Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.
Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices, used by individuals and businesses to host their files and to automatically back up and sync them with various cloud and web-based services.
The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time.
Since these devices have been designed to be connected over the Internet, the hardcoded backdoor would leave user data open to hackers.
GulfTech's research and development team has recently published an advisory detailing a hardcoded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and upload and download sensitive files without permission.
Notably, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.
On 3rd January (almost 180 days later), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.
Unrestricted File Upload Flaw Leads to Remote Exploitation
As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the server running on vulnerable, internet-connected storage devices.
The vulnerability resides in the "multi_uploadify.php" script and is due to the developers' incorrect use of the PHP gethostbyaddr() function.
This vulnerability can also be easily exploited to gain a remote shell as root. For this, all an attacker has to do is send a POST request containing the file to upload in the Filedata[0] parameter, the location for the file to be uploaded to in the "folder" parameter, and a fake "Host" header.
The researcher has also written a Metasploit module to exploit this vulnerability.
"The [Metasploit] module will use this vulnerability to upload a PHP webshell to the '/var/www/' directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload," the researcher writes.
Hard Coded Backdoor Leads to Remote Exploitation
Researchers also found the existence of a "classic backdoor"—with admin username "mydlinkBRionyg" and password "abc12345cba," which is hardcoded into the binary and cannot be changed.
So, anyone can just log into WD My Cloud devices with these credentials.
Also, using this backdoor access, anyone can reach the buggy code that is vulnerable to command injection and spawn a root shell.
"The triviality of exploiting this issue makes it very dangerous, and even wormable," the researcher notes. "Not only that, but users locked to a LAN are not safe either."
"An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."
Other Vulnerabilities in Western Digital's My Cloud
Besides the two critical vulnerabilities described above, researchers also reported several other important flaws, explained below:
Cross-site request forgery:
Because the WD My Cloud web interface has no real XSRF protection, any malicious site can potentially make a victim's web browser connect to a My Cloud device on the network and compromise it.
Simply visiting a booby-trapped website would be enough to lose control of your My Cloud device.
Command injection:
In March last year, a member of the Exploitee.rs team discovered several command injection issues within the WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.
Unfortunately, the GulfTech team also uncovered a few command injection flaws.
Denial of Service:
Researchers also found that any unauthenticated user can set the global language preferences for the entire storage device and all of its users, so an attacker can abuse this functionality to cause a DoS condition in the web interface.
Information disclosure:
According to researchers, an attacker can dump a list of all users, including detailed user information, without any authentication, using a simple request to the web server like this: GET /api/2.1/rest/users? HTTP/1.1
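For defenders, the request patterns described above (a POST to multi_uploadify.php, a request to /api/2.1/rest/users, and requests arriving with a foreign Referer as in the iframe/img scenario) can be looked for in web access logs. The following is an added example, not code from GulfTech or Western Digital; it assumes "combined" format logs, and the PLACEHOLDER paths, addresses and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: access logs are in Apache/NGINX "combined" format.
LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# Names the device answers to: the article's default hostnames; add its IP address.
DEVICE_HOSTS = {"wdmycloud", "wdmycloudmirror"}

def classify(line, device_hosts=DEVICE_HOSTS):
    """Return the sorted findings for one access-log line (empty if none)."""
    m = LINE.match(line)
    if not m:
        return []
    path = urlsplit(m["target"]).path.lower()
    findings = set()
    # Any POST to the upload script named in the advisory deserves review.
    if m["method"] == "POST" and path.endswith("/multi_uploadify.php"):
        findings.add("upload-endpoint")
    # The user-list API answers without authentication on affected firmware.
    if path.rstrip("/") == "/api/2.1/rest/users":
        findings.add("user-enumeration")
    # A Referer from another site means a third-party page triggered the request.
    ref_host = urlsplit(m["referer"]).hostname
    if ref_host and ref_host not in device_hosts:
        findings.add("cross-site-request")
    return sorted(findings)

def triage(lines):
    """Return (source address, findings) for every line that needs review."""
    hits = []
    for line in lines:
        found = classify(line)
        if found:
            hits.append((LINE.match(line)["src"], found))
    return hits

# Constructed sample lines (documentation addresses, placeholder paths).
SAMPLE = [
    '198.51.100.7 - - [03/Jan/2018:10:00:00 +0000] "POST /PLACEHOLDER/multi_uploadify.php HTTP/1.1" 200 12 "-" "client"',
    '198.51.100.7 - - [03/Jan/2018:10:00:05 +0000] "GET /api/2.1/rest/users? HTTP/1.1" 200 900 "-" "client"',
    '192.0.2.20 - - [03/Jan/2018:10:01:00 +0000] "GET /PLACEHOLDER.cgi HTTP/1.1" 200 5 "http://attacker.example/page.html" "browser"',
    '192.0.2.20 - - [03/Jan/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 300 "http://wdmycloud/" "browser"',
]

if __name__ == "__main__":
    for src, found in triage(SAMPLE):
        print(src, ", ".join(found))
```

The access log does not show whether a request was authenticated, so a "user-enumeration" hit from the device's own admin session is expected and only hits from other sources need follow-up.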
Affected My Cloud Firmware Versions and Models
Western Digital's My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all above-reported vulnerabilities.
Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
Metasploit modules for all the vulnerabilities have been released online.