2008-09-21 Filed under: Computers — mike @ 14:42

This works for me. Mike.

http://dansimms.wordpress.com/2008/06/29/breaking-open-the-ns4300n/

Breaking open the NS4300N
Published June 29, 2008 Uncategorized
Tags: NS4300N, Security

You’ll no doubt have seen the excellent article detailing how to gain root access to the NS4300N.

http://www.bogus.net/~torh/unsorted/index.html

Unfortunately these hacks no longer function on the latest version of the firmware (latest version at time of writing is 01.04.0000.11).

There are, however, other ways to gain access to the NS4300N. After an hour or so experimenting I’ve managed to get root access again.

The instructions are below:

1) Configure NFS support on your NS4300N;

2) Install the latest DLNA plugin (downloaded from the Promise Web site);

3) Mount the PLUGINAPP share from another Linux or Unix server. I used the following command on Kubuntu:

mount [IP of NS4300N]:/VOLUME1/PLUGINAPP /tmp/ns4300n

e.g. mount 192.168.0.2:/VOLUME1/PLUGINAPP /tmp/ns4300n

4) Edit the following file:

/tmp/ns4300n/DLNA/.server/dlna

Add the following lines

system qq(sudo cp /etc/passwd /tmp/passwd);
system qq(sudo sed -e 's/engsh/sh/g' /tmp/passwd > /tmp/passwd.wks);
system qq(sudo cp /tmp/passwd.wks /etc/passwd);

after

system("/usr/sbin/reflashhost >/dev/null 2>/dev/null");

It should look something like this:

#!/usr/bin/perl

$app_path = $ENV{'APP_PATH'};
#print "APP_PATH = $app_path\n";

$action = $ARGV[0];

if ( $action eq "start") {
    system("/usr/sbin/reflashhost >/dev/null 2>/dev/null");

    # Added lines: rewrite /etc/passwd so the engsh login shell becomes sh
    system qq(sudo cp /etc/passwd /tmp/passwd);
    system qq(sudo sed -e 's/engsh/sh/g' /tmp/passwd > /tmp/passwd.wks);
    system qq(sudo cp /tmp/passwd.wks /etc/passwd);

    system("$app_path/.server/chkdefdir >/dev/null 2>/dev/null");

    open(RUN,"/bin/ps -e |");
    while(<RUN>){

..

4.5) I go ahead and set the uid to 0 to gain full root privs.

5) Start your DLNA server

6) Now try and telnet to your device on port 2380

e.g. telnet 192.168.0.2 2380

login: engmode

password: hawk201

Hey presto you have full root access.

The hack simply replaces the special engineering mode shell with the standard shell giving you full access to the unit.

Have fun and let me know how you get on with this hack

A quick look around yields the rsyncd.conf (created when you enable the NAS as a backup server) revealing the rsync uid/password needed to rsync directly to/from the NAS via the rsync port 873 - Mike
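
A check for the end state this procedure leaves behind, added here as an example (not part of the original post or the device firmware): it flags an engmode entry whose shell no longer ends in engsh, any non-root account with uid 0, and start-script lines that name /etc/passwd. The function names, the /bin/engsh path and the sample entries are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a passwd file and a plugin
# start script for the changes the post describes.
# Assumptions: account name "engmode" (from the login prompt above) and a stock
# shell path ending in "engsh"; all sample paths and entries are constructed.

# Print one finding per line:
#   SHELL_SWAPPED <user> <shell>  engmode's shell no longer ends in "engsh"
#   UID0 <user>                   a non-root account has uid 0 (step 4.5)
audit_passwd() {
    awk -F: '
        $1 == "engmode" && $7 !~ /engsh$/ { print "SHELL_SWAPPED", $1, $7 }
        $1 != "root" && $3 == 0           { print "UID0", $1 }
    ' "$1"
}

# Print "PASSWD_REF <line-number>" for each script line that names /etc/passwd.
audit_plugin_script() {
    grep -n '/etc/passwd' "$1" | cut -d: -f1 | sed 's/^/PASSWD_REF /'
}

# Constructed sample data: a stock-looking passwd, the modified end state,
# and a start script carrying the three added lines.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd.stock" <<'EOF'
root:x:0:0:root:/root:/bin/sh
engmode:x:500:500:engineering:/home/engmode:/bin/engsh
EOF
cat > "$demo_dir/passwd.modified" <<'EOF'
root:x:0:0:root:/root:/bin/sh
engmode:x:0:500:engineering:/home/engmode:/bin/sh
EOF
cat > "$demo_dir/dlna" <<'EOF'
#!/usr/bin/perl
system("/usr/sbin/reflashhost >/dev/null 2>/dev/null");
system qq(sudo cp /etc/passwd /tmp/passwd);
system qq(sudo sed -e 's/engsh/sh/g' /tmp/passwd > /tmp/passwd.wks);
system qq(sudo cp /tmp/passwd.wks /etc/passwd);
EOF

audit_passwd "$demo_dir/passwd.stock"
audit_passwd "$demo_dir/passwd.modified"
audit_plugin_script "$demo_dir/dlna"
```

On the device itself the same functions would be pointed at /etc/passwd and at the dlna script under the mounted PLUGINAPP share.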
