell에서 /etc/pam.d/sshd 파일을 접근하게 설정한다.
phpshell에서는 기본적으로 웹서버의 문서가 들어있는 htdocs 디렉토리를 벗어나지 못합니다.
그러나 shell명령어를 통해서 약간의 기교(?)를 부려 sshd에 접근을 할수 있습니다.
ln -s /etc/pam.d/sshd /raid/www/htdocs/sshd
위와 같이 쓰고 Execute Command를 실행합니다.
그러면 웹 문서가 들어있는 곳인 htdocs로 sshd를 심볼링 링크를 걸어주게 됩니다.
이렇게 해서 sshd를 심볼링 링크를 통해서 접근할수 있습니다.
5. sshd를 로컬 공유로 접근하여 에디터를 이용하여 다음과 같이 수정한다.
<초기 sshd의 파일 내용>
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#auth required pam_smb_auth.so debug
#auth required pam_unix.so nullok
auth required pam_unix.so
#auth required pam_winbind.so debug
account required pam_unix.so
#account required pam_winbind.so
session required pam_unix.so
#auth required pam_smb_auth.so debug
#auth required pam_unix.so nullok
auth required pam_unix.so
#auth required pam_winbind.so debug
account required pam_unix.so
#account required pam_winbind.so
session required pam_unix.so
<수정된 sshd의 파일 내용>
#auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#auth required pam_smb_auth.so debug
#auth required pam_unix.so nullok
#auth required pam_unix.so
#auth required pam_winbind.so debug
auth required pam_permit.so
account required pam_unix.so
#account required pam_winbind.so
session required pam_unix.so
#auth required pam_smb_auth.so debug
#auth required pam_unix.so nullok
#auth required pam_unix.so
#auth required pam_winbind.so debug
auth required pam_permit.so
account required pam_unix.so
#account required pam_winbind.so
session required pam_unix.so
여기서 주의 할점은 unix text파일이라 줄바꿈을 조심해야 합니다.
메모장에서 보면 줄바꿈 코드가 보일겁니다.
6. ssh 지원 client를 통하여 접속을 합니다.
putty나 winscp, secureCRT 등을 통하여 ssh로 접속을합니다.
아이디에서 root를 적으면 비번을 물어보지 않고 자동 root shell로 접속하게 됩니다.
이 설정은 nas를 리붓하게 되면 다시 되돌아간다고 합니다.
따라서 원문 글에서는 SSH key를 root 홈에서 설정하면 해결할수 있다고 소개하고 있습니다.
근데 굳이 매번 root를 접속할 필요가 없고, 한번 켜놓으면 리붓할 일이 많지 않다보니 꼭 설정할 필요는 없네요. ^^
================
원문 글 : http://forum.buffalo.nas-central.org/viewtopic.php?f=37&t=21497
Hi all,
after playing around for about one week with my new LinkStation DUO I finally succeeded to gain full control!
The best about that: no modified FW, no need to use acp_commander (it doesn't work anyway).
Well, I'm new to this forum and even kind of newbie to LinkStation hacking.
I got a lot of information from the forum - with limited use for the new LinkStation DUO - so I want to contribute with my knowledge so far.
My LinkStation DUO is running FW version 1.22, that is the latest version for this model available from the Buffalo support site.
I tried to gain full (root) access with acp_commander, but it did not work with my device; I assume that this security hole was closed.
I looked through all configuration options, realized that SSH service is active during normal operation, but was not able to login:
- login as root does not work due to not knowing the password
- login as other user was denied by simply closing the connection
The trick to get it work is based on the possibility to configure a web server on the device.
- Configure a share 'www'
- Configure a web server on port 81 using that share
It is possible to run PHP scripts with that web server.
It comes configure by default with an 'index.php' that shows the phpinfo()!
Next I installed the PHP Shell (-> google) and was able to look through the filesystem with a SHELL like interface.
Then I found that the file /etc/pam.d/sshd was installed world writable and voila! ... the device was mine!
Next I installed a simple PHP file manager that enabled me to edit files via the web browser.
I changed the file /etc/pam.d/sshd as follows:
- comment out all lines that begin with 'auth'
- add the line: auth required pam_permit.so
Now I was able to login as root with no password: ssh root@linkstation
But be careful: the file /etc/pam.d/sshd gets re-created each time the system starts up.
Best way to get permanent root access is to install your SSH public key in the 'authorized_keys' file.
# mkdir /root/.ssh
# chmod 700 /root/.ssh
... install your SSH public key in /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
after playing around for about one week with my new LinkStation DUO I finally succeeded to gain full control!
The best about that: no modified FW, no need to use acp_commander (it doesn't work anyway).
Well, I'm new to this forum and even kind of newbie to LinkStation hacking.
I got a lot of information from the forum - with limited use for the new LinkStation DUO - so I want to contribute with my knowledge so far.
My LinkStation DUO is running FW version 1.22, that is the latest version for this model available from the Buffalo support site.
I tried to gain full (root) access with acp_commander, but it did not work with my device; I assume that this security hole was closed.
I looked through all configuration options, realized that SSH service is active during normal operation, but was not able to login:
- login as root does not work due to not knowing the password
- login as other user was denied by simply closing the connection
The trick to get it work is based on the possibility to configure a web server on the device.
- Configure a share 'www'
- Configure a web server on port 81 using that share
It is possible to run PHP scripts with that web server.
It comes configure by default with an 'index.php' that shows the phpinfo()!
Next I installed the PHP Shell (-> google) and was able to look through the filesystem with a SHELL like interface.
Then I found that the file /etc/pam.d/sshd was installed world writable and voila! ... the device was mine!
Next I installed a simple PHP file manager that enabled me to edit files via the web browser.
I changed the file /etc/pam.d/sshd as follows:
- comment out all lines that begin with 'auth'
- add the line: auth required pam_permit.so
Now I was able to login as root with no password: ssh root@linkstation
But be careful: the file /etc/pam.d/sshd gets re-created each time the system starts up.
Best way to get permanent root access is to install your SSH public key in the 'authorized_keys' file.
# mkdir /root/.ssh
# chmod 700 /root/.ssh
... install your SSH public key in /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
'IT & Smart Phone > IT...' 카테고리의 다른 글
| BUFFALO NAS 링크스테이션 DUO LS-WXL/E-AP 펌웨어(Firmware) 1.26 으로 업데이트.. (1) | 2010.04.28 |
|---|---|
| 빠이네 집 홈네트워크... ^^ (1) | 2010.04.17 |
| BUFFALO 링크스테이션 DUO LS-WXL/E-AP의 phpinfo(); 결과 (0) | 2010.04.08 |
| BUFFALO 링크스테이션 DUO LS-WXL/E-AP 간단 사용기. (4) | 2010.04.08 |
| 샌디스크 크루저 컨투어 익스트림 16기가... (0) | 2010.03.16 |
