WD My Cloud RCE PoC Exploit
WD My Cloud EX2 Ultra versions 2.31.149 and 2.31.163.
Should work on other MyCloud models.
For the write-up, go here.
- `login_mgr.cgi` matches credentials against `/etc/shadow`, therefore the "nobody" account can be used to gain a low-privilege user session by providing "nobody"'s default, empty password.
- `cgi-bin/webfile_mgr.cgi` allows an attacker in the same network to perform command injection by abusing the "name" parameter to the
- `cgi-bin/webfile_mgr.cgi` allows an attacker in the same network to issue the `cgi_untar` command on a user-controlled archive to create a persistent symbolic link on the filesystem, which can be written into by issuing the command again.
- `web/jquery/uploader/uploadify.php` can be accessed without any credentials and allows uploading arbitrary files to any location on the attached storage under either:
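For defenders, the four findings above translate into web-server log checks. The following is an added example, not code from this repository or from the write-up: it scans constructed combined-format access-log lines for logins as the built-in "nobody" account, `cgi_untar` requests and shell metacharacters in the `name` parameter of `webfile_mgr.cgi`, and any use of the credential-less `uploadify.php`. The log format and every query parameter name other than `name` are assumptions, not the device's real ones.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (assumed). Query
# parameter names other than "name" are placeholders, not the real ones.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2019:10:00:01 +0000] "POST /cgi-bin/login_mgr.cgi?user=nobody&pw= HTTP/1.1" 200 128
192.0.2.10 - - [01/Mar/2019:10:00:05 +0000] "GET /cgi-bin/webfile_mgr.cgi?cmd=cgi_untar&file=/tmp/a.tar HTTP/1.1" 200 64
192.0.2.10 - - [01/Mar/2019:10:00:09 +0000] "GET /cgi-bin/webfile_mgr.cgi?name=x%3Bid HTTP/1.1" 200 64
192.0.2.10 - - [01/Mar/2019:10:00:12 +0000] "POST /web/jquery/uploader/uploadify.php HTTP/1.1" 200 16
192.0.2.20 - - [01/Mar/2019:10:01:00 +0000] "GET /cgi-bin/webfile_mgr.cgi?name=report.txt HTTP/1.1" 200 64
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"')
SHELL_META = re.compile(r'[;&|`$<>\n]')  # characters that should never appear in a file name

def classify(url):
    """Return the findings a single request URL matches (empty list if none)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)  # percent-decodes values, e.g. %3B -> ';'
    values = [v for vs in params.values() for v in vs]
    hits = []
    if parts.path.endswith("/login_mgr.cgi") and "nobody" in values:
        hits.append("login as built-in 'nobody' account")
    if parts.path.endswith("/webfile_mgr.cgi"):
        if "cgi_untar" in values:
            hits.append("cgi_untar archive extraction (symlink risk)")
        if any(SHELL_META.search(v) for v in params.get("name", [])):
            hits.append("shell metacharacters in 'name' parameter")
    if parts.path.endswith("/uploadify.php"):
        hits.append("unauthenticated uploadify.php endpoint used")
    return hits

def scan_log(text):
    """Return (client_ip, finding) pairs for every suspicious request.
    Only query strings are visible in an access log; parameters carried in a
    POST body are not logged and need request-level inspection instead."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for hit in classify(m.group("url")):
            findings.append((m.group("ip"), hit))
    return findings

if __name__ == "__main__":
    for ip, hit in scan_log(SAMPLE_LOG):
        print(f"{ip}: {hit}")
```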
- 🍄 reported to email@example.com with 30-day deadline
- ᴡᴅ sent an automated(?) response
- 🍄 requested confirmation of issues
- ᴡᴅ asked for 90 days to fix the issues
- 🍄 requested status update
- ᴡᴅ asked for additional 90-day extension
- 🍄 agreed on 30-day extension
- ᴡᴅ released first patch (CVE-2019-9950, CVE-2019-9951)
- ᴡᴅ released second patch (CVE-2019-9949)