When CompUSA was slowly dying, my friend Chris Heien and I kept waiting for the right moment to swoop in at the sweet spot between value and desperation to acquire the HP MediaVault m2040: a 2-bay Network Attached Storage (NAS) device. NAS devices sit on your network and act as a file server. Since our house network runs to every room (via LinkSys Ethernet-over-Power adaptors and 802.11n/g clouds), a home server was essential for sharing large files between roommates and devices.

The HP MediaVault m2040 came with a 500 GB drive, to which I added another 500 GB. With some partitions in RAID, the usable space was about 0.8 TB. This was a very decent NAS (especially for the price) when I purchased it. It was “hackable” with a good-sized developer community (led by one of the original MediaVault engineers), and most importantly, it included a Digital Living Network Alliance certification; meaning it could stream music and video to media players on the network (like the PS3 or even Windows Media Player on Vista).

When I made the purchase, I knew eventually that the day would come when it would not be enough. Unfortunately, the honeymood was over quicker than anticipated. The design flaws of the first-generation MediaVault are sizable:

• Due to un-expandable RAM configuration, and the fact that the native partitioning scheme was ReiserFS, the MediaVault can only hold a file allocation table map for about 1.25 TB. Meaning, even if I put two 2TB drives in, it would still only recognize 1.25TB instead of 4TB.
• Due to an underwhelming (300 MHz MIPS) processor, the Gigabit ethernet connection performed very poorly; actually a little worse than Fast Ethernet (100 MB/sec).
• Also due to the processor type (MIPS), the number of ipkg packages (basically server plugins) was low, and it was hard to make new ones.
• Although expandable by using USB hard drives as additional storage, it would never power-down these drives, burning them out much quicker (and being very loud, constantly, when connected).
• Because of the slow networking, the PS3 would randomly display a network error while streaming video. Of my complaints, this is the one I hate most because this is the one I had to see every time I tried to enjoy some video!

I recently was able to save up some money with the intent of purchasing a new NAS. About three weeks ago, I took the plunge and ordered from NewEgg:

• Promise SmartStor NS4600 NAS
• HITACHI Deskstar HD32000 IDK/7K 2TB 7200 RPM SATA 3.0Gb/s 3.5″ Internal Hard Drive (Retail Edition)

This, in short, is a great system. The SmartStor4600 uses less power and has more available drive bays (four) than the MediaVault. It runs quieter, with a variable-speed fan, and it addresses all of my concerns with the MediaVault:

• No hard limit on capacity. I’m using a fast (but not super-fast) 2TB drive in one slot, which is more than twice the capacity of the MediaVault.
• “The snozberries taste like snozberries,” and the Gigabit performs like Gigabit!
• It’s expandable via an official plugin system (currently running a “Downloader” engine (explained later), iTunes streaming server, and the—most essential—DLNA server). I’ve actually written the SmartStor project manager in regards to maybe getting a software development kit. I would like to write a plugin for downloading files from Usenet using NZB files. We’ll see where that goes.
• Spin-down of USB drives is (supposedly) supported (haven’t had a chance to check this one out).
• No errors while streaming HD video to the PS3!

I am in home-entertainment Nirvana.

But I like to fully explore my devices; so recently I’ve been looking for a way to get into the device from a lower level. A port scan revealed telnet running on port 2380, prompting for a password. My experience with NAS devices is that they are usually running an embedded-level Linux called BusyBox, with as few user accounts as possible. This means that most processes are probably running as root.

I started with the built-in web server, which is advertised for being suitable for running your small office intranet. They seem to have thought of this, because even though the lighttpd web service provides a php installation, it has been hardened with the following in the PHP configuration file (php.ini):

disable_functions = phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

This prevents writing a simple php one-liner to reset the root password.

Luckily, there is an easily-exploitable security hole in the NS4600. It is the same hole that was in the predecessor product, the NS4300. Namely, the built-in “Downloader” plugin (a customized version of MLDonkey) can be cajoled to run shell commands on behalf of the root user. It’s actually pretty easy, thanks to work done on the previous model by Ilya Obshadko.

1. Update to the latest firmware.
2. In the Promise Advanced Storage Manager (http://smartstor/admin/), navigate to “File & Print” then “Application Plugins.”
3. Click the “Enable” button on the line for “BT Server.”
4. Navigate to http://smartstor:4080/ to access the MLDonkey web interface. It should say “Welcome to MLDonkey 2.9.1″ in the bottom pane, and have a toolbar pane at the top of the screen.
5. In the top toolbar pane, enter the following commands and press Enter, one at a time:
   1. set allow_any_command true
   2. ! /bin/cp /etc/crontab /VOLUME1/PUBLIC/crontab
   3. ! /bin/cp /etc/sudoers /VOLUME1/PUBLIC/sudoers
   4. ! /bin/cp /etc/telnet.user /VOLUME1/PUBLIC/telnet.user
   5. ! /bin/chmod 777 /VOLUME1/PUBLIC/crontab
   6. ! /bin/chmod 777 /VOLUME1/PUBLIC/sudoers
   7. ! /bin/chmod 777 /VOLUME1/PUBLIC/telnet.user
   8. ! /bin/echo ‘admin ALL=(ALL) NOPASSWD: ALL’ >> /VOLUME1/PUBLIC/sudoers
   9. ! /bin/echo ‘admin’ >> /VOLUME1/PUBLIC/telnet.user
6. Then connect to your SmartStor’s PUBLIC share, and edit the crontab file, removing the line that contains “chkhttpd” in it. (This could probably be made into a awk/sed one-liner, but my regex-fu is not that strong).
7. Returning to the MLDonkey interface, input the following commands to copy the newly-edited config files back to the system locations, overwriting the originals:
   1. ! /bin/cp /VOLUME1/PUBLIC/crontab /etc/
   2. ! /bin/cp /VOLUME1/PUBLIC/sudoers /etc/
   3. ! /bin/cp /VOLUME1/PUBLIC/telnet.user /etc/
8. Fire up trusty old telnet with “telnet smartstor 2380″ at a terminal, wait a few moments, press enter (it’s asking for the root password, which we don’t know—it’s set at the factory, in the firmware), then type in “admin” for the username, and whatever password you use for your admin account (“admin” by default).
9. You should now have a nice shell prompt. Issue “sudo passwd root”, then type a new root password a couple of times—and ta-da!—you’re in like Flynn! Just exit your shell and reconnect as root.

The only bad part about this is that step 7 must be done each time the device reboots, because the crontab is regenerated from firmware on boot. Ilya has written an application plugin for auto-enabling telnet access. Unfortunately, the plugin format is different between the NS4300 and NS4600, so it doesn’t work for me.

By having superuser access to the device secured, I can now work on extending it to do more.