SEC Consult SA-20170307-0 :: Unauthenticated OS command injection & arbitrary file upload in Western Digital WD My Cloud

--------------ms070205030000000106040806
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

SEC Consult Vulnerability Lab Security Advisory < 20170307-0 >
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
              title: Unauthenticated OS command injection & arbitrary fil=
e upload
            product: Western Digital My Cloud
 vulnerable version: at least: 2.21.126 (My Cloud), 2.11.157(My Cloud EX2=
),
                     2.21.126 (My Cloud EX2 Ultra), 2.11.157 (My Cloud EX=
4),
                     2.21.126 (My Cloud EX2100), 2.21.126 (My Cloud EX410=
0),
                     2.11.157 (My Cloud Mirror), 2.21.126 (My Cloud Mirro=
r
                     Gen2), 2.21.126 (My Cloud PR2100), 2.21.126 (My Clou=
d
                     PR4100), 2.21.126 (My Cloud DL2100), 2.21.126 (My Cl=
oud
                     DL4100)
      fixed version: -
         CVE number: -
             impact: Critical
           homepage: https://www.wdc.com/en-um/
              found: 2017-01-17
                 by: Wan Ikram (Office Kuala Lumpur)
                     Fikri Fadzil (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Mo=
scow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Z=
urich

                     https://www.sec-consult.com

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Vendor description:
-------------------
"Reliable, centralized personal storage with automatic backup that plugs =
into
your own home network. Share whatever you want, anywhere you have an Inte=
rnet
connection."

Source: https://www.wdc.com/products/personal-cloud-storage/my-cloud.html=



Business recommendation:
------------------------
By combining the vulnerabilities documented in this advisory an attacker
can fully compromise a WD My Cloud device. In the worst case one could st=
eal
sensitive data stored on the device or use it as a jump host for further
internal attacks.

SEC Consult recommends not to attach WD My Cloud to the network until
a thorough security review has been performed by security professionals a=
nd
all identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
The firmware doesnt apply proper validation on many user inputs. As a
result, below vulnerabilities could be exploited by unauthenticated attac=
kers
to fully compromise the device.

1. Unauthenticated OS Command Injection
Any OS commands can be injected by unauthenticated attackers. This is a
serious vulnerability as the chances for the device to be fully compromis=
e is
very high.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver with no authenticatio=
n
required. It is possible for an attacker to upload a script to issue oper=
ating
system commands.

3. Cross Site Request Forgery (CSRF)
There is no anti-CSRF mechanism implemented in the firmware. Due to this,=
 an
attacker can force a user to execute any action through any script. As th=
e
vulnerabilities described in 1) and 2) do not need authentication, those =
can
be exploited via CSRF over the Internet as well!


Proof of concept:
-----------------
1. Unauthenticated OS Command Injection
Below is a sample cURL request to execute arbitrary OS command for one of=

vulnerable scripts.

$ curl
http://$IP/web/addons/jqueryFileTree.php?host=3Dx&pwd=3Dx&user=3Dx&dir=3D=
x&lang=3Dx";
<os-command-here>; echo "x


2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files on the webserver.

$ curl -F "file=3D@shell.php"
http://$IP/web/addons/upload.php?name=3Dx&folder=3D<target-upload-directo=
ry>&index=3D<script-name>


3. Cross Site Request Forgery (CSRF)
There is no anti-CSRF mechanism implemented for all accessible scripts in=
 the
firmware.


Vulnerable / tested versions:
-----------------------------
The following device & firmware has been tested and found to be vulnerabl=
e:
2.11.157 (My Cloud EX2)

As the firmware used by all My Cloud devices are more or less similar, we=

believe the other versions are also prone to the same vulnerabilities. Th=
is could
be verified by using the IoT Inspector software for automated firmware an=
alysis.


Vendor contact timeline:
------------------------
2017-01-18: Contacting vendor through "WD Support - Create a Support Case=
"
            page (https://support.wdc.com/support/case.aspx?lang=3Den).
            Assigned ticket number - 011817-11728265.
2017-01-19: Vendor: replies to the ticket asking for more clarification.
2017-01-20: Replied to the vendor, requesting security contact and encryp=
tion keys
2017-01-23: Vendor: "we dont have a security department that we could fo=
rward
            this concern"
2017-01-23: Telling support that there seems to be a security contact by
            referencing other WD advisories, requesting security contact =
again
2017-01-24: Vendor: asking for affected product name and firmware version=
=2E
2017-01-24: Providing list of affected product name and firmware versions=
,
            requesting security contact again
2017-01-25: Vendor: informs us that they "have already escalated the case=
 from
            their back end team", they will update us.
2017-02-09: Requesting a status update
2017-02-10: Vendor (support): back end team is already informed, they wil=
l follow
            up
2017-02-10: Vendor security contact emails us
2017-02-16: Asking for encryption information to send advisory
2017-02-16: Vendor (security contact): requests security advisory to be s=
hared
            over unencrypted channel
2017-02-20: Provided advisory and proof of concept through insecure chann=
el as
            requested
2017-02-21: Vendor (security contact): requesting extension of deadline t=
o a
            period of 90 days from the date of detail disclosure
2017-02-22: Informing the vendor that we grant extension of disclosure bu=
t not
            from detail disclosure date (2017-02-20), but from initial co=
ntact
            date (2017-01-18) as they could have reacted faster in the fi=
rst place
            Set latest disclosure date to 2017-04-19 (no answer from vend=
or)
2017-03-03: 3rd party researcher discloses many 0-days, containing our fi=
ndings as
            well, https://www.exploitee.rs/index.php/Western_Digital_MyCl=
oud
2017-03-07: Informing vendor security contact of our public disclosure
2017-03-07: Public disclosure of advisory


Solution:
---------
There is currently no update available from the vendor.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. I=
t
ensures the continued knowledge gain of SEC Consult in the field of netwo=
rk
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evalu=
ation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and v=
alid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consu=
lt?
Contact our local offices https://www.sec-consult.com/en/About/Contact.ht=
m
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Fikri Fadzil / @2017


--------------ms070205030000000106040806
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
CxgwggSvMIIDl6ADAgECAhEA4CPLFRKDU4mtYW56VGdrITANBgkqhkiG9w0BAQsFADBvMQsw
CQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4
dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTE0MTIyMjAwMDAwMFoXDTIwMDUzMDEwNDgzOFowgZsxCzAJBgNVBAYTAkdCMRswGQYD
VQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNP
TU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVu
dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAImxDdp6UxlOcFIdvFamBia3uEngludRq/HwWhNJFaO0jBtgvHpRQqd5jKQi3xdh
TpHVdiMKFNNKAn+2HQmAbqUEPdm6uxb+oYepLkNSQxZ8rzJQyKZPWukI2M+TJZx7iOgwZOak
+FaA/SokFDMXmaxE5WmLo0YGS8Iz1OlAnwawsayTQLm1CJM6nCpToxDbPSBhPFUDjtlOdiUC
ISn6o3xxdk/u4V+B6ftUgNvDezVSt4TeIj0sMC0xf1m9UjewM2ktQ+v61qXxl3dnUYzZ7ifr
vKUHOHaMpKk4/9+M9QOsSb7K93OZOg8yq5yVOhM9DkY6V3RhUL7GQD/L5OKfoiECAwEAAaOC
ARcwggETMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBSSYWuC
4aKgqk/sZ/HCo/e0gADB7DAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAd
BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFs
Q0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVz
ZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQELBQADggEBABsqbqxVwTqriMXY7c1V86prYSvACRAj
mQ/FZmpvsfW0tXdeDwJhAN99Bf4Ss6SAgAD8+x1banICCkG8BbrBWNUmwurVTYT7/oKYz1gb
4yJjnFL4uwU2q31Ypd6rO2Pl2tVz7+zg+3vio//wQiOcyraNTT7kSxgDsqgt1Ni7QkuQaYUQ
26Y3NOh74AEQpZzKOsefT4g0bopl0BqKu6ncyso20fT8wmQpNa/WsadxEdIDQ7GPPprsnjJT
9HaSyoY0B7ksyuYcStiZDcGG4pCS+1pCaiMhEOllx/XVu37qjIUgAmLq0ToHLFnFmTPyOInl
tukWeh95FPZKEBom+nyK+5swggZhMIIFSaADAgECAhAriv4GJbNgG4KONRhUqx20MA0GCSqG
SIb3DQEBCwUAMIGbMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy
MRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UE
AxM4Q09NT0RPIFNIQS0yNTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1h
aWwgQ0EwHhcNMTcwMzAxMDAwMDAwWhcNMjAwMjI5MjM1OTU5WjCCAVcxCzAJBgNVBAYTAkFU
MQ0wCwYDVQQREwQyNzAwMRowGAYDVQQIExFOaWVkZXJvZXN0ZXJyZWljaDEVMBMGA1UEBxMM
V3IuIE5ldXN0YWR0MRkwFwYDVQQJExBLb21hcmlnYXNzZSAxNC8xMS4wLAYDVQQKEyVTRUMg
Q29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIMUkwRwYDVQQLE0BJc3N1ZWQgdGhy
b3VnaCBTRUMgQ29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIIEUtUEtJIE1hbmFn
MR8wHQYDVQQLExZDb3Jwb3JhdGUgU2VjdXJlIEVtYWlsMSYwJAYDVQQDEx1TRUMgQ29uc3Vs
dCBWdWxuZXJhYmlsaXR5IExhYjEnMCUGCSqGSIb3DQEJARYYcmVzZWFyY2hAc2VjLWNvbnN1
bHQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5+LisxDXcLwArMnTESPr
5G/6PY0xWAvPc81sZGgHbf4at31qtZn9eVMGAPx4nJShJVZsB3+0OavWSM1PvcsMgVp8ovIf
gnE05A/LZ4k38pMU+Zl0pcGx5TFQevKmCDwqV9JqLIoleIKHCeQVmZhGC7zccEYvKtvQqWsq
VJDFHPZisoIGl9YS048T8c9al1FQtIx3SDtxZhyigHI1t8kFAHloWGP8KCMIMX6g9FlTIlnQ
YFUAkQ/49KRyUDEHdRZey9hQLuvrgRKWZn1TxeTWW41IZKUQC6Lhb3LgrQzUQoR7dbdASh+3
sqiw1642dkyxChRoOptpoC1Wo5HLTELzYQIDAQABo4IB4DCCAdwwHwYDVR0jBBgwFoAUkmFr
guGioKpP7GfxwqP3tIAAwewwHQYDVR0OBBYEFBEBR5dneBkup36i0hf8pUVsEpMlMA4GA1Ud
DwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcD
AjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEDBTArMCkGCCsGAQUFBwIBFh1odHRwczovL3Nl
Y3VyZS5jb21vZG8ubmV0L0NQUzBdBgNVHR8EVjBUMFKgUKBOhkxodHRwOi8vY3JsLmNvbW9k
b2NhLmNvbS9DT01PRE9TSEEyNTZDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3VyZUVtYWls
Q0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDBYBggrBgEFBQcwAoZMaHR0cDovL2NydC5jb21v
ZG9jYS5jb20vQ09NT0RPU0hBMjU2Q2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFp
bENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCMGA1UdEQQc
MBqBGHJlc2VhcmNoQHNlYy1jb25zdWx0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAQ9HL1/pw
/3RSCgHwSKfAejchG11KoLrm+7xdqBC1nVgJaQeX8smjraljd1PAL4KthtNP0Tr+DNr4d4hQ
WwHz/LnB0iap44v8LTaHTDUbWYD5NsOg8sD1JMQI8Jt6vC7Im+9O/rHxmvhL18hWoK4aIK/k
QG7eOfO5UmurKh7StuhE3t4KKEQnSTUCy+kNe8ut4KZdRs+o+mpSH09ecLo99Qs/FuaZMTgh
hZWkcSC1YT1jQDIF3lRDk+/+HbQ0h34tgPi/wJlI/7moci7B2AzYWFeHWcrGnuE6kZkRWtQV
F/u1NODSMp1DU3EzHLueYNufSYLWHh+yyzNnaoP5u7oLeDGCBEEwggQ9AgEBMIGwMIGbMQsw
CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm
b3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UEAxM4Q09NT0RPIFNIQS0y
NTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0ECECuK/gYls2Ab
go41GFSrHbQwDQYJYIZIAWUDBAIBBQCgggJhMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTE3MDMwNzA5NDIxM1owLwYJKoZIhvcNAQkEMSIEIBkfJcDhyGRy
ZNpr1k3geKB1+hJdqFT0BYldGIyO+I8rMGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEq
MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwIC
AUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgcEGCSsGAQQBgjcQBDGBszCBsDCBmzELMAkG
A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9y
ZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2
IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KO
NRhUqx20MIHDBgsqhkiG9w0BCRACCzGBs6CBsDCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP
IENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNh
dGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KONRhUqx20MA0GCSqGSIb3DQEB
AQUABIIBACwbIE6uUINpkEFmwoCz6WJaVEj028sIvsYQX4IKYxVL8gXLxd8bhgdFkPzHKbk8
m6XwbZIp6KZI7a1lxJV4PsrJ5+OPV//6w6RYV887WSF/jBNRWRrH7htpdLO8/G6fHXPpICqf
8n/Vx0YOvFJ41KCop85hMvFEGHupS6hQgJpsmWyFpcLVOnMDdwQ9l00LM9nAJthd9j+PI40b
VpQ+V64+vCXXMqJP1ZUsHHVOG2fu7WzMCPPpTgGXb4BnASjnU84LnD1bOIu2gcRThHPeNwjV
UMu0a1g/azx2YT3LHmlgkWEjQsOFrYdxngbmFk+AjUO5xlsdzebnsoSbL0bWOLkAAAAAAAA=
--------------ms070205030000000106040806--