Loading ...
Sorry, an error occurred while loading the content.

3917Re: Howto gain root access to the LInkstation

Expand Messages
  • cs_h1
    Aug 18 10:28 AM
    • 0 Attachment
      Media server up and running - just got to sort shoutcast out

      --- In LinkStation_General@yahoogroups.com, "cs_h1" <cs_h1@y...>
      wrote:
      > Done all this for LSII - how do you actually start the music server?
      >
      >
      >
      > --- In LinkStation_General@yahoogroups.com, "Thom Mason"
      > <t.e.mason@c...> wrote:
      > > dtaubert on the Roku Forums figured out a backdoor into the
      > > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?
      > t=186):
      > >
      > > The 1.44 firmware update has telnet access enabled. You can
      login
      > > using a user account setup through the Admin web interface.
      > > dtauberts poking around revealed:
      > >
      > > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
      > > COMMAND
      > > root 373 0.0 0.8 2132 536 ? SN Sep16
      > > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf
      > >
      > > $ cat /etc/thttpd.conf
      > > dir=/www
      > > user=root
      > > logfile=/var/log/thttpd.log
      > > pidfile=/var/run/thttpd.pid
      > > port=80
      > > charset=
      > > cgipat=/cgi-bin*/*
      > >
      > > $ ls -ald /www
      > > drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www
      > >
      > > In other words:
      > >
      > > 1) The http server is run as root.
      > > 2) The cgipat contains a wildcard in the directory name.
      > > 3) The /www directory is writable by all.
      > >
      > > mkdir /www/cgi-bin3 and plop a script in (it will run as root).
      > You
      > > can either make a scipt to change access for /etc/passwd:
      > >
      > > #! /bin/sh
      > > chmod 666 /etc/passwd
      > >
      > > and then paste it into you browser:
      > >
      > > http://buffalo/cgi-bin3/accesspass.sh
      > >
      > > making sure the script is set as executable or make a script
      > copying
      > > a modified passwd file to /etc/passwd.
      > >
      > > You can then change the root password to a known encrypted one
      such
      > > as the one for the user account you used to gain telnet access.
      > > vi works although you may need to set TERM to vt100 since there
      > > doesn't appear to be a termcap entry for xterm (depends on you
      > > telnet client emulation).
      > >
      > > Thom
    • Show all 6 messages in this topic