Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

NAS Reviews

Under the Covers

Figure 22 shows the main board of the ix2.

Main Board
Click to enlarge image

Figure 2: ix2 Main Board

As you can see, it's pretty sparse. Most of the functionality is provided by Marvell's 88F5182 "Orion" Network Storage Processor. The two Hynix chips at the top are the 128 MB of RAM and the Spansion device on the right provides 4 MB of flash. You can't see the Ethernet chip, but if it's like all other Orion-based NASes, it's a Marvell 88E1118.

As usual, I always try to get command-line access to find out more about what makes a NAS tick. In my review of Iomega's original StorCenter Terabyte, I found that I could exploit a bug to easily share the top-level operating system directory using the web interface. Once the OS was shared, I created a startup script to fire off a telnet daemon allowing me to log in as root. Very easy.

This time, I started down the same path, but I found that Iomega had tightened up their interface quite a bit. Attempts to share anything other than the standard directories were properly caught and rejected. And since the interface was encrypted using HTTPS, I couldn't use an argument-modifying HTTP proxy to make arbitrary changes to the passed-in arguments.

Another exploit I often try is injecting shell commands using the email address specified in the alert form. I tried this and my attempts were once again caught and rejected. What to do?

One possible vulnerability I noticed during my testing was the new "search" capability. I suspected that whatever search term I put in the form would eventually be passed to a shell script on the system to do the actual work. If the search input was not properly processed to remove characters that should not be found in search terms, then it might be possible to submit Linux commands to the search function and have them processed by Linux.

Long story, short, I found that the ix2 did, in fact, have this vulnerability. Not only was I able to submit commands, but could have them reference a script that I stored on an ix2 share. By modifying the script, I was able to find daemons for both SSH and Telnet, enable a commented-out startup script for SSH, create a new privileged user, reboot, and get Linux shell root access that was persistent across reboots. (Figure 20)

Logging in to the ix2

Figure 20: Logging in to the ix2

When logged in, I found a standard embedded Linux system with 128 MB of RAM, running version 2.6.22.7 of the kernel and using common Linux apps such as busybox for utilities and Samba for file sharing. UPnP AV support was being supplied by a Twonkyvision server.

To determine how the ix2 was sending email with no SMTP server specification, I checked out the system log and saw a reference to a commercial SMTP service, authsmtp.com. Looking around for drivers, I saw support for a number of different filesystems such as xfs, ext2, FAT, etc.

Since there is a lot of GPL software in use on the ix2, Iomega should be supplying source code as required by the license. I couldn't find source to the ix2 on Iomega's web site or on the included CD. But they do have source posted for their other products, so I assume they'll make it available soon.

Since the search capability I used to hack the box is available to anyone on the network, anyone could perform the same operation without even logging in. And it would be easy to cause mischief by formatting a URL that embedded a command to do a reboot, reformat, re-initialize, password change, etc.

So I thought it only fair to report the vulnerability to Iomega before posting this review. Iomega responded quickly and has posted Version 1.1.18.37694 firmware that closes the hole.

Closing thoughts

The ix2 isn't a bad little NAS and has some unique capabilities that I haven't seen previously, most notably Bluetooth connectivity and IP camera management. And as with the original StorCenter, its price is one of the main draws. At the current low price of $422, it beats out the Maxtor Central Axis Business Edition by $60 and has a better feature set, RAID recovery and write performance, too.

The ix2 did much better than its predecessor with failure-recovery after a disk fail. But it's unfortunate that Iomega doesn't support user replacement of failed drives or at least doesn't void your warranty if you open the box to attempt data recovery before shipping it back to Iomega.

If you're looking for more features and performance and don't mind paying more, my picks would be the Qnap TS-209 or the Netgear ReadyNAS Duo. But if you're on a tight budget, can live without fancier features, are ok with mid-teen MB/s performance and want a lot of storage for the buck, then you might consider the ix2.

More NAS

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Hi!I'm owner of RT-AC3100m using a asuswrt-merlin firmware (384.17) with Entware installed on WD 1TB USB3 HDD. On router I have installed ruTorrent 3....
I recently installed an RT-AC86U (following recommendations in another thread) and it has been working great. Except... a few times in the last couple...
Is the RT-ACRH17 still being supported with firmware updates? It's been over a year since the last update and I'm wondering if this is a dead product....
I was having problems with my RT-AC3100 after four years and decided to bite the bullet and purchase a new RT-AX88U. After unwrapping and plugging int...
Hi togetherI had a working setup with my RT-AC86U to connect through OpenVPN to my network to reach clients connected to the router.Now I had to reset...

Don't Miss These

  • 1
  • 2
  • 3