Default Root Password in Infrant (now Netgear) ReadyNAS "RAIDiator"

2007.08.16
Credit: Felix Domke
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Security Advisory Default Root Password in Infrant (now Netgear) ReadyNAS "RAIDiator" Release Date: August 13, 2007 Authors: Brian Chapados <brian (at) chapados (dot) org [email concealed]> Felix Domke <tmbinc (at) elitedvb (dot) net [email concealed]> Timeline: Jul 25, 2007 - discovery Jul 29, 2007 - vendor notification Aug 6, 2007 - vendor releases fix (ToggleSSH) Aug 8, 2007 - vendor releases "advisory" [1] Aug 13, 2007 - public release of this advisory Severity: Critical (Remote Root) Vendor: Infrant (now Netgear) Systems Affected: ReadyNAS devices with RAIDiator 3.01c1-p1, 3.01c1-p6, possibly more Systems Not Affected: ReadyNAS devices with RAIDiator 4.0, which disables the SSH-daemon by default, and lets you change the root password when enabling it. Overview: The ReadyNAS is a Network-Attached-Storage (NAS) device based on Linux 2.4.20 and debian-sparc with a custom frontend for management. Out of the box, the user cannot log in into a shell on the device. There are two enabled users, one called "admin" (with the default password "infrant1", which is documented), and another one, "root", which is not documented. The user "admin" does not have a shell assigned, so it cannot log in interactively. It is used only for the web frontend. The root password is generated on each boot with a hardcoded algorithm, using a hash of the unique Ethernet MAC-address, the software version number and a shared secret. The root password cannot be changed permanently, it will be "restored" after each bootup. The secure shell daemon (sshd) is enabled by default, and cannot be disabled. The vendor states that this is required to be enabled for fix problems remotely, in case the user lost its web password, and that it is not a security risk because the user must first forward access to port 22 on his router[2]. The latter of course is only true if a.) the attacker comes from the internet, and b.) the NAS is behind a NAT router. Technical details: The ReadyNAS-devices employs a proprietary embedded SoC design, based on the Infrant NSP IT3107, which is based on a Leon SPARC processor design. The device boots from its internal flash. The Linux kernel and initrd-image is contained in flash (and also downloadable from the Infrant website in order to upgrade devices), but are encrypted with an on-chip 3DES-based encryption algorithm. Without knowing this key, or having access to the device, it's not possible to change the initrd image. The initrd image will look for installed harddisks, and initialize them. If an uninitialized harddisk is found, it will be added to the RAID array, and a part of the harddisk will be used for a root filesystem, which is initialized from a tarball stored in flash. After the rootfs has been mounted, some consistency checks are done, and several important configuration files will be "backed up" from encrypted versions. That means that it's not possible to change arbitrary files, for examples by mounting a harddrive externally, because they will be replaced by their backup version on the next boot. The backup files are encrypted, so they cannot be changed without being able to encrypt these files. A part of the /linuxrc file from the initrd image, which is executed first on bootup, is: - ------------- SEED1=`/sysroot/sbin/ifconfig eth0|grep HWaddr|sed -e 's/.*HWaddr //' - -e 's/ //g'` SEED2=`cut -f2 -d= /sysroot/etc/raidiator_version |cut -f1 -d,` [*EDIT*: removed SEED3 as friendly requested by vendor] echo "root:`echo "$SEED1 $SEED2 $SEED3" | md5sum | cut -f1 -d' '`" | chpasswd # TAKE ME OUT!! [ -s /sysroot/.os_passwd ] && echo "root:`/sysroot/usr/bin/head -1 /sysroot/.os_passwd`" | chpasswd ############### /sysroot/bin/mv /etc/passwd /sysroot/etc/passwd 2>$ERR rm -rf /sysroot/etc/hosts_equiv /sysroot/root/.rhosts /sysroot/root/.ssh/* 2>$ERR - ------------- This means that the root password will be initialized with the md5sum of the following components: a.) MAC address, as extracted from ifconfig, b.) the software version number, read from /etc/raidiator_version, c.) a shared secret string contained in SEED3. Even if the root password is unique per device (due to the MAC address being part of the hash), it cannot be considered as secret. First, if the NAS device is on the local LAN, one can easily query the MAC address with an ARP request. Second, the default hostname, which is also displayed in the https-based interface (even for non-authorized users), is "nas-xx-yy-zz" where xx,yy,zz are the last 3 octets of the MAC address. Finally, the software revision can be easily determined using a brute-force approach. Knowing this, an attacker can login into remote ReadyNAS devices, and access all data on the system. Vendor Status: After contact with the vendor, the vendor released a fix in less than a week, together with the beta of RAIDiator 4.0, which allows a user to enable root access with a changable password. The vendor also released an advisory [1]. Recommendation: Use the 'ToggleSSH'-addon released by the vendor to disable SSH access. [1] http://www.infrant.com/forum/viewtopic.php?t=12313 [2] http://www.infrant.com/forum/viewtopic.php?t=3366&start=30 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFGwFQKNPfnQ8mzczcRAvvIAKCWLq4ohG1NpM8XjfhunMhf42jB9gCghkRw NoTv1BvrOpj9XjarC2/VR1Q= =I+rQ -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top