Security researchers have discovered several severe vulnerabilities in addition to also also a secret hard-coded backdoor in Western Digital’s My Cloud NAS devices in which could allow remote attackers to gain unrestricted root access to the device.
Western Digital’s My Cloud (WDMyCloud) is usually one of the most favorite network-attached storage devices which is usually being used by individuals in addition to also also businesses to host their files, in addition to also also automatically backup in addition to also also sync them with various cloud in addition to also also web-based services.
The device lets users not only share files in a home network, yet the private cloud feature also allows them to access their data through anywhere at any time.
Since these devices have been designed to be connected over the Internet, the hardcoded backdoor would likely leave user data open to hackers.
GulfTech research in addition to also also development team has recently published an advisory detailing a hardcoded backdoor in addition to also also several vulnerabilities the item found in WD My Cloud storage devices in which could allow remote attackers to inject their own commands in addition to also also upload in addition to also also download sensitive files without permission.
Noteworthy, James Bercegay of GulfTech contacted the vendor in addition to also also reported the issues in June last year. The vendor confirmed the vulnerabilities in addition to also also requested a period of 90 days until full disclosure.
On 3rd January (in which’s almost after 180 days), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.
Unrestricted File Upload Flaw Leads to Remote Exploitation
As the name suggests, This specific vulnerability allows a remote attacker to upload an arbitrary file to the server running on the internet-connected vulnerable storage devices.
The vulnerability resides in “multi_uploadify.php” script due to the wrong implementation of gethostbyaddr() PHP function by the developers.
This specific vulnerability can also be easily exploited to gain a remote shell as root. just for This specific, all an attacker has to do is usually send a post request containing a file to upload using the parameter Filedata—a location for the file to be uploaded to which is usually specified within the “folder” parameter, in addition to also also a fake “Host” header.
The researcher has also written a Metasploit module to exploit This specific vulnerability.
“The [metasploit] module will use This specific vulnerability to upload a PHP webshell to the “/var/www/” directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, in addition to also also so triggering the payload,” the researcher writes.
Hard Coded Backdoor Leads to Remote Exploitation
Researchers also found the existence of a “classic backdoor”—with admin username “mydlinkBRionyg” in addition to also also password “abc12345cba,” which is usually hardcoded into the binary in addition to also also cannot be changed.
So, anyone can just log into WD My Cloud devices with these credentials.
Also, using This specific backdoor access, anyone can access the buggy code which is usually vulnerable to command injection in addition to also also spawn a root shell.
“The triviality of exploiting This specific issues makes the item very dangerous, in addition to also also even wormable,” the researcher notes. “Not only in which, yet users locked to a LAN are not safe either.”
“An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as ‘wdmycloud’ in addition to also also ‘wdmycloudmirror’ etc.”
different Vulnerabilities in Western Digital’s My Cloud
Besides these two above-mentioned critical vulnerabilities, researchers also reported some different below-explained important flaws:
Cross-site request forgery:
Due to no real XSRF protection within the WD My Cloud web interface, any malicious site can potentially make a victim’s web browser connect to a My Cloud device on the network in addition to also also compromise the item.
Simply visiting a booby-trapped website would likely be enough to lose control of your My Cloud device.
In March last year, a member of the Exploitee.rs team discovered several command injection issues within the WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.
Unfortunately, the GulfTech team also uncovered a few command injection flaws.
Denial of Service:
Researchers also found in which since any unauthenticated user can set the global language preferences for the entire storage device in addition to also also all of its users, the item is usually possible for an attacker to abuse This specific functionality to cause a DoS condition to the web interface.
According to researchers, the item is usually possible for an attacker to dump a list of all users, including detailed user information without requiring any authentication, by simply doing use of a simple request to the web server like This specific: GET /api/2.1/rest/users? HTTP/1.1
Affected My Cloud Firmware Versions in addition to also also products
Western Digital’s My Cloud in addition to also also My Cloud Mirror firmware type 2.30.165 in addition to also also earlier are affected by all above-reported vulnerabilities.
Affected device products include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 in addition to also also My Cloud DL4100.
Metasploit modules for all the vulnerabilities have been released online.