Security researchers have discovered several severe vulnerabilities, along with a secret hard-coded backdoor, in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.
Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices, used by individuals and businesses to host their files and to automatically back them up and sync them with various cloud and web-based services.
The device lets users not only share files within a home network, but its private cloud feature also allows them to access their data from anywhere at any time.
Since these devices are designed to be connected over the Internet, the hard-coded backdoor would leave user data open to hackers.
GulfTech's research and development team recently published an advisory detailing a hard-coded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and upload and download sensitive files without permission.
Notably, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days before full disclosure.
On 3 January (roughly 180 days later), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.
Unrestricted File Upload Flaw Leads to Remote Exploitation
As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the server running on internet-connected vulnerable storage devices.
The vulnerability resides in the "multi_uploadify.php" script, due to the developers' incorrect use of the gethostbyaddr() PHP function.
This vulnerability can also be easily exploited to gain a remote shell as root. All an attacker has to do is send a POST request containing a file to upload using the parameter Filedata[0], a location for the file to be uploaded to, specified in the "folder" parameter, and a fake "Host" header.
The researcher has also written a Metasploit module to exploit this vulnerability.
"The [metasploit] module will use this vulnerability to upload a PHP webshell to the "/var/www/" directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload," the researcher writes.
Hard Coded Backdoor Leads to Remote Exploitation
Researchers also found the existence of a "classic backdoor", with admin username "mydlinkBRionyg" and password "abc12345cba," which is hard-coded into the binary and cannot be changed.
So, anyone can simply log into WD My Cloud devices with these credentials.
Also, using this backdoor access, anyone can reach the buggy code that is vulnerable to command injection and spawn a root shell.
"The triviality of exploiting these issues makes it very dangerous, and even wormable," the researcher notes. "Not only that, but users locked to a LAN are not safe either."
"An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."
Other Vulnerabilities in Western Digital's My Cloud
Besides the two critical vulnerabilities above, researchers also reported the other important flaws explained below:
Cross-site request forgery:
Because there is no real XSRF protection within the WD My Cloud web interface, any malicious site can potentially make a victim's web browser connect to a My Cloud device on the network and compromise it.
Simply visiting a booby-trapped website would be enough to lose control of your My Cloud device.
Command injection:
In March last year, a member of the Exploitee.rs team discovered several command injection issues within the WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.
Unfortunately, the GulfTech team also uncovered a few command injection flaws.
Denial of Service:
Researchers also found that since any unauthenticated user can set the global language preferences for the entire storage device and all of its users, it is possible for an attacker to abuse this functionality to cause a DoS condition in the web interface.
Information disclosure:
According to researchers, it is possible for an attacker to dump a list of all users, including detailed user information, without requiring any authentication, simply by making a request to the web server like this: GET /api/2.1/rest/users? HTTP/1.1
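For anyone operating one of these devices behind a reverse proxy or with web logs forwarded to a collector, the indicators named in this article (a POST to multi_uploadify.php carrying an unexpected Host header, an unauthenticated request to /api/2.1/rest/users, and a login using the hard-coded admin username) can be matched directly in access logs. The following Python script is an added example, not code from the article or from GulfTech: it parses a constructed log sample and tags each line with the indicators it matches. The log format (Common Log Format plus "host=" and "user=" fields), the trusted LAN range, and the "/example-path" and "/login" paths are assumptions for this example; the hostnames "wdmycloud" and "wdmycloudmirror" are the predictable defaults the researcher cites.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators named in the article: the upload script, the unauthenticated
# user-list API and the hard-coded admin username. The default hostnames are
# the ones the researcher cites as predictable.
UPLOAD_SCRIPT = "multi_uploadify.php"
USERS_API = "/api/2.1/rest/users"
BACKDOOR_USERNAME = "mydlinkBRionyg"
EXPECTED_HOSTS = {"wdmycloud", "wdmycloudmirror"}

# Assumption: the home LAN that should be the only source of NAS admin traffic.
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample log (not captured from a real device). Common Log Format
# with two extra key=value fields: "host=" (the request's Host header) and
# "user=" (the username on a login POST). Both fields, "/example-path",
# "/login" and "/web/status" are assumptions for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jan/2018:10:00:01 +0000] "GET /web/ HTTP/1.1" 200 512 host=wdmycloud
198.51.100.7 - - [03/Jan/2018:10:02:13 +0000] "POST /example-path/multi_uploadify.php?folder=/var/www HTTP/1.1" 200 88 host=not-a-real-host
203.0.113.5 - - [03/Jan/2018:10:03:44 +0000] "GET /api/2.1/rest/users? HTTP/1.1" 200 4096 host=wdmycloud
192.0.2.10 - - [03/Jan/2018:10:05:00 +0000] "POST /login HTTP/1.1" 200 120 host=wdmycloud user=mydlinkBRionyg
192.0.2.11 - - [03/Jan/2018:10:06:00 +0000] "GET /web/status HTTP/1.1" 200 300 host=wdmycloud
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<extra>.*)$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Trailing key=value fields (host=..., user=...) become extra keys.
    for token in rec.pop("extra").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def classify(rec):
    """Return the list of indicators a parsed request matches (empty if none)."""
    findings = []
    path = urlsplit(rec["target"]).path
    if rec["method"] == "POST" and path.endswith("/" + UPLOAD_SCRIPT):
        findings.append("upload-script-request")
        # The exploit path described in the article relies on a forged Host
        # header, so a value outside the device's expected hostnames is the
        # stronger signal.
        if rec.get("host", "").lower() not in EXPECTED_HOSTS:
            findings.append("unexpected-host-header")
    if path == USERS_API:
        findings.append("user-list-api")
    if rec.get("user") == BACKDOOR_USERNAME:
        findings.append("backdoor-username-login")
    # Any hit from outside the trusted LAN deserves a higher priority.
    if findings and ipaddress.ip_address(rec["ip"]) not in TRUSTED_NET:
        findings.append("external-source")
    return findings


def scan(log_text):
    """Run classify() over every parseable line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            hits.append({"ip": rec["ip"], "target": rec["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["target"], ", ".join(hit["findings"]))
```

The Host check matters because the article's exploit path depends on the attacker supplying a Host header the device does not expect; a plain request count on the upload script would also catch legitimate uploads from the web UI, which is why the script separates "upload-script-request" from the stronger "unexpected-host-header" tag.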
Affected My Cloud Firmware Versions and Models
Western Digital's My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all the vulnerabilities reported above.
Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
Metasploit modules for all the vulnerabilities have been released online.
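An asset owner with several of these devices needs to compare each unit's firmware against the 2.30.165 threshold and the model list above. The following Python helper is an added example, not code from the article or from Western Digital: it parses dotted firmware versions into integer tuples (a plain string comparison would rank "2.4.0" above "2.30.165") and triages a constructed inventory. The inventory entries, including the version "2.30.172" and the model "My Cloud Example-Model", are constructed for this example, and since the article names no fixed firmware version the script reports newer firmware only as newer than the advisory threshold, not as patched.

```python
import re

# From the article: My Cloud / My Cloud Mirror firmware 2.30.165 and earlier
# are affected, and these models are listed as affected.
LAST_AFFECTED_VERSION = "2.30.165"
AFFECTED_MODELS = {
    "My Cloud Gen 2", "My Cloud PR2100", "My Cloud PR4100", "My Cloud EX2 Ultra",
    "My Cloud EX2", "My Cloud EX4", "My Cloud EX2100", "My Cloud EX4100",
    "My Cloud DL2100", "My Cloud DL4100",
}

# Constructed inventory for this example; the versions other than 2.30.165
# and the "Example-Model" entry are not taken from the article.
SAMPLE_INVENTORY = [
    ("My Cloud EX2 Ultra", "2.30.165"),
    ("My Cloud PR4100", "2.30.172"),
    ("My Cloud Gen 2", "2.21.126"),
    ("My Cloud Example-Model", "3.0.1"),
    ("My Cloud EX4", "unknown"),
]


def parse_version(text):
    """Turn "2.30.165" into (2, 30, 165); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected_version(version):
    """True if the firmware is at or below 2.30.165, per the article.

    Integer tuples compare numerically, so 2.4.0 sorts below 2.30.165 as it
    should; comparing the raw strings would get that backwards.
    """
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def triage(inventory):
    """Classify (model, firmware) pairs from an asset inventory.

    Each result is (model, version, state) with state one of "affected",
    "firmware-newer-than-advisory", "model-not-listed" or "unparseable-version".
    """
    results = []
    for model, version in inventory:
        try:
            old_firmware = is_affected_version(version)
        except ValueError:
            results.append((model, version, "unparseable-version"))
            continue
        if model not in AFFECTED_MODELS:
            results.append((model, version, "model-not-listed"))
        elif old_firmware:
            results.append((model, version, "affected"))
        else:
            results.append((model, version, "firmware-newer-than-advisory"))
    return results


if __name__ == "__main__":
    for model, version, state in triage(SAMPLE_INVENTORY):
        print(f"{model:24} {version:10} {state}")
```

"model-not-listed" is deliberately not "safe": the article says the listed models are affected, not that others are clean, so an unlisted model needs a manual check rather than a green tick.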