DSM-G600, DNS-3xx and NSA-220 Hack Forum

jdoering wrote:

Some of the excuses for not expecting security from "low-end" devices are interesting; imagine if Vista Home Basic had an identified security bug that allowed access to any file on the system from within a LAN and MSFT didn't issue a hotfix within a few days. After all Vista Home Basic costs less that $100 dollars... most home users probably don't mind sharing all of their files within their LAN anyway; right?

High-end devices are expected to have fancy and robust features; but even low-end devices need to achieve some basic level of functionality - particularly in the area of security. With a hole like this one all of the user permission features of the DNS-323 are worthless since it doesn't actually provide user-level security at all. FTP at least can be disabled via supported mechanisms. A security bug like this should either warrant a very fast patch or a revocation of the impacted firmware version until a fixed version can be released.

-Jeff

Actually - if you get out there and take a look at what prevails you just might be in for an unpleasant surprise.

In my experience (which really does not include Vista), the average home user doesn't even have the system configured to require a sign-in (it assumes the same user every time) and passwords are considered more of a hindrance than anything else - so the average home user really does not mind sharing all of their files within their LAN - outside of the LAN is something else.

This is also quite common in small business, especially those where a work station is doing double duty as a server, and I've even found some small businesses with servers running MS Small Business Server 2003 where all users have administrative rights and know one another's passwords - I hasten to point out that this last is not through ignorance, but by choice, since in one of these cases, I set the server up myself and had it locked down and only the firm's senior partner had administrative access.

I've even seen large business with NT4 (back when NT4 was topdog) with the server administrator password at password, and an IBM AS400 system where the user's passwords all took the form of user:<name>, password:<eman> (which is something that IBM used to teach in the operator training at the time)

No - my friend - in the world of home and small business networks, security is primarily physical - and even when the system is capable of providing greater security, it is typically not utilized.

Last thing - don't forget - there's nothing to stop anyone with physical access from removing a drive and installing it elsewhere and plundering the treasure contained therein - unless you expect it to be in a locked rack cabinet, in a locked server room as well.

Last edited by fordem (2008-06-03 15:52:21)

bq041 wrote:

There is also one major flaw in your continues comparisons with Miscrosoft and the DNS.  The DNS is designed intentionally to be a server to allow others access to its files, and windows is designed as a client application, which intentionally disallows remote access to its files (with small exception).

I actuallly agree with 'fordem', he is perfectly right in his conclusion. DNS is not intended to be a secure server by any means. It is NAS which stands for Network Attached Storage. Server capabilities are a bonus to differentiate DNS-323 from competition. In other words, the ability to "hack" into DNS-323 doesn't necessarly mean it is was intended to be a secure sever.

-- Andrey

I don't see why there is still discussion about this. Being able to access all files on your DNS-323/CH3SNAS through a web browser without the option to restrict access to certain files/directories is a huge security hole which - no matter how 'accessible' the device is - needs to be fixed.

It took me less than 5 minutes to write a mail  to Conceptronic to inform them about the issue and I'm confident that they're looking into it.
I'll poke them some more if no results are seen in future firmware updates, until they do provide some sort of solution.

I agree - there's no need to discuss it.

If you have a LAN environment which includes hacker wannabees and need bulletproof security then this is not the device for you - there are many more secure devices to choose from and all with a considerably higher price tag.  This on the other hand was designed for a low security environment and priced accordingly.

It's your data, it's your money - it's your choice.

Be careful what you ask for.  They may make it so secure you won't be able to fun_plug any more.  (   That truly would be no fun!

Cheers!
bspvette86

Yes, fordem is correct.

fordem wrote:

Talk about an oxymoron - a secure backdoor for authorized users

Fordem,
Just because it's an "undocumented feature" doesn't make it a back door.  And since when have back doors been a security risk anyway???? 

Cheers!
bspvette

I should have said "undocumented feature"; but I believe that my intent in the original statement was clear anyway.

fordem wrote:

Look again buddy - I'm not the one calling it a backdoor,

For what it's worth - the very term backdoor implies unauthorized access, which in turn implies a security violation - hence my calling the previous poster's statement an oxymoron.

Fordem,
I think you missed my wink....  Maybe I should have used [sarcasm]  [/sarcasm] and lol as well.

CHEERS!
bspvette

PS: I wasn't joking about them getting the idea to remove fun_plug to secure the device.

Last edited by bspvette86 (2008-06-05 02:59:55)

A security hole is a security hole is a security hole. Which needs to be fixed.

I don't see the relevance of price in this case of a security hole being revealed. When buying a device - any device - with a built-in web-server I don't expect it to provide access to all files on it by default. I just wouldn't think of the possibility that someone would (pre)configure a device like that.
Even if so, the manufacturer should inform you about this and also provide some means (configuration file) to enable restrictions.
D-Link never told us that the NAS behaves like this, now it has to take responsibility for it.

No, I wouldn't have bought the DNS-323 for 1000 bucks. But I wouldn't have bought any other device for that kind of money either. Such a product would provide more features than I (currently) need.

(PS: If I'm not mistaken the manual even tells you that you can put your own website in the /web share in order to use the device as a web server. Which in turn could mean that you can provide access from outside your LAN. Now the security hole is exposed to the outside).


Just to put an end to this, I encourage anyone here who owns such a device and can spare 3 minutes to write an e-mail to either D-Link or Conceptronic. The more people inform them about this, the higher priority it will hopefully get.

Do your research - present your arguement from a position of knowledge - Windows Storage Server (WSS) will give you a lot less features for a lot more money, in fact, the only features that WSS has over the DNS-323 is security. in that it will integrate seamlessly in a Windows AD domain - no DHCP servers, no DNS servers, no web servers, no domain controllers, no print servers - and that will cost you quite a bit more than a 1000 - not that you care, you're not buying it - you want the security, but you're not prepared to pay for it.

Now - I'm quite sure there are other products priced in between these two that offer more security than the DNS- 323 (and possibly more features) for less than the cost of a WSS solution - which by the way is a hardware/software package only available from the likes of Dell, Gateway, HP/Compaq, IBM, IOmega, Maxtor - but you don't care you're not buying it - you want the security, but you're not prepared to pay for it.

One of the cost factors that pushes the price of a WSS solution up is the OS (IBM used to offer a WSS based on their xSeries 206 hardware, and the hardware itself retails at less than $1000) which forces the low end solutions to go open source - you want the security, you've got access to the source code, add it yourself, that's what open source is about.

So you see - you - like the original poster are standing on your soapbox preaching, without taking the time or doing the due diligence of researching the marketplace and finding out exactly what your dollar will buy you - he didn't see why he should "do their job", he went so far as to state it was software and could be a billion times more secure with no additional cost - well even software has an additional cost, as either one of you will find out if you attempt to fix it yourself.

As I have been saying from jump street, the security is available, you have to make the choice to pay for it.

By the way - unless you have a different manual to the one I have, there is no mention of hosting your own website on the DNS-323, so I think you are mistaken.

Oh - on a security hole is a security hole is a security hole .....

Consider this - anyone with physical access to the DNS-323 has complete access to your data - so that too, is a security hole.

Everyone needs to stop and take a step back for a moment.  You are preaching from a priveliged standpoint.  For most users, this is secure. 

You and I are all hackers.  We are doing things and finding out things about it by intentionally going after weakpoints and using it for purposes not intended.  The DNS has been around for years, but it takes until 2008 for a group of hackers to discover this??!!  That means to the average person at home and their kids should take about 10 years to discover that they can do this, if they ever do at all.  If the fun_plug was not part of this unit, I bet you would never have figured out the URL issue. 

Why?  Probably because it would not have been worth your time to play with it.  Welcome to the 99% of the world.

bspvette86 wrote:

This is ideal for an office environment with employee-specific sensitive data or for the home where you can ensure your children will only have access to age appropriate material.

Come on, this statement is true.  If these people's kids are that good to be hacking this and trying out URL's of specific known file, or even trying to run commands from in JS, then there are much bigger things at stake than the data on the drive.  Same goes for the office.

No security is perfect, but for the group of users that this was marketed to, the security is adequate.

Now the next point.  Quit complaining about it.  Fix it, turn it off, throw it away, ignore it, I don't care what you do about it, but quit complaining.  You informed D-Link and Comptronics, what? A few days ago?  ...and you expect it to be fixed last week.  That's a little unrealistic.  Wait until they tell you they aren't going to do anything about it, then complain.

SilentException wrote:

what i don't understand a bit is why the certain members here act like they do not want these holes to be fixed?
you want insecure device, you have one. i really don't understand why the thread grew into this.

You are right. This whole discussion is getting boring. SECURITY HOLE IS A SECURITY HOLE. It should be fixed as fast as possible. It doesn't matter how much DNS-323 costed. For me it was expensive (+ european price is much higher than US). I didn't pay my hard earned money for the security illusion. Besides I wouldn't be surprised if all D-Link NAS line (DNS-313, DNS-321, DNS-343) had exactly the same problems (and that would be a total D-Link compromitation).

Last edited by Naoki (2008-06-05 12:35:07)