dtaubert on the Roku Forums figured out a backdoor into the

Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?t=186):



The 1.44 firmware update has telnet access enabled.  You can login

using a user account setup through the Admin web interface.

dtauberts poking around revealed:



USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME

COMMAND

root       373  0.0  0.8  2132  536 ?        SN   Sep16

0:01 /usr/sbin/thttpd -C /etc/thttpd.conf



$ cat /etc/thttpd.conf

dir=/www

user=root

logfile=/var/log/thttpd.log

pidfile=/var/run/thttpd.pid

port=80

charset=

cgipat=/cgi-bin*/*



$ ls -ald /www

drwxrwxrwx    9 root     root         1024 Sep 17 15:40 /www



In other words:



1) The http server is run as root.

2) The cgipat contains a wildcard in the directory name.

3) The /www directory is writable by all.



mkdir /www/cgi-bin3 and plop a script in (it will run as root).  You

can either make a scipt to change access for /etc/passwd:



#! /bin/sh

chmod 666 /etc/passwd



and then paste it into you browser:



http://buffalo/cgi-bin3/accesspass.sh



making sure the script is set as executable or make a script copying

a modified passwd file to /etc/passwd.



You can then change the root password to a known encrypted one such

as the one for the user account you used to gain telnet access.

vi works although you may need to set TERM to vt100 since there

doesn't appear to be a termcap entry for xterm (depends on you

telnet client emulation).



Thom

Do you know what the boot process is yet?? Also can you post a dmesg?



--- In LinkStation_General@yahoogroups.com, "Thom Mason"

<t.e.mason@c...> wrote:

> dtaubert on the Roku Forums figured out a backdoor into the

> Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?t=186):

>

> The 1.44 firmware update has telnet access enabled.  You can login

> using a user account setup through the Admin web interface.

> dtauberts poking around revealed:

>

> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME

> COMMAND

> root       373  0.0  0.8  2132  536 ?        SN   Sep16

> 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf

>

> $ cat /etc/thttpd.conf

> dir=/www

> user=root

> logfile=/var/log/thttpd.log

> pidfile=/var/run/thttpd.pid

> port=80

> charset=

> cgipat=/cgi-bin*/*

>

> $ ls -ald /www

> drwxrwxrwx    9 root     root         1024 Sep 17 15:40 /www

>

> In other words:

>

> 1) The http server is run as root.

> 2) The cgipat contains a wildcard in the directory name.

> 3) The /www directory is writable by all.

>

> mkdir /www/cgi-bin3 and plop a script in (it will run as root).  You

> can either make a scipt to change access for /etc/passwd:

>

> #! /bin/sh

> chmod 666 /etc/passwd

>

> and then paste it into you browser:

>

> http://buffalo/cgi-bin3/accesspass.sh

>

> making sure the script is set as executable or make a script copying

> a modified passwd file to /etc/passwd.

>

> You can then change the root password to a known encrypted one such

> as the one for the user account you used to gain telnet access.

> vi works although you may need to set TERM to vt100 since there

> doesn't appear to be a termcap entry for xterm (depends on you

> telnet client emulation).

>

> Thom

Here's the log file which gives some indication of the bootsequence

dmesg isn't there (another thing for the to do list):



Sep 21 05:05:53 BUFFALO linkstation[178]: Started ap_servd

Sep 21 05:05:54 BUFFALO linkstation[184]: Started inetd

Sep 21 05:05:54 BUFFALO linkstation[188]: Started thttpd

Sep 21 05:05:54 BUFFALO linkstation[194]: Started lpd

Sep 21 05:05:54 BUFFALO linkstation[201]: Started ekpd

Sep 21 05:05:54 BUFFALO linkstation[208]: Started cron

Sep 21 05:05:56 BUFFALO linkstation[226]: Started smbd nmbd

Sep 21 05:05:56 BUFFALO linkstation[228]: Not started proftpd

Sep 21 05:05:57 BUFFALO linkstation[233]: Started ppc_uartd

Sep 21 05:06:39 BUFFALO linkstation[244]: Started atalkd papd afpd

Sep 21 05:06:41 BUFFALO linkstation[245]: [TOP] View page from

RemoteAddr:192.168.15.52, RemoteHost:.

Sep 21 05:07:22 BUFFALO linkstation[290]: [Success] Change TimeZone

to GMT+5.

Sep 21 00:07:18 BUFFALO linkstation[297]: [Success] Change date to

2004/9/21 0:7:18.

Sep 21 00:07:18 BUFFALO linkstation[298]: [Success] Change Locale to

CP437.

Sep 21 00:07:18 BUFFALO linkstation[312]: Stopped thttpd

Sep 21 00:07:19 BUFFALO linkstation[317]: Started thttpd

Sep 21 00:07:21 BUFFALO linkstation[341]: Started smbd nmbd winbindd

Sep 21 00:07:21 BUFFALO linkstation[346]: Started smbd nmbd

Sep 21 00:07:21 BUFFALO linkstation[358]: Stopped atalkd papd afpd

Sep 21 00:07:22 BUFFALO linkstation[369]: Stopped proftpd wu-ftpd

Sep 21 00:07:23 BUFFALO linkstation[371]: Not started proftpd

Sep 21 00:07:23 BUFFALO linkstation[372]: [TOP] View page from

RemoteAddr:192.168.15.52, RemoteHost:.

Sep 21 00:08:06 BUFFALO linkstation[421]: Started atalkd papd afpd

Sep 21 00:08:08 BUFFALO linkstation[424]: [TOP] View page from

RemoteAddr:192.168.15.52, RemoteHost:.

Sep 21 00:08:21 BUFFALO linkstation[469]: [Success] Delete all job

from crontab.

Sep 21 00:08:21 BUFFALO linkstation[472]: [Success] Change sleep

timer status to OFF.

Sep 21 00:08:21 BUFFALO linkstation[477]: Stopped ap_servd

Sep 21 00:08:21 BUFFALO linkstation[482]: Started ap_servd

Sep 21 00:08:23 BUFFALO linkstation[495]: [TOP] View page from

RemoteAddr:192.168.15.52, RemoteHost:.

Sep 21 00:08:47 BUFFALO linkstation[578]: [Status] Start detail disk

check.

Sep 21 00:08:47 BUFFALO linkstation[581]: [Status] Finish detail

disk check.

Sep 21 00:08:47 BUFFALO linkstation[589]: Started smbd nmbd winbindd

Sep 21 00:08:48 BUFFALO linkstation[600]: Stopped atalkd papd afpd

Sep 21 00:08:48 BUFFALO linkstation[603]: Stopped thttpd

Sep 21 00:08:54 BUFFALO linkstation[626]: Stopped cron

Sep 21 00:08:54 BUFFALO linkstation[629]: Stopped inetd

Sep 21 00:08:54 BUFFALO linkstation[632]: Stopped thttpd

Sep 21 00:08:55 BUFFALO linkstation[638]: Stopped lpd

Sep 21 00:08:55 BUFFALO linkstation[642]: Stopped ekpd

Sep 21 00:08:55 BUFFALO linkstation[653]: Stopped atalkd papd afpd

Sep 21 00:09:31 BUFFALO linkstation[178]: Started ap_servd

Sep 21 00:09:32 BUFFALO linkstation[184]: Started inetd

Sep 21 00:09:32 BUFFALO linkstation[188]: Started thttpd

Sep 21 00:09:32 BUFFALO linkstation[194]: Started lpd

Sep 21 00:09:32 BUFFALO linkstation[201]: Started ekpd

Sep 21 00:09:32 BUFFALO linkstation[208]: Started cron

Sep 21 00:09:34 BUFFALO linkstation[226]: Started smbd nmbd

Sep 21 00:09:34 BUFFALO linkstation[228]: Not started proftpd

Sep 21 00:09:35 BUFFALO linkstation[233]: Started ppc_uartd

Sep 21 00:10:17 BUFFALO linkstation[242]: Started atalkd papd afpd

Sep 21 04:06:24 BUFFALO time calibration[253]: done. 2004/ 9/21  9:

6:24, -5:0

Sep 21 04:06:24 BUFFALO linkstation[257]: Stopped ppc_uartd

Sep 21 04:06:25 BUFFALO linkstation[261]: Started ppc_uartd

Sep 21 07:17:41 BUFFALO linkstation[270]: [TOP] View page from

RemoteAddr:192.168.15.52, RemoteHost:.

Sep 21 07:38:05 BUFFALO linkstation[344]: [TOP] View page from

RemoteAddr:192.168.15.52, RemoteHost:.

Sep 21 07:43:19 BUFFALO linkstation[420]: Stopped proftpd wu-ftpd

Sep 21 07:43:19 BUFFALO linkstation[421]: [Success] Change FTP

server status to on.

Sep 21 07:43:19 BUFFALO linkstation[422]: [Success] Change FTP

server type to pr.

Sep 21 07:43:20 BUFFALO linkstation[431]: Stopped proftpd wu-ftpd

Sep 21 07:43:20 BUFFALO linkstation[442]: Started proftpd



--- In LinkStation_General@yahoogroups.com, "stuart_stegall"

<stuart@f...> wrote:

> Do you know what the boot process is yet?? Also can you post a

dmesg?

>

Try this one on for size:



Sep 16 23:39:16 HD-HLANA09 syslogd 1.3-3: restart.

Sep 16 23:39:16 HD-HLANA09 kernel: klogd 1.3-3, log source = /proc/kmsg started.

Sep 16 23:39:16 HD-HLANA09 kernel: Memory BAT mapping: BAT2=64Mb, BAT3=0Mb,

residual: 0Mb

Sep 16 23:39:16 HD-HLANA09 kernel: Linux version 2.4.17_mvl21-sandpoint

(root@toda_dev.melcoinc.co.jp) (gcc version 2.95.3 20010315

(release/MontaVista)) #990 2004 5 21  13:39:00 JST

Sep 16 23:39:16 HD-HLANA09 kernel: BUFFALO Network Attached Storage Series

Sep 16 23:39:16 HD-HLANA09 kernel: 2002-2004 BUFFALO INC.

Sep 16 23:39:16 HD-HLANA09 kernel: On node 0 totalpages: 16384

Sep 16 23:39:16 HD-HLANA09 kernel: zone(0): 16384 pages.

Sep 16 23:39:16 HD-HLANA09 kernel: zone(1): 0 pages.

Sep 16 23:39:16 HD-HLANA09 kernel: zone(2): 0 pages.

Sep 16 23:39:16 HD-HLANA09 kernel: Kernel command line: root=/dev/hda1

Sep 16 23:39:16 HD-HLANA09 kernel: OpenPIC Version 1.2 (1 CPUs and 139 IRQ

sources) at 80040000

Sep 16 23:39:16 HD-HLANA09 kernel: decrementer frequency = 24.519423 MHz

Sep 16 23:39:16 HD-HLANA09 kernel: rtc sec count 1095377944

Sep 16 23:39:16 HD-HLANA09 kernel: Calibrating delay loop... 130.66 BogoMIPS

Sep 16 23:39:16 HD-HLANA09 kernel: Memory: 60356k available (1332k kernel code,

568k data, 192k init, 0k highmem)

Sep 16 23:39:16 HD-HLANA09 kernel: Dentry-cache hash table entries: 8192 (order:

4, 65536 bytes)

Sep 16 23:39:16 HD-HLANA09 kernel: Inode-cache hash table entries: 4096 (order:

3, 32768 bytes)

Sep 16 23:39:16 HD-HLANA09 kernel: Mount-cache hash table entries: 1024 (order:

1, 8192 bytes)

Sep 16 23:39:16 HD-HLANA09 kernel: Buffer-cache hash table entries: 4096 (order:

2, 16384 bytes)

Sep 16 23:39:16 HD-HLANA09 kernel: Page-cache hash table entries: 16384 (order:

4, 65536 bytes)

Sep 16 23:39:16 HD-HLANA09 kernel: POSIX conformance testing by UNIFIX

Sep 16 23:39:16 HD-HLANA09 kernel: PCI: Probing PCI hardware

Sep 16 23:39:16 HD-HLANA09 kernel: Linux NET4.0 for Linux 2.4

Sep 16 23:39:16 HD-HLANA09 kernel: Based upon Swansea University Computer

Society NET3.039

Sep 16 23:39:16 HD-HLANA09 kernel: Initializing RT netlink socket

Sep 16 23:39:16 HD-HLANA09 kernel: Starting kswapd

Sep 16 23:39:16 HD-HLANA09 kernel: Disabling the Out Of Memory Killer

Sep 16 23:39:16 HD-HLANA09 kernel: Journalled Block Device driver loaded

Sep 16 23:39:16 HD-HLANA09 kernel: pty: 256 Unix98 ptys configured

Sep 16 23:39:16 HD-HLANA09 kernel: MELCO INC. RTC driver ver 1.00

Sep 16 23:39:16 HD-HLANA09 kernel: Serial driver version 5.05c (2001-07-08) with

MANY_PORTS SHARE_IRQ SERIAL_PCI enabled

Sep 16 23:39:16 HD-HLANA09 kernel: ttyS00 at 0x80004600 (irq = 138) is a 16550A

Sep 16 23:39:16 HD-HLANA09 kernel: ttyS01 at 0x80004500 (irq = 137) is a 16550A

Sep 16 23:39:16 HD-HLANA09 kernel: block: 128 slots per queue, batch=32

Sep 16 23:39:16 HD-HLANA09 kernel: RAMDISK driver initialized: 16 RAM disks of

10000K size 1024 blocksize

Sep 16 23:39:16 HD-HLANA09 kernel: Uniform Multi-Platform E-IDE driver Revision:

6.31

Sep 16 23:39:16 HD-HLANA09 kernel: ide: Assuming 33MHz system bus speed for PIO

modes; override with idebus=xx

Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: IDE controller on PCI bus 00 dev 60

Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: chipset revision 2

Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: 100% native mode on irq 17

Sep 16 23:39:16 HD-HLANA09 kernel:     ide0: BM-DMA at 0xbffed0-0xbffed7, BIOS

settings: hda:pio, hdb:pio

Sep 16 23:39:16 HD-HLANA09 kernel:     ide1: BM-DMA at 0xbffed8-0xbffedf, BIOS

settings: hdc:pio, hdd:pio

Sep 16 23:39:16 HD-HLANA09 kernel: hda: SAMSUNG SV1203N, ATA DISK drive

Sep 16 23:39:16 HD-HLANA09 kernel: ide0 at 0xbffef8-0xbffeff,0xbffef6 on irq 17

Sep 16 23:39:16 HD-HLANA09 kernel: hda: 234493056 sectors (120060 MB) w/2048KiB

Cache, CHS=14596/255/63, UDMA(100)

Sep 16 23:39:16 HD-HLANA09 kernel: Partition check:

Sep 16 23:39:16 HD-HLANA09 kernel:  hda: hda1 hda2 hda3

Sep 16 23:39:16 HD-HLANA09 kernel: FLASHDISK:Initialized [STMICRO M29W320DT]

Sep 16 23:39:16 HD-HLANA09 kernel: Linux Tulip driver version 0.9.15-pre9 (Nov

6, 2001)

Sep 16 23:39:16 HD-HLANA09 kernel: tulip0:  MII transceiver #1 config 3100

status 7849 advertising 05e1.

Sep 16 23:39:16 HD-HLANA09 kernel: eth0: ADMtek Comet rev 17 at 0xbfff00,

00:07:40:A4:BA:09, IRQ 16.

Sep 16 23:39:16 HD-HLANA09 kernel: SCSI subsystem driver Revision: 1.00

Sep 16 23:39:16 HD-HLANA09 kernel: request_module[scsi_hostadapter]: Root fs not

mounted

Sep 16 23:39:16 HD-HLANA09 kernel: request_module[scsi_hostadapter]: Root fs not

mounted

Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usbdevfs

Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver hub

Sep 16 23:39:16 HD-HLANA09 kernel: hcd.c: ehci-hcd @ 00:0e.2, PCI device

1033:00e0 (NEC Corporation)

Sep 16 23:39:16 HD-HLANA09 kernel: hcd.c: irq 19, pci mem c5000f00

Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus

number 1

Sep 16 23:39:16 HD-HLANA09 kernel: hcd/ehci-hcd.c: USB 2.0 support enabled, EHCI

rev 1. 0

Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found

Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 5 ports detected

Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: USB OHCI at membase 0xc5002000,

IRQ 19

Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: usb-00:0e.0, NEC Corporation USB

Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus

number 2

Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found

Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 3 ports detected

Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: USB OHCI at membase 0xc5004000,

IRQ 19

Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: usb-00:0e.1, NEC Corporation USB

(#2)

Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus

number 3

Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found

Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 2 ports detected

Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usblp

Sep 16 23:39:16 HD-HLANA09 kernel: printer.c: v0.11: USB Printer Device Class

driver

Sep 16 23:39:16 HD-HLANA09 kernel: Initializing USB Mass Storage driver...

Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usb-storage

Sep 16 23:39:16 HD-HLANA09 kernel: USB Mass Storage support registered.

Sep 16 23:39:16 HD-HLANA09 kernel: NET4: Linux TCP/IP 1.0 for NET4.0

Sep 16 23:39:16 HD-HLANA09 kernel: IP Protocols: ICMP, UDP, TCP, IGMP

Sep 16 23:39:16 HD-HLANA09 kernel: IP: routing cache hash table of 512 buckets,

4Kbytes

Sep 16 23:39:16 HD-HLANA09 kernel: TCP: Hash tables configured (established 4096

bind 4096)

Sep 16 23:39:16 HD-HLANA09 kernel: NET4: Unix domain sockets 1.0/SMP for Linux

NET4.0.

Sep 16 23:39:16 HD-HLANA09 kernel: NET4: AppleTalk 0.18a for Linux NET4.0

Sep 16 23:39:16 HD-HLANA09 kernel: RAMDISK: Compressed image found at block 0

Sep 16 23:39:16 HD-HLANA09 kernel: Freeing initrd memory: 1993k freed

Sep 16 23:39:16 HD-HLANA09 kernel: fff70000:4f4b4f4b

Sep 16 23:39:16 HD-HLANA09 kernel: VFS: Mounted root (ext2 filesystem).

Sep 16 23:39:16 HD-HLANA09 kernel: fff70000:4f4b4f4b

Sep 16 23:39:16 HD-HLANA09 kernel: kjournald starting.  Commit interval 5

seconds

Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data

mode.

Sep 16 23:39:16 HD-HLANA09 kernel: VFS: Mounted root (ext3 filesystem) readonly.

Sep 16 23:39:16 HD-HLANA09 kernel: change_root: old root has d_count=2

Sep 16 23:39:16 HD-HLANA09 kernel: Trying to unmount old root ... okay

Sep 16 23:39:16 HD-HLANA09 kernel: Freeing unused kernel memory: 192k init

Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: new USB device 00:0e.2-2, assigned

address 2

Sep 16 23:39:16 HD-HLANA09 kernel: scsi0 : SCSI emulation for USB Mass Storage

devices

Sep 16 23:39:16 HD-HLANA09 kernel:   Vendor: WDC WD25  Model: 00JB-00GVA0      

Rev:  0 0

Sep 16 23:39:16 HD-HLANA09 kernel:   Type:   Direct-Access                     

ANSI SCSI revision: 02

Sep 16 23:39:16 HD-HLANA09 kernel: Attached scsi disk sda at scsi0, channel 0,

id 0, lun 0

Sep 16 23:39:16 HD-HLANA09 kernel: SCSI device sda: 488397168 512-byte hdwr

sectors (250059 MB)

Sep 16 23:39:16 HD-HLANA09 kernel:  sda:<7>usb-storage: task-switchin

Sep 16 23:39:16 HD-HLANA09 kernel:  sda1

Sep 16 23:39:16 HD-HLANA09 kernel: Adding Swap: 257032k swap-space (priority -1)

Sep 16 23:39:16 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on ide0(3,1),

internal journal

Sep 16 23:39:16 HD-HLANA09 kernel: kjournald starting.  Commit interval 5

seconds

Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs warning: checktime reached, running

e2fsck is recommended

Sep 16 23:39:16 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on ide0(3,3),

internal journal

Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data

mode.

Sep 16 23:39:16 HD-HLANA09 init: Entering runlevel: 2

Sep 16 23:39:17 HD-HLANA09 modprobe: modprobe: Can't locate module printer

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: beep is defined as "off"

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: usb device is added

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: vendor:0x0 product:0x0 Dclass:0x9

Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: The device match nothing in

mapfile

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: Please change MODULE in following

line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0

0x0 0x0 0x0 0x0 0x00000000

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: beep is defined as "off"

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: usb device is added

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: vendor:0x0 product:0x0 Dclass:0x9

Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: The device match nothing in

mapfile

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: Please change MODULE in following

line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0

0x0 0x0 0x0 0x0 0x00000000

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: beep is defined as "off"

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: usb device is added

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: vendor:0x0 product:0x0 Dclass:0x9

Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: The device match nothing in

mapfile

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: Please change MODULE in following

line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0

0x0 0x0 0x0 0x0 0x00000000

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: beep is defined as "off"

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: usb device is added

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: vendor:0x6e1 product:0xd835

Dclass:0x0 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x8 Isubclass:0x6 Iprotocol:0x32

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: The device match nothing in

mapfile

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: Please change MODULE in following

line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap

Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: MODULE 0x0383 0x6e1 0xd835 0 0 0x0

0x0 0x0 0x8 0x6 0x32 0x00000000

Sep 16 23:39:17 HD-HLANA09 kernel: FAT: bogus logical sector size 0

Sep 16 23:39:17 HD-HLANA09 kernel: VFS: Can't find a valid FAT filesystem on dev

08:01.

Sep 16 23:39:17 HD-HLANA09 kernel: NTFS driver v1.1.21 [Flags: R/O MODULE]

Sep 16 23:39:17 HD-HLANA09 kernel: kjournald starting.  Commit interval 5

seconds

Sep 16 23:39:17 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on sd(8,1),

internal journal

Sep 16 23:39:17 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data

mode.

Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: startup daemon

Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: assigned intreface eth0

Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: standalone mode



Derek

Done all this for LSII - how do you actually start the music server?







--- In LinkStation_General@yahoogroups.com, "Thom Mason"

<t.e.mason@c...> wrote:

> dtaubert on the Roku Forums figured out a backdoor into the

> Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?

t=186):

>

> The 1.44 firmware update has telnet access enabled.  You can login

> using a user account setup through the Admin web interface.

> dtauberts poking around revealed:

>

> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME

> COMMAND

> root       373  0.0  0.8  2132  536 ?        SN   Sep16

> 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf

>

> $ cat /etc/thttpd.conf

> dir=/www

> user=root

> logfile=/var/log/thttpd.log

> pidfile=/var/run/thttpd.pid

> port=80

> charset=

> cgipat=/cgi-bin*/*

>

> $ ls -ald /www

> drwxrwxrwx    9 root     root         1024 Sep 17 15:40 /www

>

> In other words:

>

> 1) The http server is run as root.

> 2) The cgipat contains a wildcard in the directory name.

> 3) The /www directory is writable by all.

>

> mkdir /www/cgi-bin3 and plop a script in (it will run as root).

You

> can either make a scipt to change access for /etc/passwd:

>

> #! /bin/sh

> chmod 666 /etc/passwd

>

> and then paste it into you browser:

>

> http://buffalo/cgi-bin3/accesspass.sh

>

> making sure the script is set as executable or make a script

copying

> a modified passwd file to /etc/passwd.

>

> You can then change the root password to a known encrypted one such

> as the one for the user account you used to gain telnet access.

> vi works although you may need to set TERM to vt100 since there

> doesn't appear to be a termcap entry for xterm (depends on you

> telnet client emulation).

>

> Thom

Media server up and running - just got to sort shoutcast out



--- In LinkStation_General@yahoogroups.com, "cs_h1" <cs_h1@y...>

wrote:

> Done all this for LSII - how do you actually start the music server?

>

>

>

> --- In LinkStation_General@yahoogroups.com, "Thom Mason"

> <t.e.mason@c...> wrote:

> > dtaubert on the Roku Forums figured out a backdoor into the

> > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?

> t=186):

> >

> > The 1.44 firmware update has telnet access enabled.  You can

login

> > using a user account setup through the Admin web interface.

> > dtauberts poking around revealed:

> >

> > USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME

> > COMMAND

> > root       373  0.0  0.8  2132  536 ?        SN   Sep16

> > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf

> >

> > $ cat /etc/thttpd.conf

> > dir=/www

> > user=root

> > logfile=/var/log/thttpd.log

> > pidfile=/var/run/thttpd.pid

> > port=80

> > charset=

> > cgipat=/cgi-bin*/*

> >

> > $ ls -ald /www

> > drwxrwxrwx    9 root     root         1024 Sep 17 15:40 /www

> >

> > In other words:

> >

> > 1) The http server is run as root.

> > 2) The cgipat contains a wildcard in the directory name.

> > 3) The /www directory is writable by all.

> >

> > mkdir /www/cgi-bin3 and plop a script in (it will run as root).

> You

> > can either make a scipt to change access for /etc/passwd:

> >

> > #! /bin/sh

> > chmod 666 /etc/passwd

> >

> > and then paste it into you browser:

> >

> > http://buffalo/cgi-bin3/accesspass.sh

> >

> > making sure the script is set as executable or make a script

> copying

> > a modified passwd file to /etc/passwd.

> >

> > You can then change the root password to a known encrypted one

such

> > as the one for the user account you used to gain telnet access.

> > vi works although you may need to set TERM to vt100 since there

> > doesn't appear to be a termcap entry for xterm (depends on you

> > telnet client emulation).

> >

> > Thom