Medion NAS telnet backdoor

Last year I bought at Aldi a NAS device MD86803. Cheap, yet very effective. However, after upgrading to Ubuntu 14.04 I couldn’t copy files over SMB anymore. The transfers are always interrupted at their end. Which invariable ends by “Software caused connection abort”.

It appears I’m far from being the only one with this problem. And it worked with earlier versions of Ubuntu. And it works with other OS and devices too. So I contributed to open source in my way: logging bugs and writing blog entries.

At Ubuntu for Nautilus:

The Nautilus guys told I had to go to Gnome:

To which they created a bug at Samba:

Because the bug seems to be in Samba itself, chances are other Linux distributions are impacted too.

Bottom line: You want to upgrade your Linux and you have a NAS device (eg Medion, IOMega, Zyxel, …) ? First poke it with Zenmap or something comparable. It’ll tell what version of Samba it is using. If it reads something like “3.0.32”, you’d rather wait some more before upgrading !

And now coming to the actual point of this blog entry:

Telnet was temporarily enabled on the device to allow me to gather info for the Samba people. It appears to be not too difficult…

  1. Open your browser and log in with the admin account.
  2. Open a second tab/window on the url: http://host/r36807,/adv,/cgi-bin/remote_help-cgi?type=backdoor. If it worked, the browser screen will be blank. Otherwise you’ll get the login screen.
  3. Open a terminal and type telnet.
  4. The user name is root and the password is the same as for the admin user.
  5. Look (carefully !) around. You’re wielding root’s power. You’d rather not destroy something by accident.

The url of (2) will be different depending on the firmware version. r36807 corresponds to version 1.01(UZD.3). Which is currently the latest release. Other release url’s can be found at http://zyxel.nas-central.org/wiki/Telnet_backdoor. It seems the same trick works with Zyxel branded devices too.

Leave a Reply

Your email address will not be published. Required fields are marked *