Loading ...
Sorry, an error occurred while loading the content.

Howto gain root access to the LInkstation

Expand Messages
  • Thom Mason
    dtaubert on the Roku Forums figured out a backdoor into the Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?t=186): The 1.44 firmware update has
    Message 1 of 6 , Sep 21 11:26 AM
    • 0 Attachment
      dtaubert on the Roku Forums figured out a backdoor into the
      Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?t=186):

      The 1.44 firmware update has telnet access enabled. You can login
      using a user account setup through the Admin web interface.
      dtauberts poking around revealed:

      USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
      COMMAND
      root 373 0.0 0.8 2132 536 ? SN Sep16
      0:01 /usr/sbin/thttpd -C /etc/thttpd.conf

      $ cat /etc/thttpd.conf
      dir=/www
      user=root
      logfile=/var/log/thttpd.log
      pidfile=/var/run/thttpd.pid
      port=80
      charset=
      cgipat=/cgi-bin*/*

      $ ls -ald /www
      drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www

      In other words:

      1) The http server is run as root.
      2) The cgipat contains a wildcard in the directory name.
      3) The /www directory is writable by all.

      mkdir /www/cgi-bin3 and plop a script in (it will run as root). You
      can either make a scipt to change access for /etc/passwd:

      #! /bin/sh
      chmod 666 /etc/passwd

      and then paste it into you browser:

      http://buffalo/cgi-bin3/accesspass.sh

      making sure the script is set as executable or make a script copying
      a modified passwd file to /etc/passwd.

      You can then change the root password to a known encrypted one such
      as the one for the user account you used to gain telnet access.
      vi works although you may need to set TERM to vt100 since there
      doesn't appear to be a termcap entry for xterm (depends on you
      telnet client emulation).

      Thom
    • stuart_stegall
      Do you know what the boot process is yet?? Also can you post a dmesg?
      Message 2 of 6 , Sep 21 1:37 PM
      • 0 Attachment
        Do you know what the boot process is yet?? Also can you post a dmesg?

        --- In LinkStation_General@yahoogroups.com, "Thom Mason"
        <t.e.mason@c...> wrote:
        > dtaubert on the Roku Forums figured out a backdoor into the
        > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?t=186):
        >
        > The 1.44 firmware update has telnet access enabled. You can login
        > using a user account setup through the Admin web interface.
        > dtauberts poking around revealed:
        >
        > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
        > COMMAND
        > root 373 0.0 0.8 2132 536 ? SN Sep16
        > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf
        >
        > $ cat /etc/thttpd.conf
        > dir=/www
        > user=root
        > logfile=/var/log/thttpd.log
        > pidfile=/var/run/thttpd.pid
        > port=80
        > charset=
        > cgipat=/cgi-bin*/*
        >
        > $ ls -ald /www
        > drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www
        >
        > In other words:
        >
        > 1) The http server is run as root.
        > 2) The cgipat contains a wildcard in the directory name.
        > 3) The /www directory is writable by all.
        >
        > mkdir /www/cgi-bin3 and plop a script in (it will run as root). You
        > can either make a scipt to change access for /etc/passwd:
        >
        > #! /bin/sh
        > chmod 666 /etc/passwd
        >
        > and then paste it into you browser:
        >
        > http://buffalo/cgi-bin3/accesspass.sh
        >
        > making sure the script is set as executable or make a script copying
        > a modified passwd file to /etc/passwd.
        >
        > You can then change the root password to a known encrypted one such
        > as the one for the user account you used to gain telnet access.
        > vi works although you may need to set TERM to vt100 since there
        > doesn't appear to be a termcap entry for xterm (depends on you
        > telnet client emulation).
        >
        > Thom
      • Thom Mason
        Here s the log file which gives some indication of the bootsequence dmesg isn t there (another thing for the to do list): Sep 21 05:05:53 BUFFALO
        Message 3 of 6 , Sep 21 2:01 PM
        • 0 Attachment
          Here's the log file which gives some indication of the bootsequence
          dmesg isn't there (another thing for the to do list):

          Sep 21 05:05:53 BUFFALO linkstation[178]: Started ap_servd
          Sep 21 05:05:54 BUFFALO linkstation[184]: Started inetd
          Sep 21 05:05:54 BUFFALO linkstation[188]: Started thttpd
          Sep 21 05:05:54 BUFFALO linkstation[194]: Started lpd
          Sep 21 05:05:54 BUFFALO linkstation[201]: Started ekpd
          Sep 21 05:05:54 BUFFALO linkstation[208]: Started cron
          Sep 21 05:05:56 BUFFALO linkstation[226]: Started smbd nmbd
          Sep 21 05:05:56 BUFFALO linkstation[228]: Not started proftpd
          Sep 21 05:05:57 BUFFALO linkstation[233]: Started ppc_uartd
          Sep 21 05:06:39 BUFFALO linkstation[244]: Started atalkd papd afpd
          Sep 21 05:06:41 BUFFALO linkstation[245]: [TOP] View page from
          RemoteAddr:192.168.15.52, RemoteHost:.
          Sep 21 05:07:22 BUFFALO linkstation[290]: [Success] Change TimeZone
          to GMT+5.
          Sep 21 00:07:18 BUFFALO linkstation[297]: [Success] Change date to
          2004/9/21 0:7:18.
          Sep 21 00:07:18 BUFFALO linkstation[298]: [Success] Change Locale to
          CP437.
          Sep 21 00:07:18 BUFFALO linkstation[312]: Stopped thttpd
          Sep 21 00:07:19 BUFFALO linkstation[317]: Started thttpd
          Sep 21 00:07:21 BUFFALO linkstation[341]: Started smbd nmbd winbindd
          Sep 21 00:07:21 BUFFALO linkstation[346]: Started smbd nmbd
          Sep 21 00:07:21 BUFFALO linkstation[358]: Stopped atalkd papd afpd
          Sep 21 00:07:22 BUFFALO linkstation[369]: Stopped proftpd wu-ftpd
          Sep 21 00:07:23 BUFFALO linkstation[371]: Not started proftpd
          Sep 21 00:07:23 BUFFALO linkstation[372]: [TOP] View page from
          RemoteAddr:192.168.15.52, RemoteHost:.
          Sep 21 00:08:06 BUFFALO linkstation[421]: Started atalkd papd afpd
          Sep 21 00:08:08 BUFFALO linkstation[424]: [TOP] View page from
          RemoteAddr:192.168.15.52, RemoteHost:.
          Sep 21 00:08:21 BUFFALO linkstation[469]: [Success] Delete all job
          from crontab.
          Sep 21 00:08:21 BUFFALO linkstation[472]: [Success] Change sleep
          timer status to OFF.
          Sep 21 00:08:21 BUFFALO linkstation[477]: Stopped ap_servd
          Sep 21 00:08:21 BUFFALO linkstation[482]: Started ap_servd
          Sep 21 00:08:23 BUFFALO linkstation[495]: [TOP] View page from
          RemoteAddr:192.168.15.52, RemoteHost:.
          Sep 21 00:08:47 BUFFALO linkstation[578]: [Status] Start detail disk
          check.
          Sep 21 00:08:47 BUFFALO linkstation[581]: [Status] Finish detail
          disk check.
          Sep 21 00:08:47 BUFFALO linkstation[589]: Started smbd nmbd winbindd
          Sep 21 00:08:48 BUFFALO linkstation[600]: Stopped atalkd papd afpd
          Sep 21 00:08:48 BUFFALO linkstation[603]: Stopped thttpd
          Sep 21 00:08:54 BUFFALO linkstation[626]: Stopped cron
          Sep 21 00:08:54 BUFFALO linkstation[629]: Stopped inetd
          Sep 21 00:08:54 BUFFALO linkstation[632]: Stopped thttpd
          Sep 21 00:08:55 BUFFALO linkstation[638]: Stopped lpd
          Sep 21 00:08:55 BUFFALO linkstation[642]: Stopped ekpd
          Sep 21 00:08:55 BUFFALO linkstation[653]: Stopped atalkd papd afpd
          Sep 21 00:09:31 BUFFALO linkstation[178]: Started ap_servd
          Sep 21 00:09:32 BUFFALO linkstation[184]: Started inetd
          Sep 21 00:09:32 BUFFALO linkstation[188]: Started thttpd
          Sep 21 00:09:32 BUFFALO linkstation[194]: Started lpd
          Sep 21 00:09:32 BUFFALO linkstation[201]: Started ekpd
          Sep 21 00:09:32 BUFFALO linkstation[208]: Started cron
          Sep 21 00:09:34 BUFFALO linkstation[226]: Started smbd nmbd
          Sep 21 00:09:34 BUFFALO linkstation[228]: Not started proftpd
          Sep 21 00:09:35 BUFFALO linkstation[233]: Started ppc_uartd
          Sep 21 00:10:17 BUFFALO linkstation[242]: Started atalkd papd afpd
          Sep 21 04:06:24 BUFFALO time calibration[253]: done. 2004/ 9/21 9:
          6:24, -5:0
          Sep 21 04:06:24 BUFFALO linkstation[257]: Stopped ppc_uartd
          Sep 21 04:06:25 BUFFALO linkstation[261]: Started ppc_uartd
          Sep 21 07:17:41 BUFFALO linkstation[270]: [TOP] View page from
          RemoteAddr:192.168.15.52, RemoteHost:.
          Sep 21 07:38:05 BUFFALO linkstation[344]: [TOP] View page from
          RemoteAddr:192.168.15.52, RemoteHost:.
          Sep 21 07:43:19 BUFFALO linkstation[420]: Stopped proftpd wu-ftpd
          Sep 21 07:43:19 BUFFALO linkstation[421]: [Success] Change FTP
          server status to on.
          Sep 21 07:43:19 BUFFALO linkstation[422]: [Success] Change FTP
          server type to pr.
          Sep 21 07:43:20 BUFFALO linkstation[431]: Stopped proftpd wu-ftpd
          Sep 21 07:43:20 BUFFALO linkstation[442]: Started proftpd

          --- In LinkStation_General@yahoogroups.com, "stuart_stegall"
          <stuart@f...> wrote:
          > Do you know what the boot process is yet?? Also can you post a
          dmesg?
          >
        • Derek Taubert
          Try this one on for size: Sep 16 23:39:16 HD-HLANA09 syslogd 1.3-3: restart. Sep 16 23:39:16 HD-HLANA09 kernel: klogd 1.3-3, log source = /proc/kmsg started.
          Message 4 of 6 , Sep 21 2:24 PM
          • 0 Attachment
            Try this one on for size:

            Sep 16 23:39:16 HD-HLANA09 syslogd 1.3-3: restart.
            Sep 16 23:39:16 HD-HLANA09 kernel: klogd 1.3-3, log source = /proc/kmsg started.
            Sep 16 23:39:16 HD-HLANA09 kernel: Memory BAT mapping: BAT2=64Mb, BAT3=0Mb, residual: 0Mb
            Sep 16 23:39:16 HD-HLANA09 kernel: Linux version 2.4.17_mvl21-sandpoint (root@toda_dev.melcoinc.co.jp) (gcc version 2.95.3 20010315 (release/MontaVista)) #990 2004 5 21 13:39:00 JST
            Sep 16 23:39:16 HD-HLANA09 kernel: BUFFALO Network Attached Storage Series
            Sep 16 23:39:16 HD-HLANA09 kernel: 2002-2004 BUFFALO INC.
            Sep 16 23:39:16 HD-HLANA09 kernel: On node 0 totalpages: 16384
            Sep 16 23:39:16 HD-HLANA09 kernel: zone(0): 16384 pages.
            Sep 16 23:39:16 HD-HLANA09 kernel: zone(1): 0 pages.
            Sep 16 23:39:16 HD-HLANA09 kernel: zone(2): 0 pages.
            Sep 16 23:39:16 HD-HLANA09 kernel: Kernel command line: root=/dev/hda1
            Sep 16 23:39:16 HD-HLANA09 kernel: OpenPIC Version 1.2 (1 CPUs and 139 IRQ sources) at 80040000
            Sep 16 23:39:16 HD-HLANA09 kernel: decrementer frequency = 24.519423 MHz
            Sep 16 23:39:16 HD-HLANA09 kernel: rtc sec count 1095377944
            Sep 16 23:39:16 HD-HLANA09 kernel: Calibrating delay loop... 130.66 BogoMIPS
            Sep 16 23:39:16 HD-HLANA09 kernel: Memory: 60356k available (1332k kernel code, 568k data, 192k init, 0k highmem)
            Sep 16 23:39:16 HD-HLANA09 kernel: Dentry-cache hash table entries: 8192 (order: 4, 65536 bytes)
            Sep 16 23:39:16 HD-HLANA09 kernel: Inode-cache hash table entries: 4096 (order: 3, 32768 bytes)
            Sep 16 23:39:16 HD-HLANA09 kernel: Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
            Sep 16 23:39:16 HD-HLANA09 kernel: Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
            Sep 16 23:39:16 HD-HLANA09 kernel: Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
            Sep 16 23:39:16 HD-HLANA09 kernel: POSIX conformance testing by UNIFIX
            Sep 16 23:39:16 HD-HLANA09 kernel: PCI: Probing PCI hardware
            Sep 16 23:39:16 HD-HLANA09 kernel: Linux NET4.0 for Linux 2.4
            Sep 16 23:39:16 HD-HLANA09 kernel: Based upon Swansea University Computer Society NET3.039
            Sep 16 23:39:16 HD-HLANA09 kernel: Initializing RT netlink socket
            Sep 16 23:39:16 HD-HLANA09 kernel: Starting kswapd
            Sep 16 23:39:16 HD-HLANA09 kernel: Disabling the Out Of Memory Killer
            Sep 16 23:39:16 HD-HLANA09 kernel: Journalled Block Device driver loaded
            Sep 16 23:39:16 HD-HLANA09 kernel: pty: 256 Unix98 ptys configured
            Sep 16 23:39:16 HD-HLANA09 kernel: MELCO INC. RTC driver ver 1.00
            Sep 16 23:39:16 HD-HLANA09 kernel: Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
            Sep 16 23:39:16 HD-HLANA09 kernel: ttyS00 at 0x80004600 (irq = 138) is a 16550A
            Sep 16 23:39:16 HD-HLANA09 kernel: ttyS01 at 0x80004500 (irq = 137) is a 16550A
            Sep 16 23:39:16 HD-HLANA09 kernel: block: 128 slots per queue, batch=32
            Sep 16 23:39:16 HD-HLANA09 kernel: RAMDISK driver initialized: 16 RAM disks of 10000K size 1024 blocksize
            Sep 16 23:39:16 HD-HLANA09 kernel: Uniform Multi-Platform E-IDE driver Revision: 6.31
            Sep 16 23:39:16 HD-HLANA09 kernel: ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
            Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: IDE controller on PCI bus 00 dev 60
            Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: chipset revision 2
            Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: 100% native mode on irq 17
            Sep 16 23:39:16 HD-HLANA09 kernel: ide0: BM-DMA at 0xbffed0-0xbffed7, BIOS settings: hda:pio, hdb:pio
            Sep 16 23:39:16 HD-HLANA09 kernel: ide1: BM-DMA at 0xbffed8-0xbffedf, BIOS settings: hdc:pio, hdd:pio
            Sep 16 23:39:16 HD-HLANA09 kernel: hda: SAMSUNG SV1203N, ATA DISK drive
            Sep 16 23:39:16 HD-HLANA09 kernel: ide0 at 0xbffef8-0xbffeff,0xbffef6 on irq 17
            Sep 16 23:39:16 HD-HLANA09 kernel: hda: 234493056 sectors (120060 MB) w/2048KiB Cache, CHS=14596/255/63, UDMA(100)
            Sep 16 23:39:16 HD-HLANA09 kernel: Partition check:
            Sep 16 23:39:16 HD-HLANA09 kernel: hda: hda1 hda2 hda3
            Sep 16 23:39:16 HD-HLANA09 kernel: FLASHDISK:Initialized [STMICRO M29W320DT]
            Sep 16 23:39:16 HD-HLANA09 kernel: Linux Tulip driver version 0.9.15-pre9 (Nov 6, 2001)
            Sep 16 23:39:16 HD-HLANA09 kernel: tulip0: MII transceiver #1 config 3100 status 7849 advertising 05e1.
            Sep 16 23:39:16 HD-HLANA09 kernel: eth0: ADMtek Comet rev 17 at 0xbfff00, 00:07:40:A4:BA:09, IRQ 16.
            Sep 16 23:39:16 HD-HLANA09 kernel: SCSI subsystem driver Revision: 1.00
            Sep 16 23:39:16 HD-HLANA09 kernel: request_module[scsi_hostadapter]: Root fs not mounted
            Sep 16 23:39:16 HD-HLANA09 kernel: request_module[scsi_hostadapter]: Root fs not mounted
            Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usbdevfs
            Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver hub
            Sep 16 23:39:16 HD-HLANA09 kernel: hcd.c: ehci-hcd @ 00:0e.2, PCI device 1033:00e0 (NEC Corporation)
            Sep 16 23:39:16 HD-HLANA09 kernel: hcd.c: irq 19, pci mem c5000f00
            Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus number 1
            Sep 16 23:39:16 HD-HLANA09 kernel: hcd/ehci-hcd.c: USB 2.0 support enabled, EHCI rev 1. 0
            Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found
            Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 5 ports detected
            Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: USB OHCI at membase 0xc5002000, IRQ 19
            Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: usb-00:0e.0, NEC Corporation USB
            Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus number 2
            Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found
            Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 3 ports detected
            Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: USB OHCI at membase 0xc5004000, IRQ 19
            Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: usb-00:0e.1, NEC Corporation USB (#2)
            Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus number 3
            Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found
            Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 2 ports detected
            Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usblp
            Sep 16 23:39:16 HD-HLANA09 kernel: printer.c: v0.11: USB Printer Device Class driver
            Sep 16 23:39:16 HD-HLANA09 kernel: Initializing USB Mass Storage driver...
            Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usb-storage
            Sep 16 23:39:16 HD-HLANA09 kernel: USB Mass Storage support registered.
            Sep 16 23:39:16 HD-HLANA09 kernel: NET4: Linux TCP/IP 1.0 for NET4.0
            Sep 16 23:39:16 HD-HLANA09 kernel: IP Protocols: ICMP, UDP, TCP, IGMP
            Sep 16 23:39:16 HD-HLANA09 kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
            Sep 16 23:39:16 HD-HLANA09 kernel: TCP: Hash tables configured (established 4096 bind 4096)
            Sep 16 23:39:16 HD-HLANA09 kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
            Sep 16 23:39:16 HD-HLANA09 kernel: NET4: AppleTalk 0.18a for Linux NET4.0
            Sep 16 23:39:16 HD-HLANA09 kernel: RAMDISK: Compressed image found at block 0
            Sep 16 23:39:16 HD-HLANA09 kernel: Freeing initrd memory: 1993k freed
            Sep 16 23:39:16 HD-HLANA09 kernel: fff70000:4f4b4f4b
            Sep 16 23:39:16 HD-HLANA09 kernel: VFS: Mounted root (ext2 filesystem).
            Sep 16 23:39:16 HD-HLANA09 kernel: fff70000:4f4b4f4b
            Sep 16 23:39:16 HD-HLANA09 kernel: kjournald starting. Commit interval 5 seconds
            Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data mode.
            Sep 16 23:39:16 HD-HLANA09 kernel: VFS: Mounted root (ext3 filesystem) readonly.
            Sep 16 23:39:16 HD-HLANA09 kernel: change_root: old root has d_count=2
            Sep 16 23:39:16 HD-HLANA09 kernel: Trying to unmount old root ... okay
            Sep 16 23:39:16 HD-HLANA09 kernel: Freeing unused kernel memory: 192k init
            Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: new USB device 00:0e.2-2, assigned address 2
            Sep 16 23:39:16 HD-HLANA09 kernel: scsi0 : SCSI emulation for USB Mass Storage devices
            Sep 16 23:39:16 HD-HLANA09 kernel: Vendor: WDC WD25 Model: 00JB-00GVA0 Rev: 0 0
            Sep 16 23:39:16 HD-HLANA09 kernel: Type: Direct-Access ANSI SCSI revision: 02
            Sep 16 23:39:16 HD-HLANA09 kernel: Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
            Sep 16 23:39:16 HD-HLANA09 kernel: SCSI device sda: 488397168 512-byte hdwr sectors (250059 MB)
            Sep 16 23:39:16 HD-HLANA09 kernel: sda:<7>usb-storage: task-switchin
            Sep 16 23:39:16 HD-HLANA09 kernel: sda1
            Sep 16 23:39:16 HD-HLANA09 kernel: Adding Swap: 257032k swap-space (priority -1)
            Sep 16 23:39:16 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on ide0(3,1), internal journal
            Sep 16 23:39:16 HD-HLANA09 kernel: kjournald starting. Commit interval 5 seconds
            Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs warning: checktime reached, running e2fsck is recommended
            Sep 16 23:39:16 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on ide0(3,3), internal journal
            Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data mode.
            Sep 16 23:39:16 HD-HLANA09 init: Entering runlevel: 2
            Sep 16 23:39:17 HD-HLANA09 modprobe: modprobe: Can't locate module printer
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: beep is defined as "off"
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: usb device is added
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: vendor:0x0 product:0x0 Dclass:0x9 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: The device match nothing in mapfile
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0 0x0 0x0 0x0 0x0 0x00000000
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: beep is defined as "off"
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: usb device is added
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: vendor:0x0 product:0x0 Dclass:0x9 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: The device match nothing in mapfile
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0 0x0 0x0 0x0 0x0 0x00000000
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: beep is defined as "off"
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: usb device is added
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: vendor:0x0 product:0x0 Dclass:0x9 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: The device match nothing in mapfile
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0 0x0 0x0 0x0 0x0 0x00000000
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: beep is defined as "off"
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: usb device is added
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: vendor:0x6e1 product:0xd835 Dclass:0x0 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x8 Isubclass:0x6 Iprotocol:0x32
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: The device match nothing in mapfile
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
            Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: MODULE 0x0383 0x6e1 0xd835 0 0 0x0 0x0 0x0 0x8 0x6 0x32 0x00000000
            Sep 16 23:39:17 HD-HLANA09 kernel: FAT: bogus logical sector size 0
            Sep 16 23:39:17 HD-HLANA09 kernel: VFS: Can't find a valid FAT filesystem on dev 08:01.
            Sep 16 23:39:17 HD-HLANA09 kernel: NTFS driver v1.1.21 [Flags: R/O MODULE]
            Sep 16 23:39:17 HD-HLANA09 kernel: kjournald starting. Commit interval 5 seconds
            Sep 16 23:39:17 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on sd(8,1), internal journal
            Sep 16 23:39:17 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data mode.
            Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: startup daemon
            Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: assigned intreface eth0
            Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: standalone mode

            Derek
          • cs_h1
            Done all this for LSII - how do you actually start the music server? ... You ... copying
            Message 5 of 6 , Aug 18, 2005
            • 0 Attachment
              Done all this for LSII - how do you actually start the music server?



              --- In LinkStation_General@yahoogroups.com, "Thom Mason"
              <t.e.mason@c...> wrote:
              > dtaubert on the Roku Forums figured out a backdoor into the
              > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?
              t=186):
              >
              > The 1.44 firmware update has telnet access enabled. You can login
              > using a user account setup through the Admin web interface.
              > dtauberts poking around revealed:
              >
              > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
              > COMMAND
              > root 373 0.0 0.8 2132 536 ? SN Sep16
              > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf
              >
              > $ cat /etc/thttpd.conf
              > dir=/www
              > user=root
              > logfile=/var/log/thttpd.log
              > pidfile=/var/run/thttpd.pid
              > port=80
              > charset=
              > cgipat=/cgi-bin*/*
              >
              > $ ls -ald /www
              > drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www
              >
              > In other words:
              >
              > 1) The http server is run as root.
              > 2) The cgipat contains a wildcard in the directory name.
              > 3) The /www directory is writable by all.
              >
              > mkdir /www/cgi-bin3 and plop a script in (it will run as root).
              You
              > can either make a scipt to change access for /etc/passwd:
              >
              > #! /bin/sh
              > chmod 666 /etc/passwd
              >
              > and then paste it into you browser:
              >
              > http://buffalo/cgi-bin3/accesspass.sh
              >
              > making sure the script is set as executable or make a script
              copying
              > a modified passwd file to /etc/passwd.
              >
              > You can then change the root password to a known encrypted one such
              > as the one for the user account you used to gain telnet access.
              > vi works although you may need to set TERM to vt100 since there
              > doesn't appear to be a termcap entry for xterm (depends on you
              > telnet client emulation).
              >
              > Thom
            • cs_h1
              Media server up and running - just got to sort shoutcast out ... login ... such
              Message 6 of 6 , Aug 18, 2005
              • 0 Attachment
                Media server up and running - just got to sort shoutcast out

                --- In LinkStation_General@yahoogroups.com, "cs_h1" <cs_h1@y...>
                wrote:
                > Done all this for LSII - how do you actually start the music server?
                >
                >
                >
                > --- In LinkStation_General@yahoogroups.com, "Thom Mason"
                > <t.e.mason@c...> wrote:
                > > dtaubert on the Roku Forums figured out a backdoor into the
                > > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?
                > t=186):
                > >
                > > The 1.44 firmware update has telnet access enabled. You can
                login
                > > using a user account setup through the Admin web interface.
                > > dtauberts poking around revealed:
                > >
                > > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
                > > COMMAND
                > > root 373 0.0 0.8 2132 536 ? SN Sep16
                > > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf
                > >
                > > $ cat /etc/thttpd.conf
                > > dir=/www
                > > user=root
                > > logfile=/var/log/thttpd.log
                > > pidfile=/var/run/thttpd.pid
                > > port=80
                > > charset=
                > > cgipat=/cgi-bin*/*
                > >
                > > $ ls -ald /www
                > > drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www
                > >
                > > In other words:
                > >
                > > 1) The http server is run as root.
                > > 2) The cgipat contains a wildcard in the directory name.
                > > 3) The /www directory is writable by all.
                > >
                > > mkdir /www/cgi-bin3 and plop a script in (it will run as root).
                > You
                > > can either make a scipt to change access for /etc/passwd:
                > >
                > > #! /bin/sh
                > > chmod 666 /etc/passwd
                > >
                > > and then paste it into you browser:
                > >
                > > http://buffalo/cgi-bin3/accesspass.sh
                > >
                > > making sure the script is set as executable or make a script
                > copying
                > > a modified passwd file to /etc/passwd.
                > >
                > > You can then change the root password to a known encrypted one
                such
                > > as the one for the user account you used to gain telnet access.
                > > vi works although you may need to set TERM to vt100 since there
                > > doesn't appear to be a termcap entry for xterm (depends on you
                > > telnet client emulation).
                > >
                > > Thom
              Your message has been successfully submitted and would be delivered to recipients shortly.