Western Digital My Cloud Command Injection / File Upload

`SEC Consult Vulnerability Lab Security Advisory < 20170307-0 >  
=======================================================================  
title: Unauthenticated OS command injection & arbitrary file upload  
product: Western Digital My Cloud  
vulnerable version: at least: 2.21.126 (My Cloud), 2.11.157(My Cloud EX2),  
2.21.126 (My Cloud EX2 Ultra), 2.11.157 (My Cloud EX4),  
2.21.126 (My Cloud EX2100), 2.21.126 (My Cloud EX4100),  
2.11.157 (My Cloud Mirror), 2.21.126 (My Cloud Mirror  
Gen2), 2.21.126 (My Cloud PR2100), 2.21.126 (My Cloud  
PR4100), 2.21.126 (My Cloud DL2100), 2.21.126 (My Cloud  
DL4100)  
fixed version: -  
CVE number: -  
impact: Critical  
homepage: https://www.wdc.com/en-um/  
found: 2017-01-17  
by: Wan Ikram (Office Kuala Lumpur)  
Fikri Fadzil (Office Kuala Lumpur)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Reliable, centralized personal storage with automatic backup that plugs into  
your own home network. Share whatever you want, anywhere you have an Internet  
connection."  
  
Source: https://www.wdc.com/products/personal-cloud-storage/my-cloud.html  
  
  
Business recommendation:  
------------------------  
By combining the vulnerabilities documented in this advisory an attacker  
can fully compromise a WD My Cloud device. In the worst case one could steal  
sensitive data stored on the device or use it as a jump host for further  
internal attacks.  
  
SEC Consult recommends not to attach WD My Cloud to the network until  
a thorough security review has been performed by security professionals and  
all identified issues have been resolved.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The firmware doesn't apply proper validation on many user inputs. As a  
result, below vulnerabilities could be exploited by unauthenticated attackers  
to fully compromise the device.  
  
1. Unauthenticated OS Command Injection  
Any OS commands can be injected by unauthenticated attackers. This is a  
serious vulnerability as the chances for the device to be fully compromise is  
very high.  
  
2. Unauthenticated Arbitrary File Upload  
A malicious file can be uploaded into the webserver with no authentication  
required. It is possible for an attacker to upload a script to issue operating  
system commands.  
  
3. Cross Site Request Forgery (CSRF)  
There is no anti-CSRF mechanism implemented in the firmware. Due to this, an  
attacker can force a user to execute any action through any script. As the  
vulnerabilities described in 1) and 2) do not need authentication, those can  
be exploited via CSRF over the Internet as well!  
  
  
Proof of concept:  
-----------------  
1. Unauthenticated OS Command Injection  
Below is a sample cURL request to execute arbitrary OS command for one of  
vulnerable scripts.  
  
$ curl  
http://$IP/web/addons/jqueryFileTree.php?host=x&pwd=x&user=x&dir=x&lang=x\"\;  
<os-command-here>\; echo \"x  
  
  
2. Unauthenticated Arbitrary File Upload  
Below is the cURL request to upload arbitrary files on the webserver.  
  
$ curl -F "[email protected]"  
http://$IP/web/addons/upload.php?name=x&folder=<target-upload-directory>&index=<script-name>  
  
  
3. Cross Site Request Forgery (CSRF)  
There is no anti-CSRF mechanism implemented for all accessible scripts in the  
firmware.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following device & firmware has been tested and found to be vulnerable:  
2.11.157 (My Cloud EX2)  
  
As the firmware used by all My Cloud devices are more or less similar, we  
believe the other versions are also prone to the same vulnerabilities. This could  
be verified by using the IoT Inspector software for automated firmware analysis.  
  
  
Vendor contact timeline:  
------------------------  
2017-01-18: Contacting vendor through "WD Support - Create a Support Case"  
page (https://support.wdc.com/support/case.aspx?lang=en).  
Assigned ticket number - 011817-11728265.  
2017-01-19: Vendor: replies to the ticket asking for more clarification.  
2017-01-20: Replied to the vendor, requesting security contact and encryption keys  
2017-01-23: Vendor: "we don't have a security department that we could forward  
this concern"  
2017-01-23: Telling support that there seems to be a security contact by  
referencing other WD advisories, requesting security contact again  
2017-01-24: Vendor: asking for affected product name and firmware version.  
2017-01-24: Providing list of affected product name and firmware versions,  
requesting security contact again  
2017-01-25: Vendor: informs us that they "have already escalated the case from  
their back end team", they will update us.  
2017-02-09: Requesting a status update  
2017-02-10: Vendor (support): back end team is already informed, they will follow  
up  
2017-02-10: Vendor security contact emails us  
2017-02-16: Asking for encryption information to send advisory  
2017-02-16: Vendor (security contact): requests security advisory to be shared  
over unencrypted channel  
2017-02-20: Provided advisory and proof of concept through insecure channel as  
requested  
2017-02-21: Vendor (security contact): requesting extension of deadline to a  
period of 90 days from the date of detail disclosure  
2017-02-22: Informing the vendor that we grant extension of disclosure but not  
from detail disclosure date (2017-02-20), but from initial contact  
date (2017-01-18) as they could have reacted faster in the first place  
Set latest disclosure date to 2017-04-19 (no answer from vendor)  
2017-03-03: 3rd party researcher discloses many 0-days, containing our findings as  
well, https://www.exploitee.rs/index.php/Western_Digital_MyCloud  
2017-03-07: Informing vendor security contact of our public disclosure  
2017-03-07: Public disclosure of advisory  
  
  
Solution:  
---------  
There is currently no update available from the vendor.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Fikri Fadzil / @2017  
  
`