Buffalo NAS-Central Forums

Posted: Fri Mar 21, 2008 6:25 am
Newbie

Joined: Sun Oct 30, 2005 4:58 am
Posts: 52
Location: Braunschweig, DE
ACP_Commander is a very useful tool, which I appreciate very much. But it easily provides full access to a NAS to everybody who has physical access.
Is there a way to disable this backdoor for security reasons? E.g. on a Terastation Live?

_________________
LS HD-HG250LAN Freelink 1.11, Kernel 2.6, NFS
TS HS-DH2.0TGL, RAID-5, Stock-FW, NFS
UPS APC ES 500


Posted: Fri Mar 21, 2008 10:10 am
Site Admin

Joined: Mon Jul 11, 2005 7:19 am
Posts: 7703
Location: Austria, Vienna
well, it's not really easy to disable it.

ACP_commander got its name because it deals with the so-called ACP protocol. that's the one used by the buffalo-supplied firmware updater. there is a process running on your terastation which is the server process for lsupdater.exe or whatever it is called on the terastations. this process accepts connections on a non-standard port (look at acp_commander's source to see which port it is). so if you want to harden your terastation by disabling this process, it would mean that you will not be able to flash the box with new firmware.

i would actually try to stop the process with kill (give me a "ps w" listing and i'll tell you which process it is) and test whether there are any side effects other than the firmware updater not finding the box anymore.

if you just "kill", a simple reboot is enough to fix it again. i would start with that.

some are also looking into getting debian running natively on the terastations (arm9)...that of course would also be an option, but it would mean that you have to deal with configuring the box yourself from scratch. it's still in its initial tests...so it's no option for you currently.

_________________
LS1 (2.6 kernel, foonas svn1062, 750 GB, UBoot 1.2) & LS Pro (FreeLink/jtymod/GenLink, changes all the time)
Thx to all donators!


Posted: Fri Mar 21, 2008 12:32 pm
Newbie

Joined: Sun Oct 30, 2005 4:58 am
Posts: 52
Location: Braunschweig, DE
Debian would be a good option, because I'm really missing some of my helpers on the TS Live .. but so far, it seems too difficult for me, especially because of the RAID array. And as I could get NFS and Twonky to work, only UPS is missing, but I'm close to getting it finished.

Of course, shutting the backdoor is risky .. so here's my process list, which is already modified from the stock one:

Code:
  PID  Uid     VmSize Stat Command
    1 root        564 S   init
    2 root            SWN [ksoftirqd/0]
    3 root            SW< [events/0]
    4 root            SW< [khelper]
    5 root            SW< [kthread]
   11 root            SW< [kblockd/0]
   14 root            SW< [khubd]
   47 root            SW  [pdflush]
   48 root            SW  [pdflush]
   50 root            SW< [aio/0]
   49 root            SW  [kswapd0]
   51 root            SW< [xfslogd/0]
   52 root            SW< [xfsdatad/0]
   53 root            SW  [crypto]
   54 root            SW  [crypto_ret]
  178 root            SW< [scsi_eh_0]
  179 root            SW< [scsi_eh_1]
  180 root            SW< [scsi_eh_2]
  181 root            SW< [scsi_eh_3]
  223 root            SW  [mtdblockd]
  333 root            SW< [md1_raid1]
  336 root            SW< [md0_raid1]
  441 root            SW< [xfsbufd]
  442 root            SW< [xfssyncd]
  724 root            SW  [kjournald]
  802 root        644 S   syslogd -m 0
  804 root        380 S   klogd
  808 root        316 S   /usr/local/sbin/logchkd
  812 root        684 S   /usr/sbin/inetd
  815 root        980 S   /bin/sh /usr/local/sbin/kernelmon
  825 root        404 S < /usr/local/sbin/miconmon
  856 root            SW< [md2_raid5]
  868 root        508 S   cat /proc/buffalo/kernevnt
  885 root            SW< [xfsbufd]
  886 root            SW< [xfssyncd]
 1011 bin         352 S   /sbin/portmap
 1017 root            SW  [nfsd]
 1018 root            SW  [nfsd]
 1019 root            SW  [nfsd]
 1020 root            SW  [nfsd]
 1021 root            SW  [nfsd]
 1022 root            SW  [nfsd]
 1023 root            SW  [nfsd]
 1024 root            SW  [nfsd]
 1027 root            SW  [lockd]
 1028 root            SW< [rpciod/0]
 1030 root       1156 S   /usr/sbin/rpc.mountd
 1032 rpcuser     720 S   /usr/sbin/rpc.statd
 1041 root       1148 S   /bin/sh /usr/local/sbin/diskmon_exec.sh start
 1071 root        924 S   /usr/local/apache/bin/httpd
 1075 root        672 S   /usr/local/apache/bin/httpd
 1076 root        672 S   /usr/local/apache/bin/httpd
 1077 root        928 S   /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.conf
 1078 root        676 S   /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.conf
 1079 root        676 S   /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.conf
 1082 root        672 S   /usr/local/apache/bin/httpd
 1083 root        672 S   /usr/local/apache/bin/httpd
 1084 root        676 S   /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.conf
 1085 root        676 S   /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.conf
 1086 root        464 S   lpd Waiting
 1097 root        676 S   /usr/local/apache/bin/httpd
 1098 root        680 S   /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.conf
 1099 root       2088 S   /usr/local/sbin/smbd -D
 1101 root       1756 S   /usr/local/sbin/smbd -D
 1102 root       1348 S   /usr/local/sbin/nmbd -D
 1110 root        356 S   /usr/local/bin/directcopy
 1111 root        956 S   /bin/sh /usr/local/bin/directcopy_job.sh
 1112 root       1000 S   /bin/sh /usr/local/bin/directcopy_lcd.sh
 1145 root        268 S   /usr/local/sbin/clientUtil_server -i eth0
 1148 root        808 S   /usr/local/sbin/lsprcvd
 1151 root        332 S   /usr/local/sbin/daemonwatch -a /etc/daemonwatch.list
 1154 root        660 S   /usr/sbin/crond
 1169 root        372 S   /usr/local/BootServer/rarpd
 1172 root        360 S   /usr/local/BootServer/rarpcfgd
 1174 root        220 S   /usr/local/BootServer/fwupdated
 1175 root        196 S   /usr/local/BootServer/tftpd
 1222 root        368 S   /mnt/array1/twonky/twonkymedia
 1223 root       7496 S   /mnt/array1/twonky/twonkymediaserver
 1229 root       1004 S   /bin/sh /usr/local/bin/chk_pcastd.sh
 1237 root        952 S   /usr/local/sbin/sshd -f /etc/sshd_config
 1352 root        436 S   /usr/local/sbin/errormon
 1542 root        884 S   /usr/local/sbin/apcupsd --kill-on-powerfail
 1544 root        620 S   /sbin/getty -L ttyS0 115200 vt100
 8737 root       1472 S   sshd: root@pts/0
 8795 root       1288 S   -bash
29992 root        416 S   sleep 10
30275 root        416 S   sleep 1
30279 root        416 S   sleep 1
30280 root        416 S   sleep 1
30281 root        940 S   sh -c miconapl -a int_get_switch_status >/tmp/input_switch
30282 root        392 R   miconapl -a int_get_switch_status
30283 root        724 R   ps w
tera:/etc/init.d#


I suppose it might be the 1174 fwupdated daemon, what do you think? Do you have any idea what the 1151 daemonwatch is doing?



Posted: Fri Mar 21, 2008 3:55 pm
Site Admin

Joined: Mon Jul 11, 2005 7:19 am
Posts: 7703
Location: Austria, Vienna
the process is "/usr/local/sbin/clientUtil_server -i eth0"

if you kill this app acp_commander won't work anymore.

but....there is also "/usr/local/sbin/daemonwatch -a /etc/daemonwatch.list"

all daemons in /etc/daemonwatch.list are tracked by this daemon...if it is not started it gets started again. you would need to remove clientUtil_server from the list if it is there.

if you only kill this daemon it will be there again after reboot. so it won't survive reboot. if you disable it you lose your backdoor.

there is one way to solve this with the original firmware.

install the optware feed, install dropbear or openssh, configure it to get ssh access. then you can disable clientUtil_server permanently as you can access the box via ssh.



Posted: Sat Mar 22, 2008 5:24 am
Newbie

Joined: Sun Oct 30, 2005 4:58 am
Posts: 52
Location: Braunschweig, DE
Thanks mindbender ... of course, I took precautions with having sshd running. So killing "/usr/local/sbin/clientUtil_server -i eth0" closes the ARM backdoor, but only if also "/etc/daemonwatch.list" is modified. Otherwise it's kindly started again :)

Code:
Mar 22 06:33:18 tera clientUtil_server[1145]: DeletePidfile()
Mar 22 06:33:18 tera clientUtil_server[1145]: ap_serv_exit() exit ap_servd. code=15
Mar 22 06:33:21 tera daemonwatch[1151]: pid [/var/run/clientUtil_server-eth0.pid] does not exist
Mar 22 06:33:22 tera clientUtil_server[18654]: startup daemon
Mar 22 06:33:22 tera clientUtil_server[18654]: assigned intreface eth0
Mar 22 06:33:22 tera clientUtil_server[18654]: clientUtil_server Ver.1.02


After modifying daemonwatch.list, the clientUtil_server remains off:
Code:
Mar 22 06:34:56 tera clientUtil_server[18655]: DeletePidfile()
Mar 22 06:34:56 tera clientUtil_server[18655]: ap_serv_exit() exit ap_servd. code=15


Code:
/etc/init.d/clientUtil_server.sh stop
has a similar effect.

Proof-of-concept:

ACP_commander is no longer working ...
Code:
$ java -jar acp_commander.jar -t 192.168.91.22 -o
there seems to be no existing prefs, write default values
ACP_commander out of the linkstationwiki.net project.
Used to send ACP-commands to Buffalo linkstation(R) LS-PRO.

WARNING: This is experimental software that might brick your linkstation!


Using random connID value = 8034D781540E
Using target:   tera.mydomain.local/192.168.91.22
ERROR: Exception: SocketTimeoutException (Receive timed out) [ACP Send/Receive (Packet:8A10 = ACP_CMD)]


I couldn't find any other side effects ....

So far, I'll keep it running until I have finished setting up my Terastation. Permanently switching it off could be done by modifying /etc/init.d/rcS under ***step 3 (just in case somebody would like to do ...). As this seems to be rather dangerous, I'd better place an extra warning.

Warning: this procedure could result in an unrecoverable Terastation !! It disables the firmwareupdater and ACP_commander access !!

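Added example, not part of the original posts: a POSIX shell check for the behaviour shown in the logs above, where daemonwatch restarts clientUtil_server after a kill unless its entry is removed from the watch list. The function names, the sample input and the assumed list format (daemon name on a non-comment line) are assumptions; the real /etc/daemonwatch.list format is not shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the ACP listener state from
# syslog lines shaped like the ones posted above.

# Prints: stopped | respawned | started | unknown
acp_last_state() {   # usage: acp_last_state LOGFILE   ("-" reads stdin)
    awk '
        /clientUtil_server\[[0-9]+\]: ap_serv_exit\(\)/ { state = "stopped"; exited = 1; next }
        /daemonwatch\[[0-9]+\]: pid \[.*clientUtil_server.*\] does not exist/ { noticed = 1; next }
        /clientUtil_server\[[0-9]+\]: startup daemon/ {
            # A start that follows an exit plus a daemonwatch notice is a respawn.
            state = (exited && noticed) ? "respawned" : "started"
            exited = 0; noticed = 0
        }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# Assumption: a watched daemon appears by name on a non-comment line of the list.
acp_watch_entries() {   # usage: acp_watch_entries WATCHLIST
    grep -v '^[[:space:]]*#' "$1" | grep -c 'clientUtil_server' || true
}

# Exit status 0 only when the listener is stopped and no longer watched.
acp_is_hardened() {   # usage: acp_is_hardened LOGFILE WATCHLIST
    [ "$(acp_last_state "$1")" = "stopped" ] && [ "$(acp_watch_entries "$2")" -eq 0 ]
}

# Constructed sample input, shaped like the log excerpts in the thread.
sample_respawn_log() {
    cat <<'EOF'
Mar 22 06:33:18 tera clientUtil_server[1145]: ap_serv_exit() exit ap_servd. code=15
Mar 22 06:33:21 tera daemonwatch[1151]: pid [/var/run/clientUtil_server-eth0.pid] does not exist
Mar 22 06:33:22 tera clientUtil_server[18654]: startup daemon
EOF
}
sample_stopped_log() {
    sample_respawn_log
    echo 'Mar 22 06:34:56 tera clientUtil_server[18655]: ap_serv_exit() exit ap_servd. code=15'
}

# Demo on the constructed sample: prints "stopped"
sample_stopped_log | acp_last_state -
```

On a real box the same functions would be pointed at the syslog file and at /etc/daemonwatch.list; a "respawned" result means the watch list still restarts the listener.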


Posted: Sun Mar 23, 2008 4:31 pm
Site Admin

Joined: Mon Jul 11, 2005 7:19 am
Posts: 7703
Location: Austria, Vienna
i personally recommend modding the web interface so it is possible to start telnet/sshd from there.
