Under The Covers
Figure 16 shows the motherboard of the 150d.
Figure 16: Main Board
Iomega specifies the processor of the 150d as being a Freescale 8347 running at 400MHz with 128MB of RAM using a Vitesee 8201 chip for Ethernet. The SATA support is provided by a Silicon Image 3114 chip, and the USB support is provided by SMSC 2504 controller.
Internally, Iomega specs that the box runs a Linux 2.6.13 kernel, and also provides GPL source code on the installation CD. But I wanted to poke around a bit to see how the box was internally organized, so I started looking for a way to get visibility into the operating system.
To bypass this, I redirected my browser to my own HTTP proxy that let me edit all parameters sent to the box. Using this technique, I specified the directory shown in Figure 17, which exported the very top level of the operating system directory.
Figure 17: Hacked Share Name
Now I could mount this new share and roam around the operating system tree viewing boot scripts, binaries, the password file, etc. This showed me typical components such as Busybox for utilities, Samba for Windows sharing, vsftp for ftp support, etc. But I wasn't able to view everything because I only had the privilege of a standard user.
To elevate my privilege, I needed to look further. Another common error developers make is insufficient validation of data entered into a form. Iomega made this mistake when processing the input entered into the Email Alert form. I found that by using "back ticks" I could embed an arbitrary command into the email address and Iomega would dutifully pass this on to a command shell. Also, when I executed a command to list all of the running processes, I found that this command was executed as the "root" user, another "No-No" for developers (Figure 18).
Figure 18: Running my command as root
Game over. Now I could change the password file to give my user root privileges, execute my own scripts, edit any file, etc. Note that in order to do what I did, I needed to have the administrator password to start with, so this is not a wide-open vulnerability. But also remember that administration has to be done over an insecure HTTP connection instead of a secure HTTPS connection, so the administrator password could be exposed to a determined local user.
I found the 150d to be a powerful NAS, with decent performance. The user interface is well designed and the RAID modes provide a measure of protection against disk failure. The USB ports give the ability to expand storage and also to share a printer to the network.
This feature set is fairly completeas long as you're not looking for media servingbut not as extensive as some competing products such as the Infrant ReadyNAS NV. The fact that it supports Linux, Apple and Microsoft network file systems is a plus, as is its Active Directory support.
Overall, I would recommend the 150d if you're a small business administrator looking for a cost-effective way to add controlled storage to a heterogeneous network.