BlackArmor 440/420 telnet access

[Isaac_x]

A comprehensive Google search (1, 2) showed there is an easy exploit to access telnet on the device, but I'm not experienced enough in Linux to find it myself. I realize I need to mount the harddrives in an alternative manner and put a new .htpasswd file with my own root user and password, but I don't know which partition to mount or how to go about altering the file system.

edit:
Turns out you can simply mount the ext2 partition under Linux (or with fuse-ext2 under OS X) and copy /proto/SxM_webui/admin/sxmJEWAB/SXMjewab.php to /proto/SxM_webui/admin/SXMjewab.php , then put the drive back in the NAS and access the URL /admin/SXMjewab.php?telnet=jewab&debug=1
The telnet root account is user:root pass:atsahs
Careful now!

 

[trevorj]

I got the .htpasswd file by:

Set up a new "share" with SMB "Public" access and NFS "Full access".

Mount said nfs export on your machine, then create a symlink that points to / inside of said mounted nfs export (I called it "root"), unmount.

Mount said SMB share on your machine, mounting it as cifs with the nounix option. You can now access the root filesystem as the user smbd is running under by entering the symlink you created earlier.

I yanked the .htpasswd file, then ran it through john the ripper:

sysadmin (JeWab)

Password for "JeWab" is "sysadmin". No need to plug the drives into your computer

---

The reason why the above symlink is followed is because they left wide_links turned on in Samba's configuration.

Seagate has patched this flaw in their SMB configuration in the very latest firmware (4000.0671+). I haven't yet tested to see if sxmJEWAB password or method has stopped working in any way in the latest firmware either. It probably has, as they have revamped the web UI in said update.

 

[Isaac_x]

Any tips on enhancing the read/write speed of the device?

 

[keithn821]

Telnet access enabled!

hxxp://your nas IP/admin/sxmJEWAB/SXMjewab.php?telnet=jewab&debug=1

Open the link in your web browser. BA440 will dump the contents of the inetd.conf file - which now contains an entry allowing *telnet* access. You can immediately connect to the device on port 23.

C:\>telnet nas-ip

BlackArmor login: admin
Password: <your web interface password>

_____ __ __ _ _____ _____
/ ___// /_ ____ ______/ /_____ _ / | / / | / ___/
\__ \/ __ \/ __ `/ ___/ __/ __ `/ / |/ / /| | \__ \
___/ / / / / /_/ (__ ) /_/ /_/ / / /| / ___ |___/ /
/____/_/ /_/\__,_/____/\__/\__,_/ /_/ |_/_/ |_/____/
==========================================================
v4000.1101
~ $

 

[bnborg]

Sounds complicated.

On my LG-NAS N4B1, I only had to mount one of the NAS' drives offline and edit /etc/init.d/rcS. I used Ext2Fsd to mount the drive on Windows.

After uncommenting the lines enabling telnet and root access, I put only that drive in the NAS and booted it. Then I added the other drives, one at a time. I can telnet to it and login as root, using the same password as the HTTP administrator, "admin".