Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.
Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices, used by individuals and businesses to host their files and to automatically back up and sync them with various cloud and web-based services.
The device lets users not only share files on a home network; its private cloud feature also allows them to access their data from anywhere at any time.
Since these devices are designed to be connected to the Internet, the hard-coded backdoor leaves user data exposed to attackers.
GulfTech's research and development team has recently published an advisory detailing a hard-coded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and to upload and download sensitive files without permission.
Notably, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.
On 3 January (after roughly 180 days), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.
Unrestricted File Upload Flaw Leads to Remote Exploitation
As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the web server running on an internet-connected vulnerable storage device.
The vulnerability resides in the "multi_uploadify.php" script and stems from the developers' incorrect use of the gethostbyaddr() PHP function.
This vulnerability can also be easily exploited to gain a remote shell as root. To do so, an attacker sends a POST request containing the file to upload in the Filedata[0] parameter, the location the file should be written to in the "folder" parameter, and a fake "Host" header.
The researcher has also written a Metasploit module to exploit this vulnerability.
"The [metasploit] module will use this vulnerability to upload a PHP webshell to the "/var/www/" directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload," the researcher writes.
Hard Coded Backdoor Leads to Remote Exploitation
Researchers also found a "classic backdoor": an admin account with username "mydlinkBRionyg" and password "abc12345cba," which is hard-coded into the binary and cannot be changed.
So, anyone can just log into WD My Cloud devices with these credentials.
Also, using this backdoor access, anyone can reach the buggy code that is vulnerable to command injection and spawn a root shell.
"The triviality of exploiting these issues makes it very dangerous, and even wormable," the researcher notes. "Not only that, but users locked to a LAN are not safe either."
"An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."
Other Vulnerabilities in Western Digital's My Cloud
Besides the two critical vulnerabilities above, the researchers also reported the following important flaws:
Cross-site request forgery:
Because the WD My Cloud web interface has no real XSRF protection, any malicious site can potentially make a victim's web browser connect to a My Cloud device on the network and compromise it.
Simply visiting a booby-trapped website would be enough to lose control of your My Cloud device.
Command injection:
In March last year, a member of the Exploitee.rs team discovered several command injection issues in WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.
Unfortunately, the GulfTech team also uncovered a few command injection flaws.
Denial of Service:
Researchers also found that since any unauthenticated user can set the global language preferences for the entire storage device and all of its users, an attacker can abuse this functionality to cause a DoS condition in the web interface.
Information disclosure:
According to the researchers, an attacker can dump a list of all users, including detailed user information, without any authentication, simply by making a request to the web server like this: GET /api/2.1/rest/users? HTTP/1.1
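As an added detection example (not code from the GulfTech advisory or from Western Digital), the following Python scans web-server access-log lines for the request patterns described in this article: POSTs reaching multi_uploadify.php, hits on the unauthenticated /api/2.1/rest/users endpoint, requests carrying the hard-coded account name, and requests that address the device by one of its predictable default hostnames while the Referer points to another site. The log format with a trailing Host field, the sample lines, and the URL paths other than those named on the page are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (not from any real device): combined log
# format with the request's Host header appended as a final quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2018:10:01:12 +0000] "POST /upload/multi_uploadify.php?folder=/var/www HTTP/1.1" 200 41 "-" "curl/7.55" "wdmycloud"
198.51.100.9 - - [03/Jan/2018:10:02:30 +0000] "GET /api/2.1/rest/users? HTTP/1.1" 200 2104 "-" "Mozilla/5.0" "192.0.2.10"
192.0.2.5 - - [03/Jan/2018:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.0.2.10"
192.0.2.6 - - [03/Jan/2018:10:04:44 +0000] "POST /cgi-bin/login.cgi?user=mydlinkBRionyg HTTP/1.1" 200 88 "http://evil.example/" "Mozilla/5.0" "wdmycloudmirror"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)
BACKDOOR_USER = "mydlinkBRionyg"                      # hard-coded admin account named in the advisory
DEFAULT_HOSTNAMES = {"wdmycloud", "wdmycloudmirror"}  # predictable names the cross-site vector relies on

def classify(entry):
    """Return the indicator tags that apply to one parsed log entry."""
    tags = []
    path = entry["path"]
    # Unauthenticated arbitrary upload: any POST that reaches multi_uploadify.php.
    if entry["method"] == "POST" and "multi_uploadify.php" in path:
        tags.append("unauthenticated-upload-attempt")
    # User listing endpoint that answers without authentication.
    if path.startswith("/api/2.1/rest/users"):
        tags.append("user-enumeration")
    # Backdoor account appearing in the request (the login path itself is a constructed assumption).
    if BACKDOOR_USER.lower() in path.lower():
        tags.append("backdoor-login")
    # Cross-site vector: device addressed by a default hostname from a page served elsewhere.
    referer_host = urlsplit(entry["referer"]).hostname if entry["referer"] != "-" else None
    if entry["host"].lower() in DEFAULT_HOSTNAMES and referer_host not in (None, entry["host"].lower()):
        tags.append("cross-site-request")
    return tags

def scan(log_text):
    """Parse each line and keep only the entries that trigger at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        tags = classify(entry)
        if tags:
            findings.append({"src": entry["src"], "path": entry["path"], "tags": tags})
    return findings
```

Where the device's own logs do not record the Host header, the cross-site check can instead be run on a reverse proxy in front of the NAS; since no fix was available at disclosure, the practical mitigation is to keep the device off the public Internet.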
Affected My Cloud Firmware Versions and Models
Western Digital's My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all of the vulnerabilities reported above.
Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
Metasploit modules for all the vulnerabilities have been released online.