after playing around for about one week with my new LinkStation DUO I finally succeeded to gain full control!
The best about that: no modified FW, no need to use acp_commander (it doesn't work anyway).
Well, I'm new to this forum and even kind of newbie to LinkStation hacking.
I got a lot of information from the forum - with limited use for the new LinkStation DUO - so I want to contribute with my knowledge so far.
My LinkStation DUO is running FW version 1.22, that is the latest version for this model available from the Buffalo support site.
I tried to gain full (root) access with acp_commander, but it did not work with my device; I assume that this security hole was closed.
I looked through all configuration options, realized that SSH service is active during normal operation, but was not able to login:
- login as root does not work due to not knowing the password
- login as other user was denied by simply closing the connection
The trick to get it work is based on the possibility to configure a web server on the device.
- Configure a share 'www'
- Configure a web server on port 81 using that share
It is possible to run PHP scripts with that web server.
It comes configure by default with an 'index.php' that shows the phpinfo()!
Next I installed the PHP Shell (-> google) and was able to look through the filesystem with a SHELL like interface.
Then I found that the file /etc/pam.d/sshd was installed world writable and voila! ... the device was mine!
Next I installed a simple PHP file manager that enabled me to edit files via the web browser.
I changed the file /etc/pam.d/sshd as follows:
- comment out all lines that begin with 'auth'
- add the line: auth required pam_permit.so
Now I was able to login as root with no password: ssh root@linkstation
But be careful: the file /etc/pam.d/sshd gets re-created each time the system starts up.
Best way to get permanent root access is to install your SSH public key in the 'authorized_keys' file.
# mkdir /root/.ssh
# chmod 700 /root/.ssh
... install your SSH public key in /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys