Router Charts

Router Charts

Router Ranker

Router Ranker

Router Chooser

Router Chooser

NAS Charts

NAS Charts

NAS Ranker

NAS Ranker

More Tools

More Tools

NAS Reviews

Under The Covers

Figure 16 shows the motherboard of the 150d.

Main Board
Click to enlarge image

Figure 16: Main Board

Iomega specifies the processor of the 150d as being a Freescale 8347 running at 400MHz with 128MB of RAM using a Vitesee 8201 chip for Ethernet. The SATA support is provided by a Silicon Image 3114 chip, and the USB support is provided by SMSC 2504 controller.

Internally, Iomega specs that the box runs a Linux 2.6.13 kernel, and also provides GPL source code on the installation CD. But I wanted to poke around a bit to see how the box was internally organized, so I started looking for a way to get visibility into the operating system.

When creating a network share, the user interface limited me to choosing data directories only, not operating system directories. But like many of these products, the 150d used the flawed strategy of using JavaScript for validation.

To bypass this, I redirected my browser to my own HTTP proxy that let me edit all parameters sent to the box. Using this technique, I specified the directory shown in Figure 17, which exported the very top level of the operating system directory.

Hacked Share

Figure 17: Hacked Share Name

Now I could mount this new share and roam around the operating system tree viewing boot scripts, binaries, the password file, etc. This showed me typical components such as Busybox for utilities, Samba for Windows sharing, vsftp for ftp support, etc. But I wasn't able to view everything because I only had the privilege of a standard user.

To elevate my privilege, I needed to look further. Another common error developers make is insufficient validation of data entered into a form. Iomega made this mistake when processing the input entered into the Email Alert form. I found that by using "back ticks" I could embed an arbitrary command into the email address and Iomega would dutifully pass this on to a command shell. Also, when I executed a command to list all of the running processes, I found that this command was executed as the "root" user, another "No-No" for developers (Figure 18).

Root Command

Figure 18: Running my command as root

Game over. Now I could change the password file to give my user root privileges, execute my own scripts, edit any file, etc. Note that in order to do what I did, I needed to have the administrator password to start with, so this is not a wide-open vulnerability. But also remember that administration has to be done over an insecure HTTP connection instead of a secure HTTPS connection, so the administrator password could be exposed to a determined local user.


I found the 150d to be a powerful NAS, with decent performance. The user interface is well designed and the RAID modes provide a measure of protection against disk failure. The USB ports give the ability to expand storage and also to share a printer to the network.

This feature set is fairly complete—as long as you're not looking for media serving—but not as extensive as some competing products such as the Infrant ReadyNAS NV. The fact that it supports Linux, Apple and Microsoft network file systems is a plus, as is its Active Directory support.

The hot-swap feature was nice as well, making it easy to plug and unplug disks while the NAS was up and running. But I would liked to have seen logging, a lower noise level, and the ability to update firmware from my Mac.

Overall, I would recommend the 150d if you're a small business administrator looking for a cost-effective way to add controlled storage to a heterogeneous network.

More NAS

Featured Sponsors

Win This!

Linksys Linksys LAPC1750PRO

You could win a Linksys LAPC1750PRO AC1750 Pro Dual-Band Access Point

Learn How!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Top Performing Routers


Top Performing NASes


Over In The Forums

The family has made the decision to cut the cable TV, but I have a big hurdle to overcome before it becomes reality and I need some advice. Right now...
does this router have same/any issues in bridge mode? tired of messing with it, but would like t oget some sort of use out of it. rt now im using ac68...
I have to RT-AC68U routers with the same firmware and CFE I am interested (but reluctant) to make a backup of router settings because I would like t...
gentlepeople i'm installing analog security cams & a dvr (with 1 network port) & would like to share some of the cams with my upstairs neighbor. sett...
Maybe somebody has experience with the following scenario, and could help me a bit? Trying to setup routed multicast IPTV using an CCR1009. Problem i...

Don't Miss These

  • 1
  • 2
  • 3