Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital’s My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.
Western Digital’s My Cloud (WDMyCloud) is one of the most popular network-attached storage devices which is being used by individuals and businesses to host their files, and automatically backup and sync them with various cloud and web-based services.
The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time.
Since these devices have been designed to be connected over the Internet, the hardcoded backdoor would leave user data open to hackers.
GulfTech research and development team has recently published an advisory detailing a hardcoded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and upload and download sensitive files without permission.
Noteworthy, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.
On 3rd January (that’s almost after 180 days), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.
Unrestricted File Upload Flaw Leads to Remote Exploitation
As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the server running on the internet-connected vulnerable storage devices.
The vulnerability resides in “multi_uploadify.php” script due to the wrong implementation of gethostbyaddr() PHP function by the developers.
This vulnerability can also be easily exploited to gain a remote shell as root. For this, all an attacker has to do is send a post request containing a file to upload using the parameter Filedata—a location for the file to be uploaded to which is specified within the “folder” parameter, and a fake “Host” header.
The researcher has also written a Metasploit module to exploit this vulnerability.
“The [metasploit] module will use this vulnerability to upload a PHP webshell to the “/var/www/” directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload,” the researcher writes.
Hard Coded Backdoor Leads to Remote Exploitation
Researchers also found the existence of a “classic backdoor”—with admin username “mydlinkBRionyg” and password “abc12345cba,” which is hardcoded into the binary and cannot be changed.
To read the original article: