Promise VTrak M500f/Support Case Log: Difference between revisions

From fakedWiki
Jump to: navigation, search
No edit summary
No edit summary
Line 11: Line 11:
cheers,
cheers,
Jan|Request:-|28th July 2011 at 11:27}}
Jan|Request:-|28th July 2011 at 11:27}}


{{Quote|Hi Jan,  There is a known issue with network protocols.  If you are running network monitoring, the log can get full.  I would like to know what FW revision you are on.  Please attach the system service report.  Thank You, Michele|Response By:- Michele Depage|28th July 2011 at 12:33}}
{{Quote|Hi Jan,  There is a known issue with network protocols.  If you are running network monitoring, the log can get full.  I would like to know what FW revision you are on.  Please attach the system service report.  Thank You, Michele|Response By:- Michele Depage|28th July 2011 at 12:33}}
Line 17: Line 16:
{{Quote|Also as a reminder;  Be aware that poking around in Islevista can corrupt the FW kernel. If the FW drops into the kernel again, please call us so we can get some debug.  Thank You!  Michele|Response By:- Michele Depage|28th July 2011 at 12:36}}
{{Quote|Also as a reminder;  Be aware that poking around in Islevista can corrupt the FW kernel. If the FW drops into the kernel again, please call us so we can get some debug.  Thank You!  Michele|Response By:- Michele Depage|28th July 2011 at 12:36}}


Request:-  28th July 2011 at 12:41
{{Quote|Like i said, i can't give you the report because i'm at home, but the revision is 2.39 or something like that, it's the latest from your website, i checked earlier today. Is there any way i can get into islavista again without having to way for the next crash, so i can fix the PHP code myself? Unfortunately i rebooted the storage, didn't think about being locked in the CLI after reboot...|Request:-|28th July 2011 at 12:41}}
Like i said, i can't give you the report because i'm at home, but the revision is 2.39 or something like that, it's the latest from your website, i checked earlier today. Is there any way i can get into islavista again without having to way for the next crash, so i can fix the PHP code myself? Unfortunately i rebooted the storage, didn't think about being locked in the CLI after reboot...


Response By:- Michele Depage 28th July 2011 at 14:47
{{Quote|Hi Again, you should be able to login to your unit (GUI (Browser) or CLI) via the IP address. Also, can you please confirm what Product you have.  There is a conflict between Product and Type of Case you opened (S3000). Once I know your product and review the log I can tell what the fix is if in fact its the known issue.  Thank You!  Michele|Response By:- Michele Depage|28th July 2011 at 14:47}}
Hi Again, you should be able to login to your unit (GUI (Browser) or CLI) via the IP address. Also, can you please confirm what Product you have.  There is a conflict between Product and Type of Case you opened (S3000). Once I know your product and review the log I can tell what the fix is if in fact its the known issue.  Thank You!  Michele  


Request:-  29th July 2011 at 2:25
{{Quote|Yes, i know that i'm able to login to my unit (GUI (Browser) or CLI) via the IP address, but i can't change the PHP code there, can i? I need access to the islavista shell for that!
Yes, i know that i'm able to login to my unit (GUI (Browser) or CLI) via the IP address, but i can't change the PHP code there, can i? I need access to the islavista shell for that!
Regarding the "Type of Case", i just selected general case, that's probably why the S3000 shows up - another bug in a different webinterface, i guess ;)
Regarding the "Type of Case", i just selected general case, that's probably why the S3000 shows up - another bug in a different webinterface, i guess ;)
I'm now back at work, so i'll see how i can upload the service report...
I'm now back at work, so i'll see how i can upload the service report...|Request:- |29th July 2011 at 2:25}}


Request:-  29th July 2011 at 2:41
Request:-  29th July 2011 at 2:41

Revision as of 12:08, 5 August 2011

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Request:- 29th July 2011 at 2:41 Sorry, didn't find a way to save the service report, there not "save" button - this doesn't apply: http://kb.promise.com/KnowledgebaseArticle10095.aspx

Response By:- Michele Depage 29th July 2011 at 8:27 So Jan, you have a M500f, rite? Your using WebPAM Pro, and when you click on the subsystem (IP addy) you do not see a SAVE button at the bottom of the screen? Very bizzar to say the least. Can you please login to CLI...

> Once logged in Enter the following commands at the administrator@cli prompt: > > > subsys -v > > ctrl -v > > enclosure -v > > battery -v > > net – v

> iscsi -v > > phydrv > > phydrv -v > > array > > array -v > > logdrv > > logdrv – v > > lunmap > > event > > event -l nvram > > Save to a file and attach to this case please

Request:- 29th July 2011 at 8:42 Yup, M500f - i discovered that i can change that here, i never had the chance when opening the case! (I guess the "S3000 Vtrak" doesn't belong into the drop-down menu at all, maybe you can have that checked by someone). Correct, there's no "save" button, i've attached a screenshot. The CLI output is attached, at least that stuff i could c/p.

cheers, Jan


Response By:- Michele Depage 29th July 2011 at 9:14 What about Admin / Tools / Save System Service Report. Not there either? Looks like you have a special build. I am going verify with FAE. BRB

Request:- 29th July 2011 at 9:17 Not in the office any more, but i'm pretty sure i would have noticed such a distinct menu option ;)

Response By:- Michele Depage 29th July 2011 at 10:2 YUP! There isn't for this product. My bad. CLI only. We need the SAS and FC stats. Can you please get those using the sasdiag & fc commands.

Also, I have asked an FAE in your area to step in as well. Cheers, Michele

Request:- 1st August 2011 at 0:43 Hi Michele, 'sasdiag' isn't available on the system, but i've attached the output of 'fc -v'. cheers, Jan

Response By:- Michele Depage 2nd August 2011 at 11:51 Hi Jan, Has anyone contacted you from our Europe office? Thanks! Michele

Request:- 2nd August 2011 at 12:43 No yet, sorry - i'd say via telephone between 1PM and 6PM CEST would be best, or via email... cheers, Jan

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 0:17 Hello Jan,

I am FAE for EMEA area and I will take care now about this case.

To diagnose the system we need to collect the information first. PLease do the same as you did with "fc -v" but with all the following commands:

subsys -v ctrl -v enclosure -v battery -v net – v iscsi -v phydrv phydrv -v array array -v logdrv logdrv – v lunmap event event -l nvram

I have general idea what is wrong with the controller but let me see the output first. You can reach me at by my mobile phone +31653888388

regards,

Sergiy

Request:- 3rd August 2011 at 3:22 Hi Sergiy, i had already attached the output of all those commands, but it looks like somebody removed them... anyways, the new log is attached!

btw, i know what i wrong, and i already gave Michele the fix, it's really really (really!) obvious... and i could fix either the PHP code to do proper conditional checking, or just decrease the PHP logging level so E_NOTICE isn't logged. i don't think it's a problem of the controller, it's just "unforseen" firmware issues. Give me the islavista shell and i'm good ;)

cheers, Jan

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 3:53 When do you get the "islavista" shell. Please describe the steps as detailed as possible.

When did you update the firmware the last time?

Request:- 3rd August 2011 at 3:56 Please read the previous conversation, i got it when the / partition was full the last time. serial console, et voilá. As you should see from the logs, the most recent firmware version is installed, i did that somewhen this year.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:8 Did the problem start after the firmware update? It is obvious that firmware code is damaged. The possible solution could be to re-flash the controller.

Request:- 3rd August 2011 at 4:22 I'm not really sure if you understood what i said, the issue it that the / partition is being filled up with the php-error.log because there's badly written PHP code in the webinterface. That, or a not-so-optimal setting for error reporting. To me it's no surprise that the CLI bails out and drops me to a root shell when it rans out of resources. To answer your question, the problem existed before the update, that's why i updated the firmware - but now i know it's not a problem with the controller firmware, but rather with the webinterface.

Please, read my previous messages!

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:29 I did carefully study your previous messages and I just need to ask you some additional questions to understand what is wrong with system. It really looks like that controller of the system is deffective and needs to be replaced. You mentioned that you got a message that /tmp is full. I assume, that message was in browser, right? Can I see the full error message?


Request:- 3rd August 2011 at 4:32 Yes, that message was in the browser, but i don't have it anymore, because i purged the logfile in islavista. i'm about to try to force it to fill up again, let's see if this is exploitable ... islavista over telnet, without authentication, would be pretty serious.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:47 I assume that system has hardware problem that generates this logfile. In the event log there are many HDD timeouts and resets. So are you able to run the web management now?

Request:- 3rd August 2011 at 4:53 Okay, you didn't read my messages. It's not the hardware. I'm really considering doing a Full Disclosure now. Potential remote root access via Telnet should be made public, if you're not willing to understand the very simple issue that causes this.

(But, to be polite and answer your question: Yes, i can access the web management, AFTER GETTING ROOT ACCESS and freeing up some space manually.)

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:59 I understand you very well. The fact is that with healthy system you absolutely should not get the root access and being able to manipulate with file system. And device has very serious problem if you can do this. In addition, there are unhealthy messages in the event log of the subsystem.

It is not nessesary to open the telnet session. The controler of the system must be replaced.

Request:- 3rd August 2011 at 5:6 Are you kidding me? Are you fucking kidding me? Please, go through my messages and tell me what i wrote that is causing the / partition to fill up, because if you don't, i'll hit "publish" and make this open to the public. You didn't even understand what i want to use Telnet for, did you? I will use Telnet to see if i can get the islavista shell even via network, instead of only via the serial console, to make this "root exploit" a "remote root exploit".

Please, look up "Full Disclosure" on Wikipedia.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 5:12 Dear Jan,

I am not going to continue the conversation unless you will change your way of talking. I just can repeat you one more time, you should not even know the word "islavista" related to this device. You need a new controller.

Request:- 3rd August 2011 at 5:17 We could have sorted this out nice and easy, if you would have understood the basic problem that has nothing to do with any piece of hardware at all, but only with your sub-par PHP code and configuration.

I'll call your marketing dept, let's see what they say about this vulnerability. If you have any stock options with Promise, better sell them off quickly.

Date of closure: 8/3/2011 5:19:08 AM Reason for closure: Customer refuses the solution and suggested to sell Promise stocks.

Request:- 3rd August 2011 at 5:35 You didn't even understand THAT: i don't need a solution, i really don't care about this storage, it's just an old backup, long out of warranty, not really used for anything serious.

but YOU need a solution, and that's how to fix this vulnerability in YOUR storage firmware.

ah, fuck it, you won't understand it anyway.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 6:5 We do appreciate that you found a problem with our system. This system is already discontinued and we do not plan the updates. However, I will pass this information to our developers.

Thank you. Date of closure: 8/3/2011 5:38:14 AM Reason for closure: Closed by the user, since the error does not exist any more !

Response By:- Joris Piepers 3rd August 2011 at 6:26 Customer will disclose the exploit on the internet as this is a security gap.

Response By:- Joris Piepers 3rd August 2011 at 6:27 as this is a exploit.

Response By:- Joris Piepers 3rd August 2011 at 7:20 Hello Jan Grewe,

Can you please disclose the website where you are going to disclose this info?

Request:- 3rd August 2011 at 7:29 Hi Joris,

i will first publish it on my own domain and then send the link/post it to the Full Disclosure mailing list and probably also others on SecLists.Org

cheers, Jan

Response By:- Sergiy Voskoboynikov 5th August 2011 at 0:9 Dear Jan,

Could you share with us what exactly are you going to publish?

Request:- 5th August 2011 at 2:16 Hi Sergiy, i'm still working on the full analysis of the M500f's firmware, so i can apply it to the firmware for other of your devices, but here's my progress to far: http://faked.org/wiki/Promise_VTrak_M500f

In theory that should be enough proof for everybody to reproduce the results, but i want to make this watertight: could you point me to where the mtdblocks that get mounted to /islavista/[conf+fw+sw] come from, and where i can find the file "update.sr3"? Thanks!

Response By:- Sergiy Voskoboynikov 5th August 2011 at 3:14 Hi Jan,

Now you're more specific. We could more constructive dialog from the beginning. I will need to perform some tests and I will contact you again with the results.

As for information that you ask, I could not provide it to you now because this information is confidential.

Request:- 5th August 2011 at 3:30 Well, we could have gotten there a lot faster and easier if you wouldn't have tried to convince me that this is because of faulty hardware - which i pointed out to you multiple times by telling you to read my previous messages.

How about we start now with the "constructive dialog", for example by you giving me the information i need, because sooner or later i will find out myself, and of course i'll make that information available to others because you don't do. Now if i wouldn't have to find out myself how to get them, but just get them, there's nothing i could publish, right?

On a sidenote, where do you provide the sourcecode for your firmware? As you're using GPL licensed code, you MUST release the corresponding source code, in case you didn't know... a good starting point: http://gpl-violations.org/faq/vendor-faq.html