ID

VAR-E-201701-0323


CVE

cve_id:CVE-2018-17153

Trust: 1.3

cve_id:CVE-2016-10108

Trust: 0.8

sources: BID: 105359 // BID: 95200 // PACKETSTORM: 149429 // PACKETSTORM: 173802

TITLE

Western Digital My Cloud Authentication Bypass

Trust: 0.5

sources: PACKETSTORM: 149429

DESCRIPTION

It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device. This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.

Trust: 0.5

sources: PACKETSTORM: 149429

AFFECTED PRODUCTS

vendor: western digital | model: my cloud wdbctl0020hwt | scope: eq | version: 2.30.172

Trust: 0.3

vendor: western digital | model: my cloud pr4100 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud pr2100 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud mirror gen 2 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud mirror | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud ex4100 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud ex4 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud ex2100 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud ex2 ultra | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud ex2 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud dl4100 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: my cloud dl2100 | scope: eq | version: 0

Trust: 0.3

vendor: western digital | model: mycloud nas | scope: eq | version: 2.11.142

Trust: 0.3

sources: BID: 105359 // BID: 95200 // PACKETSTORM: 149429 // PACKETSTORM: 173802

EXPLOIT

------------------------------------------------------------------------
Authentication bypass vulnerability in Western Digital My Cloud allows
escalation to admin privileges
------------------------------------------------------------------------
Remco Vermeulen, September 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Western Digital My Cloud is affected by an
authentication bypass vulnerability. An unauthenticated attacker can
exploit this vulnerability to authenticate as an admin user without
needing to provide a password, thereby gaining full control of the My
Cloud device.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
CVE-2018-17153

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This vulnerability was successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue
is not limited to the model that was used to find this vulnerability
since most of the products in the My Cloud series share the same
(vulnerable) code.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------

Whenever an admin authenticates, a server-side session is created that is bound to the client's IP address. Once that session exists, authenticated CGI modules can be called by sending the cookie username=admin in the HTTP request: the invoked CGI only checks that a valid session exists and is bound to the requesting IP address.

It was found that an unauthenticated attacker can create such a session without authenticating at all. The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that, when invoked with the parameter flag equal to 1, starts an admin session tied to the IP address of the client making the request. Subsequent invocations of commands that would normally require admin privileges are then authorized as long as the attacker sets the username=admin cookie. Note that the session is keyed on source IP only, so the attacker needs no secret and no knowledge of the real admin password; anything on the same network path as the device can trigger it.

Proof of concept

The following steps can be used to exploit this issue. First, establish an admin session tied to the IP of the requester:

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1

Next, call an endpoint (e.g., cgi_get_ssh_pw_status) that requires admin privileges and authenticate as admin by adding the cookie username=admin.

Setting the cookie in the browser through the console before visiting the dashboard will authenticate the user as the administrator.

Timeline

- 09 April 2017: Discovered vulnerability.
- 10 April 2017: Reported to Western Digital customer support.
- ...: No more vendor response :/
- 17 September 2018: Requested CVE
- 18 September 2018: CVE-2018-17153 assigned
- 18 September 2018: Published details

Trust: 0.5

sources: PACKETSTORM: 149429

EXPLOIT HASH

LOCAL

SOURCE

md5: 8137c7cec868dfc1cc789683ce268ce8
sha-1: 04ffdb27d857215ad53f7241a7e2b027fb1097da
sha-256: d932fe2ac618b65b67fd2884481f4279bcc3c61802d9521bc7877fecf8dee16b

Trust: 0.5

sources: PACKETSTORM: 149429

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 149429

TYPE

bypass

Trust: 0.5

sources: PACKETSTORM: 149429

TAGS

tag:exploit

Trust: 1.0

tag:bypass

Trust: 0.5

tag:remote

Trust: 0.5

tag:web

Trust: 0.5

tag:cgi

Trust: 0.5

tag:root

Trust: 0.5

tag:php

Trust: 0.5

tag:vulnerability

Trust: 0.5

tag:code execution

Trust: 0.5

sources: PACKETSTORM: 149429 // PACKETSTORM: 173802

CREDITS

Securify B.V., Remco Vermeulen

Trust: 0.5

sources: PACKETSTORM: 149429

EXTERNAL IDS

db:NVDid:CVE-2018-17153

Trust: 1.3

db:NVDid:CVE-2016-10108

Trust: 0.8

db:PACKETSTORMid:149429

Trust: 0.5

db:PACKETSTORMid:173802

Trust: 0.5

db:BIDid:105359

Trust: 0.3

db:BIDid:95200

Trust: 0.3

sources: BID: 105359 // BID: 95200 // PACKETSTORM: 149429 // PACKETSTORM: 173802

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2018-17153

Trust: 1.0

url:https://www.wdc.com

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2016-10108

Trust: 0.5

url:https://www.securify.nl/advisory/sfy20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

Trust: 0.3

url:https://blog.westerndigital.com/western-digital-my-cloud-update/

Trust: 0.3

url:https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/

Trust: 0.3

sources: BID: 105359 // BID: 95200 // PACKETSTORM: 149429 // PACKETSTORM: 173802

SOURCES

db:BIDid:105359
db:BIDid:95200
db:PACKETSTORMid:149429
db:PACKETSTORMid:173802

LAST UPDATE DATE

2023-12-13T13:21:29.676000+00:00


SOURCES UPDATE DATE

db:BIDid:105359date:2018-09-19T00:00:00
db:BIDid:95200date:2017-01-12T00:11:00

SOURCES RELEASE DATE

db:BIDid:105359date:2018-09-19T00:00:00
db:BIDid:95200date:2017-01-03T00:00:00
db:PACKETSTORMid:149429date:2018-09-19T01:49:46
db:PACKETSTORMid:173802date:2023-07-28T14:03:45