Bugtraq mailing list archives

Trivial root compromise in Gateway GS-400 NAS Servers


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Wed, 14 Aug 2002 14:38:55 -0400

Overview:
The Gateway GS-400 server is an IDE software RAID machine backed by a customized Linux distribution.  The system is 
managed by a web-based management console running under an "admin" user context.  

Problem:
The GS-400 servers are shipped with a vendor default root password of "0001n".  Gateway stated that this was a vendor 
default, and that the end user has no way to change the password via provided administrative utilities.  I have been 
unable to verify that this password did indeed ship on other Gateway NAS machines.  However, the password file is 
un-shadowed, and if this is not the only password shipped, but only an example of the password strength used, cracking 
the password should be trivial (5^36).  The Linux back-end of the GS-400 NAS software is accessible by telnetting to 
the server on port 1023.

Vendor response:
Gateway stated that a letter has been sent to all owners of GS-400 servers providing customers with the opportunity to 
return them.  Gateway has also stated that the GS-400 servers are completely unsupported, and that they would not 
release an official advisory or security workaround.  Gateway stated that telnetting to the machine and logging in 
voids warranty.  Thus, by logging in, su-ing to root, and changing the password, your warranty is voided.


The views and information submitted here are entirely my own, and are not those of my employer.

Keith T. Morgan
Part Time Motorcycle Road-Racer
keith.morgan () terradon com
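
The post above notes that the appliance's password file is un-shadowed. As an added example (not part of the original post), the following Python audits a copy of a passwd-format file and reports accounts whose hash sits in the world-readable file or that have no password at all. The function names and the sample entries are constructed for illustration; the hashes are placeholders, not values from the device.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $id$salt$hash (for example $1$ is MD5-crypt).
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$")


def classify_password_field(field):
    """Return how the second field of a passwd entry stores the password."""
    if field == "":
        return "empty"            # no password required at all
    if field == "x":
        return "shadowed"         # hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"           # cannot match any crypt() output
    if DES_CRYPT.match(field):
        return "inline-des"       # world-readable DES crypt hash
    if MODULAR_CRYPT.match(field):
        return "inline-modular"   # world-readable $id$ hash
    return "unknown"


def audit_passwd(text):
    """Return (user, uid, status) for entries that are neither shadowed nor locked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((f"<line {lineno}>", None, "malformed"))
            continue
        user, field, uid = parts[0], parts[1], parts[2]
        status = classify_password_field(field)
        if status not in ("shadowed", "locked"):
            findings.append((user, int(uid) if uid.isdigit() else None, status))
    return findings


# Constructed sample input; hashes are placeholders.
SAMPLE = """\
root:abCdEfGhIjKlM:0:0:root:/root:/bin/sh
admin:$1$saltsalt$0123456789abcdefghijkl:500:500::/home/admin:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
guest::501:501::/home/guest:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
"""
```

Any finding with UID 0 deserves attention first, since that account's hash is readable by every local user.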

