SmallNetBuilder

Follow SmallNetBuilder
Follow SmallNetBuilder on TwitterConnect On Facebook Google+Get the SmallNetBuilder RSS Feed
You are here: NAS NAS Reviews Iomega StorCenter Pro 150d Review - Under The Covers, Conclusion
 

Iomega StorCenter Pro 150d Review - Under The Covers, Conclusion

Print E-mail
<< Prev - Page 6 of 6 - Next

Under The Covers

Figure 16 shows the motherboard of the 150d.

Main Board
Click to enlarge image

Figure 16: Main Board

Iomega specifies the processor of the 150d as being a Freescale 8347 running at 400MHz with 128MB of RAM using a Vitesee 8201 chip for Ethernet. The SATA support is provided by a Silicon Image 3114 chip, and the USB support is provided by SMSC 2504 controller.

Internally, Iomega specs that the box runs a Linux 2.6.13 kernel, and also provides GPL source code on the installation CD. But I wanted to poke around a bit to see how the box was internally organized, so I started looking for a way to get visibility into the operating system.

When creating a network share, the user interface limited me to choosing data directories only, not operating system directories. But like many of these products, the 150d used the flawed strategy of using JavaScript for validation.

To bypass this, I redirected my browser to my own HTTP proxy that let me edit all parameters sent to the box. Using this technique, I specified the directory shown in Figure 17, which exported the very top level of the operating system directory.

Hacked Share

Figure 17: Hacked Share Name

Now I could mount this new share and roam around the operating system tree viewing boot scripts, binaries, the password file, etc. This showed me typical components such as Busybox for utilities, Samba for Windows sharing, vsftp for ftp support, etc. But I wasn't able to view everything because I only had the privilege of a standard user.

To elevate my privilege, I needed to look further. Another common error developers make is insufficient validation of data entered into a form. Iomega made this mistake when processing the input entered into the Email Alert form. I found that by using "back ticks" I could embed an arbitrary command into the email address and Iomega would dutifully pass this on to a command shell. Also, when I executed a command to list all of the running processes, I found that this command was executed as the "root" user, another "No-No" for developers (Figure 18).

Root Command

Figure 18: Running my command as root

Game over. Now I could change the password file to give my user root privileges, execute my own scripts, edit any file, etc. Note that in order to do what I did, I needed to have the administrator password to start with, so this is not a wide-open vulnerability. But also remember that administration has to be done over an insecure HTTP connection instead of a secure HTTPS connection, so the administrator password could be exposed to a determined local user.

Conclusion

I found the 150d to be a powerful NAS, with decent performance. The user interface is well designed and the RAID modes provide a measure of protection against disk failure. The USB ports give the ability to expand storage and also to share a printer to the network.

This feature set is fairly complete—as long as you're not looking for media serving—but not as extensive as some competing products such as the Infrant ReadyNAS NV. The fact that it supports Linux, Apple and Microsoft network file systems is a plus, as is its Active Directory support.

The hot-swap feature was nice as well, making it easy to plug and unplug disks while the NAS was up and running. But I would liked to have seen logging, a lower noise level, and the ability to update firmware from my Mac.

Overall, I would recommend the 150d if you're a small business administrator looking for a cost-effective way to add controlled storage to a heterogeneous network.




Related Items:

Iomega adds new Terabyte NASes
Iomega adds Rackmount, Desktop SMB NASes
Tiny Terabyte RAID: Iomega 1 TB StorCenter Network Hard Drive Review
Promise SmartStor Review: Cheaper RAID 5 in more ways than one
Hammer myshare Review: Newcomer NAS runs with the dual-drive pack

User reviews

There are no user reviews for this listing.  [Back to Top]

NOTE! Please post product reviews from actual experience only.
Questions, review comments and opinions about products not based on actual use will not be published.

 
Ratings (the higher the better)
Features*
 
Performance*
 
Reliability*
 
Comments*
    Please enter the security code.