-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Advisory

Default Root Password in Infrant (now Netgear) ReadyNAS "RAIDiator"

Release Date:

August 13, 2007

Authors:
Brian Chapados <brian@chapados.org>
Felix Domke <tmbinc@elitedvb.net>

Timeline:
Jul 25, 2007 - discovery
Jul 29, 2007 - vendor notification
Aug 6, 2007 - vendor releases fix (ToggleSSH)
Aug 8, 2007 - vendor releases "advisory" [1]
Aug 13, 2007 - public release of this advisory

Severity:
Critical (Remote Root)

Vendor:
Infrant (now Netgear)

Systems Affected:

ReadyNAS devices with RAIDiator 3.01c1-p1, 3.01c1-p6, possibly more

Systems Not Affected:
ReadyNAS devices with RAIDiator 4.0, which disables the SSH-daemon
by default, and lets you change the root password when enabling it.

Overview:
The ReadyNAS is a Network-Attached-Storage (NAS) device based on Linux
2.4.20 and debian-sparc with a custom frontend for management. Out of
the box, the user cannot log in into a shell on the device. There are
two enabled users, one called "admin" (with the default password
"infrant1", which is documented), and another one, "root", which is not
documented. The user "admin" does not have a shell assigned, so it
cannot log in interactively. It is used only for the web frontend.

The root password is generated on each boot with a hardcoded algorithm,
using a hash of the unique Ethernet MAC-address, the software version
number and a shared secret. The root password cannot be changed
permanently, it will be "restored" after each bootup.

The secure shell daemon (sshd) is enabled by default, and cannot be
disabled. The vendor states that this is required to be enabled for fix
problems remotely, in case the user lost its web password, and that
it is not a security risk because the user must first forward access to
port 22 on his router[2]. The latter of course is only true if a.) the
attacker comes from the internet, and b.) the NAS is behind a NAT router.

Technical details:

The ReadyNAS-devices employs a proprietary embedded SoC design, based on
the Infrant NSP IT3107, which is based on a Leon SPARC processor design.
The device boots from its internal flash. The Linux kernel and
initrd-image is contained in flash (and also downloadable from the
Infrant website in order to upgrade devices), but are encrypted with an
on-chip 3DES-based encryption algorithm. Without knowing this key, or
having access to the device, it's not possible to change the initrd image.

The initrd image will look for installed harddisks, and initialize them.
If an uninitialized harddisk is found, it will be added to the RAID
array, and a part of the harddisk will be used for a root filesystem,
which is initialized from a tarball stored in flash.

After the rootfs has been mounted, some consistency checks are done, and
several important configuration files will be "backed up" from encrypted
versions. That means that it's not possible to change arbitrary files,
for examples by mounting a harddrive externally, because they will be
replaced by their backup version on the next boot. The backup files are
encrypted, so they cannot be changed without being able to encrypt these
files.

A part of the /linuxrc file from the initrd image, which is executed
first on bootup, is:

- -------------
  SEED1=`/sysroot/sbin/ifconfig eth0|grep HWaddr|sed -e 's/.*HWaddr //'
- -e 's/ //g'`
  SEED2=`cut -f2 -d= /sysroot/etc/raidiator_version |cut -f1 -d,`
[*EDIT*: removed SEED3 as friendly requested by vendor]
  echo "root:`echo \"$SEED1 $SEED2 $SEED3\" | md5sum | cut -f1 -d' '`" |
chpasswd
  # TAKE ME OUT!!
  [ -s /sysroot/.os_passwd ] && echo "root:`/sysroot/usr/bin/head -1
/sysroot/.os_passwd`" | chpasswd
  ###############
  /sysroot/bin/mv /etc/passwd /sysroot/etc/passwd 2>$ERR
  rm -rf /sysroot/etc/hosts_equiv /sysroot/root/.rhosts
/sysroot/root/.ssh/* 2>$ERR
- -------------

This means that the root password will be initialized with the md5sum of
the following components:

a.) MAC address, as extracted from ifconfig,
b.) the software version number, read from /etc/raidiator_version,
c.) a shared secret string contained in SEED3.

Even if the root password is unique per device (due to the MAC address
being part of the hash), it cannot be considered as secret. First, if
the NAS device is on the local LAN, one can easily query the MAC address
with an ARP request. Second, the default hostname, which is also
displayed in the https-based interface (even for non-authorized users),
is "nas-xx-yy-zz" where xx,yy,zz are the last 3 octets of the MAC address.

Finally, the software revision can be easily determined using a
brute-force approach.

Knowing this, an attacker can login into remote ReadyNAS devices, and
access all data on the system.

Vendor Status:
After contact with the vendor, the vendor released a fix in less than a
week, together with the beta of RAIDiator 4.0, which allows a user
to enable root access with a changable password.
The vendor also released an advisory [1].

Recommendation:

Use the 'ToggleSSH'-addon released by the vendor to disable SSH access.

[1] http://www.infrant.com/forum/viewtopic.php?t=12313
[2] http://www.infrant.com/forum/viewtopic.php?t=3366&start=30
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFGwFQKNPfnQ8mzczcRAvvIAKCWLq4ohG1NpM8XjfhunMhf42jB9gCghkRw
NoTv1BvrOpj9XjarC2/VR1Q=
=I+rQ
-----END PGP SIGNATURE-----