Sunday, May 29, 2011

Hacking the Promise SmartStor NS4600

I had success exploiting the MLDonkey hack to get telnet access working for the admin account, but had to repeat the commands every time I wanted telnet access, which became a pain (especially since I don't leave BitTorrent running).

I spent a little time digging into how this box works and added some notes below, but for those who just want to enable telnet for good, skip down to 'The Script' section.


Disclaimer: if you change things on your NAS you have the very real chance of turning it into a bookend.  This will definitely void your warranty from Promise, so use at your own risk!  


The Details
This box had three flash memory devices:

/dev/mtdblock4
Is a flash device which contains a file named usr_sqfs.  This file contains a squashfs loopback filesystem.  This file gets mounted read-only at /usr and contains the /usr/sbin/chkhttpd shell script which rewrites /etc/telnet.user.  This script gets run every minute as a cron job, which is why telnet.user keeps getting reset and telnet access keeps getting disabled.

/dev/mtdblock6
Is also a flash device which contains a file named app_sqfs.  This file gets mounted read-only at /promise.  This directory looks to contain mostly the webapp for system configuration and other apps -- not real interesting for the goal of permanently enabling telnet.

/dev/mtdblock5  
Is yet another flash device that gets mounted directly to /dev and is read-write.  Files from here overwrite files in /etc and /usr on boot. This is definitely interesting.

The Idea
Since we can't change /usr/sbin/chkhttpd directly, the plan is to utilize cron to help us undo the telnet restrictions.  We do this by placing a script somewhere on the filesystem and modifying /data/usr/crontab (which is on the writable flash drive) to run our script right after the /usr/sbin/chkhttpd script is run.

The Script 
This creates an executable script to enable telnet access to the admin user.  Cut & paste this script into your telnet terminal. This will add the admin_telnet.sh script to your filesystem. Then add the following line to /data/etc/crontab:

* * * * *       root    /VOLUME1/homes/admin/etc/cron.d/admin_telnet.sh >/dev/null 2>/dev/null

Add it after the chkhttpd line.  This will ensure the script runs when needed.  To test, reboot your NAS and verify that telnet is still enabled.
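
Seen from the review side, the mechanism above means that any cron job whose command lives on writable storage survives reboots and can be changed without touching the read-only firmware. The following check lists such jobs; it is an added example, not part of the original post or the NAS firmware. It assumes the system-crontab layout of the line above (five time fields, user, command), treats only /usr and /promise as read-only per The Details, and runs against a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the original post or the NAS firmware.
# Assumption: only /usr and /promise are read-only (the squashfs mounts
# described in "The Details"); every other location is treated as writable.

# audit_crontab FILE
# Reads a system crontab (5 time fields, user, command) and prints
# "USER COMMAND" for each job whose command is not under a read-only mount.
# Returns 1 if at least one job was flagged, 0 otherwise.
audit_crontab() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        NF >= 7 && $7 !~ /^\/(usr|promise)\// {
            print $6, $7                                 # user, command path
            flagged = 1
        }
        END { exit flagged + 0 }
    ' "$1"
}

# write_sample FILE: constructed sample crontab reusing the two job lines
# quoted on this page.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
SHELL=/bin/sh
* * * * * root /usr/sbin/chkhttpd >/dev/null 2>/dev/null
* * * * *       root    /VOLUME1/homes/admin/etc/cron.d/admin_telnet.sh >/dev/null 2>/dev/null
EOF
}

# Demo: audit the sample, then clean up.
sample="${TMPDIR:-/tmp}/crontab.sample.$$"
write_sample "$sample"
audit_crontab "$sample" || echo "jobs above run from writable storage"
rm -f "$sample"
```

On a real unit, point audit_crontab at the crontab copy kept on the writable flash and compare the flagged entries against the jobs you added yourself.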

Good luck!

2 comments:

Expectation said...

Since we can replace the /etc/crontab of ns4600, it might be a good idea to just modify the crontab to run our own chkhttp.

Such as:
1. cp /usr/sbin/chkhttp /VOLUME1/homes/admin/chkhttp
2. remove the /etc/telnet.user statements in /VOLUME1/homes/admin/chkhttp
------
#open(OUT,">/etc/telnet.user");
#print OUT "root\n";
#print OUT "engmode\n";
#close(OUT);
------
3. run our chkhttp, instead of the original, in crontab
#* * * * * root /usr/sbin/chkhttpd >/dev/null 2>/dev/null
* * * * * root /VOLUME1/homes/admin/chkhttpd >/dev/null 2>/dev/null

It's done!

Anonymous said...

I found a more straightforward way to do this.

1. Edit /etc/profile to remove the lines that check that user is in the telnet.user file.

2. Copy /etc/profile to /data/etc so that it will be restored on bootup.

3. Edit /etc/sudoers to add whatever users you like to the list.

4. Copy /etc/sudoers to /data/etc so that it will be restored on bootup.

Now, you can leave the chkhttpd script alone. It'll keep forcing the telnet.user file, but nothing looks at that anymore.

Of course, to do all that, you need root access. Probably the quickest way is through the cmd line at http://ns4600_ip_addr:4080. Best to copy the 2 files to the PUBLIC share and edit them externally. Then copy them back.