Ah, the SanDisk Media Drive: a pocket drive that is a wifi router, media server, and a fairly useful USB device. Sadly, it's also rife with security issues that the average user may not know about...
So our target today: SanDisk Media Drive 64GB running firmware 3.21 (the latest revision as of this writing...)
To begin with, let's go over some already-known facts about this device that have been found by the community:
it has a WIDE OPEN FTP server that can be accessed by anyone either on the same network as the device or connected via wifi directly to it
SSH is locked down, but there is a telnet server ready to go for your terminal.
it runs an embedded Linux environment (BusyBox)
it has its own web interface for management via web browsers.
Now this may not seem like much, but the web portal and the telnet server will handle a large amount of what I needed to do in order to break this device open and get root, along with gathering more useful information to write a custom firmware image for it.
The first attack was to set up the device normally, setting an admin password (or keeping the default: password). Using this, we log into the telnet server with user: admin, password: the admin password from the portal.
Now this will land you in the file system at /var/ftp/storage. You are not chrooted, so you can browse the file system to get a feel for its structure (the important locations are /var/ftp/storage for the local storage and /var/ftp/storage/card for the additional SD card; everything else is partitioned in the protected sector of the flash storage).
Surprisingly, you can cp most files in /var; however, the file I was interested in was shadow. It's not copy-protected from admin, so it went to the local computer for some cracking...
In shadow you will find the following (password hashes are ---'d out, for what little security the device has...):
root:---:0:0:99999:7:::
bin:*:11851:0:99999:7:::
daemon:*:11851:0:99999:7:::
adm:*:11851:0:99999:7:::
lp:*:11851:0:99999:7:::
sync:*:11851:0:99999:7:::
shutdown:*:11851:0:99999:7:::
halt:*:11851:0:99999:7:::
mail:*:11851:0:99999:7:::
news:*:11851:0:99999:7:::
uucp:*:11851:0:99999:7:::
operator:*:11851:0:99999:7:::
games:*:11851:0:99999:7:::
gopher:*:11851:0:99999:7:::
ftp:*:11851:0:99999:7:::
nobody:*:11851:0:99999:7:::
sshd:!!:11851:0:99999:7:::
mailnull:!!:11851:0:99999:7:::
xfs:!!:11851:0:99999:7:::
ntp:!!:11851:0:99999:7:::
rpc:!!:11851:0:99999:7:::
gdm:!!:11851:0:99999:7:::
rpcuser:!!:11851:0:99999:7:::
nfsnobody:!!:11851:0:99999:7:::
nscd:!!:11851:0:99999:7:::
ident:!!:11851:0:99999:7:::
radvd:!!:11851:0:99999:7:::
postgres:!!:11851:0:99999:7:::
apache:!!:11851:0:99999:7:::
squid:!!:11851:0:99999:7:::
named:!!:11851:0:99999:7:::
pcap:!!:11851:0:99999:7:::
amanda:!!:11851:0:99999:7:::
junkbust:!!:11851:0:99999:7:::
mailman:!!:11851:0:99999:7:::
mysql:!!:11851:0:99999:7:::
ldap:!!:11851:0:99999:7:::
pvm:!!:11851:0:99999:7:::
user:---.:11851:0:99999:7:::
messagebus:!:15:0:99999:7:::
haldaemon:!:15:0:99999:7:::
admin:---:0:0:99999:7:::
guest:---.:15744:0:99999:7:::
Gave this file to john to crack open, which took 12 min to crack root....
My root password was 7 characters (standard alphanumeric, nothing special).
An interesting fact: the admin password is truncated to 8 characters, so if you know the first 8, you can log in.
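For anyone reviewing a shadow dump like the one above on their own device, here is an added example (my code, not from the original post or from SanDisk) that parses /etc/shadow-format text and flags what the post describes: accounts whose hash is a legacy DES-style crypt(3) string (13 characters, no `$` prefix), which is the scheme that only uses the first 8 characters of a password and is my assumption for why the admin password is truncated at 8, since the real hashes are redacted above; obsolete md5crypt; empty passwords; passwords that never expire (max age 99999); and identical hash strings shared between accounts, which means the same salt and the same password. The SAMPLE_SHADOW lines are constructed with fake hashes and are not taken from the device.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in /etc/shadow format; the hash strings are fake placeholders,
# not hashes from any real device.
# Field order: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:Ab3dEf9hIjKlM:0:0:99999:7:::
bin:*:11851:0:99999:7:::
sshd:!!:11851:0:99999:7:::
admin:Ab3dEf9hIjKlM:0:0:99999:7:::
guest:$6$saltsalt$fakesha512digestfakesha512digest:15744:0:99999:7:::
svc:$1$salt$fakemd5digestxx:15744:0:90:7:::
"""

# Modular-crypt prefixes and the scheme they identify.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Schemes that should not be used for new passwords.
WEAK_SCHEMES = {"descrypt", "md5crypt"}
NEVER_EXPIRES = 99999  # shadow(5) convention for "no maximum password age"


def classify_hash(h: str) -> str:
    """Return the hash scheme name, or 'locked' / 'empty' / 'unknown'."""
    if h == "":
        return "empty"
    if h == "*" or h.startswith("!"):
        # '*' and '!'-prefixed fields can never match a typed password.
        return "locked"
    for prefix, scheme in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return scheme
    # Traditional DES crypt(3): 2-char salt + 11-char hash, no '$' prefix.
    # It uses only the first 8 characters of the password.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"
    return "unknown"


def parse_shadow(text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (name, hash, max_age) for each non-empty, non-comment line."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, h, _last, _min, max_age = fields[:5]
        rows.append((name, h, int(max_age) if max_age else None))
    return rows


def audit(text: str) -> Dict[str, List[str]]:
    """Map each account with at least one problem to its list of issue codes."""
    issues: Dict[str, List[str]] = {}
    by_hash: Dict[str, List[str]] = {}

    def flag(name: str, code: str) -> None:
        issues.setdefault(name, []).append(code)

    for name, h, max_age in parse_shadow(text):
        scheme = classify_hash(h)
        if scheme == "locked":
            continue  # nothing to log in with, skip
        if scheme == "empty":
            flag(name, "empty-password")
        elif scheme == "unknown":
            flag(name, "unknown-hash")
        elif scheme in WEAK_SCHEMES:
            flag(name, scheme)
        if max_age is None or max_age >= NEVER_EXPIRES:
            flag(name, "never-expires")
        if scheme != "empty":
            by_hash.setdefault(h, []).append(name)

    # An identical hash string means the same salt and the same password.
    for names in by_hash.values():
        if len(names) > 1:
            for name in names:
                flag(name, "shared-hash")
    return issues


if __name__ == "__main__":
    for account, codes in sorted(audit(SAMPLE_SHADOW).items()):
        print(f"{account}: {', '.join(codes)}")
```

On the constructed sample, root and admin come back as descrypt, never-expires and shared-hash, while the locked system accounts produce nothing. Running it against a real shadow file only needs `audit(open("/path/to/shadow").read())`; the DES check is a heuristic on the string shape, so treat an "unknown-hash" result as something to look at by hand rather than as a pass.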
Now for some juicy info...
It has a single-core Freescale i.MX502 capable of running at 200MHz
has LPDDR1 RAM totaling 128MB
uses a WG7311-2A wifi chipset
FTP server: pure-ftpd V1.0.36-20121015
UPnP: miniupnpd V1.6.20120406
uses U-Boot V1.2.5 for installing and updating firmware.
web server is Nimbus V1.1.8
Now for the holes I found:
FTP is wide open: no password to log in and no SFTP. Be careful with your files.
In /nimbus, settings.db is a SQLite database with... the password, password hint, and answer in CLEARTEXT.
root is a standard 7 characters long. A brute-force attack takes a few minutes, but is possible and easy.
They may have gone with a universal root password; both drives I have have the SAME root password.
You can reflash the device with alternate firmware from the app by simply placing the update img in the FTP base directory and running the updater from the app (it will naturally remove the set file, so a user may not know what has happened).
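The settings.db finding above is the classic "store the secret itself" mistake. As an added example (my code, not the post's and not the device's real schema, whose table names and columns I don't know), here is the weak pattern next to the hardened one in a throwaway in-memory SQLite database: the weak table keeps the value as typed, so anyone who can copy the file over the open FTP server reads it; the hardened table keeps only a random salt plus a PBKDF2-HMAC-SHA256 digest and verifies a candidate in constant time. The same routine covers the recovery answer, which is a second password and deserves the same protection. Table names, key names and the sample values are constructed.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, Optional

# Constructed example: these table layouts are invented, not the device's settings.db schema.
PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; lower only for tests
TABLES = ("settings_weak", "settings_secret")  # allow-list for the leak check below


def store_cleartext(conn: sqlite3.Connection, key: str, secret: str) -> None:
    """The weak pattern: the secret itself lands in the database row."""
    conn.execute("CREATE TABLE IF NOT EXISTS settings_weak (key TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT OR REPLACE INTO settings_weak VALUES (?, ?)", (key, secret))


def read_cleartext(conn: sqlite3.Connection, key: str) -> Optional[str]:
    row = conn.execute("SELECT value FROM settings_weak WHERE key = ?", (key,)).fetchone()
    return None if row is None else row[0]


def store_secret(conn: sqlite3.Connection, key: str, secret: str,
                 iterations: int = PBKDF2_ITERATIONS) -> None:
    """Hardened pattern: keep a random salt and a slow salted hash, never the secret."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS settings_secret "
        "(key TEXT PRIMARY KEY, salt BLOB, iterations INTEGER, digest BLOB)"
    )
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    conn.execute("INSERT OR REPLACE INTO settings_secret VALUES (?, ?, ?, ?)",
                 (key, salt, iterations, digest))


def verify_secret(conn: sqlite3.Connection, key: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, iterations, digest FROM settings_secret WHERE key = ?", (key,)
    ).fetchone()
    if row is None:
        return False
    salt, iterations, digest = row
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def secret_visible_in_db(conn: sqlite3.Connection, table: str, secret: str) -> bool:
    """Would someone holding a copy of the db file see the literal secret in this table?"""
    if table not in TABLES:
        raise ValueError(f"unexpected table {table!r}")
    needle = secret.encode("utf-8")
    for row in conn.execute(f"SELECT * FROM {table}"):  # table name is allow-listed above
        for col in row:
            blob = col if isinstance(col, bytes) else str(col).encode("utf-8")
            if needle in blob:
                return True
    return False


def demo(iterations: int = PBKDF2_ITERATIONS) -> Dict[str, bool]:
    """Build both tables in memory and report what each one leaks and verifies."""
    conn = sqlite3.connect(":memory:")
    store_cleartext(conn, "admin_password", "hunter2")          # constructed sample values
    store_secret(conn, "admin_password", "hunter2", iterations)
    store_secret(conn, "recovery_answer", "fluffy", iterations)
    return {
        "weak_leaks": secret_visible_in_db(conn, "settings_weak", "hunter2"),
        "hardened_leaks": secret_visible_in_db(conn, "settings_secret", "hunter2"),
        "correct_password": verify_secret(conn, "admin_password", "hunter2"),
        "wrong_password": verify_secret(conn, "admin_password", "hunter3"),
        "correct_answer": verify_secret(conn, "recovery_answer", "fluffy"),
        "unknown_key": verify_secret(conn, "no_such_key", "x"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the leak check is that a copied settings.db only helps an attacker if the rows contain something they can use directly; with the hardened table they get a salt and a digest that still have to be brute-forced at the configured work factor. The iteration count is stored alongside the digest so it can be raised later without breaking verification of existing rows.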
Now for some hackability and modding stats I'm after:
it uses U-Boot to manage all the updates.
it has a built-in hard-set firmware. If a flash fails, it will reset to that image.
webroot is /nimbus
the base OS is BusyBox modified by SanDisk