
Critical Unpatched Flaws Disclosed In Western Digital 'My Cloud' Storage Devices

Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.

Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices, used by individuals and businesses to host their files and to automatically back them up and sync them with various cloud and web-based services.

The device not only lets users share files within a home network; its private cloud feature also allows them to access their data from anywhere at any time.

Since these devices are designed to be connected over the Internet, the hardcoded backdoor would leave user data open to hackers.

GulfTech's research and development team has recently published an advisory detailing a hardcoded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and upload and download sensitive files without permission.

Notably, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.

On 3rd January (that is, about 180 days later), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.

Unrestricted File Upload Flaw Leads to Remote Exploitation


As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the server running on the internet-connected vulnerable storage devices.

The vulnerability resides in the "multi_uploadify.php" script, due to the developers' incorrect implementation of the gethostbyaddr() PHP function.

This vulnerability can also be easily exploited to gain a remote shell as root. For this, all an attacker has to do is send a POST request containing a file to upload using the parameter Filedata[0], a location for the file to be uploaded to, which is specified within the "folder" parameter, and a false "Host" header.

The researcher has also written a Metasploit module to exploit this vulnerability.
"The [metasploit] module will use this vulnerability to upload a PHP webshell to the "/var/www/" directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload," the researcher writes.

Hard Coded Backdoor Leads to Remote Exploitation


Researchers also found a "classic backdoor": an admin username "mydlinkBRionyg" and password "abc12345cba," hardcoded into the binary, which cannot be changed.

So, anyone can simply log into WD My Cloud devices with these credentials.

Also, using this backdoor access, anyone can reach the buggy code which is vulnerable to command injection and spawn a root shell.
"The triviality of exploiting these issues makes it very dangerous, and even wormable," the researcher notes. "Not only that, but users locked to a LAN are not safe either."
"An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."

Other Vulnerabilities in Western Digital's My Cloud


Besides the two critical vulnerabilities above, researchers also reported other important flaws, explained below:

Cross-site request forgery:


Because the WD My Cloud web interface has no real XSRF protection, any malicious site can potentially make a victim's web browser connect to a My Cloud device on the network and compromise it.

Simply visiting a booby-trapped website would be enough to lose control of your My Cloud device.
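The two defences the advisory says the web interface lacks are a per-session anti-CSRF token and a check that the request actually originated from the device's own pages. The following is an added example, not code from the GulfTech advisory or from Western Digital's firmware: a minimal server-side gate that rejects the cross-site request shapes the researcher describes (a form post launched from another site, or an embedded img/iframe GET aimed at a predictable hostname). The request shapes, the hostname list and the `attacker.example` origin are constructed for the demonstration.

```python
"""
Added example (not from the advisory or the device firmware): a CSRF gate
for state-changing requests. A request is allowed only if it is a POST,
its Origin (or, failing that, Referer) host is one of the device's own
hostnames, and it carries the anti-CSRF token bound to the session.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hostnames the device answers to; the advisory names these two defaults.
# Assumption: a real deployment would also add the configured LAN name/IP.
DEVICE_HOSTNAMES = {"wdmycloud", "wdmycloudmirror"}


def issue_token(session: Dict[str, str]) -> str:
    """Create a fresh, unguessable anti-CSRF token and bind it to the session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_host(headers: Dict[str, str]) -> Optional[str]:
    """Host part of Origin, falling back to Referer; None if neither is present."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            host = (urlsplit(value).hostname or "").lower()
            return host or None
    return None


def csrf_check(method: str, headers: Dict[str, str], form: Dict[str, str],
               session: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request that would change device state."""
    # An <img> or <iframe> can only issue GETs, so state changes must be POST.
    if method.upper() != "POST":
        return False, "state change over non-POST"
    host = _origin_host(headers)
    if host is None:
        return False, "no Origin/Referer header"
    # A browser sets Origin itself; a page on attacker.example cannot forge it.
    if host not in DEVICE_HOSTNAMES:
        return False, "cross-site origin %r" % host
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run four constructed request shapes through the gate."""
    session: Dict[str, str] = {}
    token = issue_token(session)
    cases = {
        # Legitimate form post from the device's own UI.
        "same_site": ("POST", {"Origin": "http://wdmycloud"}, {"csrf_token": token}),
        # Cross-site form post launched by a booby-trapped page.
        "cross_site": ("POST", {"Origin": "http://attacker.example"}, {"csrf_token": ""}),
        # Embedded img/iframe GET aimed at a state-changing URL.
        "img_get": ("GET", {"Referer": "http://attacker.example/page"}, {}),
        # Same-site post that omits the token (e.g. a replayed form).
        "no_token": ("POST", {"Referer": "http://wdmycloudmirror/ui"}, {}),
    }
    return {name: csrf_check(m, h, f, session) for name, (m, h, f) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-10s -> %s (%s)" % (name, "allow" if ok else "deny", why))
```

The Origin check alone is not enough on this device class: the attack in the quote above works precisely because the victim's browser is already on the LAN and the hostname is predictable, so the token is what stops a forged request that happens to carry an acceptable Referer.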

Command injection:


In March last year, a member of the Exploitee.rs team discovered several command injection issues within the WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.

Unfortunately, the GulfTech team also uncovered a few command injection flaws.

Denial of Service:


Researchers also found that, since any unauthenticated user can set the global language preferences for the entire storage device and all of its users, an attacker can abuse this functionality to cause a DoS condition on the web interface.

Information disclosure:


According to the researchers, an attacker can dump a list of all users, including detailed user information, without any authentication, simply by making a request to the web server like this: GET /api/2.1/rest/users? HTTP/1.1
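Until a fix ships, the practical defensive move is to watch the device's web logs for the request shapes the advisory describes: POSTs to the upload script, requests to the user-listing API, and requests whose Host header is not one of the device's own names. The following is an added example, not code from the advisory or from Western Digital: a small scanner run over constructed log lines. The log format (a Host field followed by a combined-log-style request line) and the `/web/jquery/uploader/` path prefix are assumptions; only the `multi_uploadify.php` filename and the `/api/2.1/rest/users` path come from the advisory.

```python
"""
Added example (not from the advisory or the device): scan constructed web
access log lines for the request patterns the GulfTech advisory describes.
Log format assumed here: '<host-header> <client-ip> [<time>] "<request>" <status>'.
"""
import re
from ipaddress import ip_address
from typing import List, Tuple

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Hostnames the device legitimately answers to (advisory defaults; extend locally).
DEVICE_HOSTNAMES = {"wdmycloud", "wdmycloudmirror"}

RULE_UPLOAD = "file-upload endpoint hit"
RULE_USERS = "user enumeration endpoint"
RULE_HOST = "unexpected Host header"
RULE_UNPARSED = "unparseable line"


def _is_ip(host: str) -> bool:
    """True if the Host value is a bare IPv4/IPv6 literal (port already stripped)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str) -> List[str]:
    """Return the list of rules a single log line triggers (possibly empty)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [RULE_UNPARSED]
    path = m.group("path").split("?", 1)[0]
    hits = []
    # Arbitrary file upload: POST to multi_uploadify.php (advisory, L26-L28).
    if m.group("method") == "POST" and path.endswith("multi_uploadify.php"):
        hits.append(RULE_UPLOAD)
    # Information disclosure: unauthenticated listing of all users (advisory, L71).
    if path == "/api/2.1/rest/users":
        hits.append(RULE_USERS)
    # The upload exploit relies on a false Host header; flag hosts that are
    # neither a device hostname nor an IP literal the device could own.
    host = m.group("host").rsplit(":", 1)[0].lower() if not m.group("host").startswith("[") else m.group("host")
    if host not in DEVICE_HOSTNAMES and not _is_ip(host):
        hits.append(RULE_HOST)
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan a whole log; return (1-based line number, rule) pairs in order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for rule in classify(line):
            findings.append((n, rule))
    return findings


# Constructed sample log: one benign UI request, one upload probe with a bogus
# Host, one user listing, one benign API call addressed by IP, one junk line.
SAMPLE_LOG = [
    'wdmycloud 192.168.1.20 [03/Jan/2018:10:00:01 +0000] "GET /web/index.html HTTP/1.1" 200',
    'not-my-nas.invalid 203.0.113.9 [03/Jan/2018:10:00:07 +0000] '
    '"POST /web/jquery/uploader/multi_uploadify.php?folder=/var/www/ HTTP/1.1" 200',
    'wdmycloud 203.0.113.9 [03/Jan/2018:10:00:09 +0000] "GET /api/2.1/rest/users? HTTP/1.1" 200',
    '192.168.1.5 192.168.1.20 [03/Jan/2018:10:01:00 +0000] "GET /api/2.1/rest/device HTTP/1.1" 200',
    'garbage that does not parse',
]

if __name__ == "__main__":
    for n, rule in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, rule))
```

The Host rule is deliberately the noisiest of the three; on a LAN where clients address the NAS by a name you chose, add that name to `DEVICE_HOSTNAMES` before trusting it. The two path rules are worth alerting on regardless of status code, since a 200 on the users endpoint from an address that never authenticated is exactly the condition the advisory describes.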

Affected My Cloud Firmware Versions and Models


Western Digital's My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all the vulnerabilities reported above.

Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
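Checking a fleet against this advisory is a version comparison, and the common mistake is comparing firmware strings lexically ("2.9.10" sorts after "2.30.165" as text but is older). The following is an added example, not from the advisory or Western Digital: it encodes the affected-model list and the 2.30.165 ceiling stated above and triages a constructed inventory. Because the article reports the flaws as still unpatched, a firmware newer than 2.30.165 is reported only as outside the stated range, not as fixed.

```python
"""
Added example (not from the advisory): triage an inventory of My Cloud
devices against the affected models and firmware range the article states.
The inventory entries below are constructed.
"""
from typing import List, Tuple

# Models named in the advisory summary above.
AFFECTED_MODELS = {
    "My Cloud Gen 2", "My Cloud PR2100", "My Cloud PR4100", "My Cloud EX2 Ultra",
    "My Cloud EX2", "My Cloud EX4", "My Cloud EX2100", "My Cloud EX4100",
    "My Cloud DL2100", "My Cloud DL4100",
}
# "2.30.165 and earlier" are affected.
AFFECTED_MAX = (2, 30, 165)

STATUS_AFFECTED = "affected"
STATUS_OUTSIDE = "outside reported range (not necessarily fixed)"
STATUS_UNLISTED = "model not in advisory list"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.30.165' (optionally 'v2.30.165') into a tuple of ints for correct ordering."""
    text = text.strip().lower().lstrip("v")
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("bad firmware version: %r" % text)
    return tuple(int(p) for p in parts)


def device_status(model: str, firmware: str) -> str:
    """Classify one device by model and firmware against the advisory."""
    if model.strip() not in AFFECTED_MODELS:
        return STATUS_UNLISTED
    if parse_version(firmware) <= AFFECTED_MAX:
        return STATUS_AFFECTED
    return STATUS_OUTSIDE


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (model, firmware, status) for every inventory row."""
    return [(model, fw, device_status(model, fw)) for model, fw in inventory]


# Constructed inventory for the demonstration.
INVENTORY = [
    ("My Cloud EX2 Ultra", "2.30.165"),   # exactly at the ceiling: affected
    ("My Cloud PR4100", "2.9.10"),        # older than 2.30.165 despite sorting later as text
    ("My Cloud EX4100", "v2.30.172"),     # newer than the reported range (constructed value)
    ("Some Other NAS", "2.30.165"),       # not a model the advisory names
]

if __name__ == "__main__":
    for model, fw, status in triage(INVENTORY):
        print("%-20s %-10s %s" % (model, fw, status))
```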

Metasploit modules for all the vulnerabilities have been released online.