Hacking the LaCie ‘Big Disk’ Ethernet Disk

Background

Our choice was a clearance sale example of a 1 TB LaCie Ethernet Big Disk, with Gigabit Ethernet & USB 2.0 connectivity. There is also a US link for the LaCie Ethernet Big Disk.

Status

I attached the primary drive (based on a guess, I used the drive partly covered by the PCB circuit board) to my PC and fired up OpenSUSE 10.3. Using the curses version of YaST, I went into System –> Partitioner. This showed the following:

│Device   │    Size    │ F │Type          │ Mount ...
│/dev/sdc │    465.7 GB│   │ST3500630AS   │
│/dev/sdc1│    980.5 MB│   │Extended      │
│/dev/sdc2│    464.8 GB│   │Linux native  │
│/dev/sdc5│    125.4 MB│   │Linux swap    │
│/dev/sdc6│      7.8 MB│   │Linux native  │
│/dev/sdc7│      7.8 MB│   │Linux native  │
│/dev/sdc8│    125.4 MB│   │Linux native  │
│/dev/sdc9│    713.7 MB│   │Linux native  │

So now I need to have a look at these partitions…

mybox:/ # mkdir /drivec
mybox:/ # mount -a -r /dev/sdc2 /drivec
mount: unknown filesystem type ‘linux_raid_member’
…..
mybox:/ # mount -a -r /dev/sdc8 /drivec
mybox:/ # cd /drivec
mybox:/drivec # ls
bin boot dev etc home lib linuxrc lost+found mnt opt proc root sbin shutdown sys tmp usr var www
mybox:/drivec # cd www
mybox:/drivec/www # ls
cgi-bin css images index.html javascripts private shares
mybox:/drivec/www #

By the way, /dev/sdc9 contained a bunch of connectivity-related stuff in a directory called EDMINI: USB, DHCP lease data, etc.

As for what we can do with these partitions, they have over 640 MB available between them….

mybox:/ # df -k|grep sdc
/dev/sdc8 122 79 38 68% /drivec
/dev/sdc9 703 73 595 11% /drived



Before I put everything back together again, I’ve created a new script. This script gives you access as the user running the web server (i.e. root) by executing whatever is passed in the query string. Normally, this would expose your device and all data on it to anyone who can reach its IP address. However, the LaCie ‘Big Disk’ Ethernet Disk already password-protects the cgi-bin/admin directory, so this is where you should store this, or any other scripts you create.

By the way, this is the script:

#!/bin/sh

echo "Content-type: text/plain"
echo ""
eval $QUERY_STRING


A simple non-destructive example of what you can run is:

http://192.168.1.33/cgi-bin/admin/exploit?whoami; ls -la
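For comparison, a hardened alternative to the eval script above, added here as an example and not part of the original post: it only compares the query string against a fixed list of action names and runs a fixed command for each, so request text is never evaluated. The action names (whoami, disk, uptime) and the function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: allowlisted diagnostic CGI, a replacement for
# "eval $QUERY_STRING". Action names below are illustrative assumptions.

LC_ALL=C; export LC_ALL   # make the a-z range below mean ASCII only

# Return 0 only if the argument is one short token of a-z and "_".
valid_action() {
    case "$1" in
        ''|*[!a-z_]*) return 1 ;;   # empty, or any other character
    esac
    [ "${#1}" -le 16 ]
}

# Run the fixed command for an action name. The request text is only
# compared against literals; it is never evaluated or handed to a shell.
run_action() {
    valid_action "$1" || { echo "rejected: malformed action"; return 2; }
    case "$1" in
        whoami) id -un ;;
        disk)   df -k ;;
        uptime) uptime ;;
        *)      echo "rejected: unknown action"; return 3 ;;
    esac
}

# CGI entry point: only runs when the web server has set REQUEST_METHOD.
if [ -n "${REQUEST_METHOD:-}" ]; then
    echo "Content-type: text/plain"
    echo ""
    run_action "${QUERY_STRING:-}"
fi
```

With this in place, the query string from the example URL above is rejected as malformed because it contains a semicolon and spaces.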




Useful Links

How to get full access to your LaCie Ethernet Disk Mini

Installing Debian on a LaCie Ethernet Disk mini

LaCie Ethernet Disk Mini Firmware Rollback



Note that both of the following entries refer to the LaCie Ethernet Disk 2Tb which runs Windows XP embedded. These are included for the sake of completeness.

Re-purposing the LaCie Ethernet Disk

More on the LaCie Ethernet Disk



Notes on oplocks, which are implemented in Samba, the open source re-implementation of SMB/CIFS used by all Linux-based NASes.

NAS Tutorial: Oplocks and NASes
