Skip to content
WD My Cloud PoC exploit
Python Shell
Branch: master
Clone or download
bnbdr
Latest commit 31ad7ed May 22, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md public disclosure May 22, 2019
exploit.py public disclosure May 22, 2019
payload.sh public disclosure May 22, 2019
wd.py public disclosure May 22, 2019

README.md

WD My Cloud RCE PoC Exploit

Tested on WD My Cloud EX2 Ultra versions 2.31.149 and 2.31.163. Should work on other MyCloud models.

for the write-up go here.

Authentication bypass to acquire user-session (CVE-2019-9950)

  • login_mgr.cgi matches credentials against /etc/shadow, therefore the "nobody" account can be used to gain a low-privilege user session by providing "nobody"'s default, empty password.

Root-RCE using low-privilege session (CVE-2019-9949)

  1. cgi-bin/webfile_mgr.cgi allows an attacker in the same network to perform command injection by abusing the "name" parameter to the cgi_unzip command.

  2. cgi-bin/webfile_mgr.cgi allows an attacker in the same network to issue the cgi_untar command on a user-controlled archive to create a persistent symbolic link on the filesystem which can be written into by issuing the command again.

Unauthenticated file upload (CVE-2019-9951)

The page web/jquery/uploader/uploadify.php can be accesses without any credentials and allows uploading arbitrary files to any location on the attached storage under either:

  • /mnt/HD
  • /mnt/USB
  • /mnt/isoMount

Disclosure timeline

  • 2019-01-20 🍄 reported to psirt@wdc.com with 30-day deadline
  • 2019-01-22 ᴡᴅ sent an automated(?) response
  • 2019-02-05 🍄 requested comfirmation of issues
  • 2019-02-06 ᴡᴅ asked for 90 days to fix the issues
  • 2019-03-05 🍄 requested status update
  • 2019-03-15 ᴡᴅ asked for additional 90-day extension
  • 2019-03-16 🍄 agreed on 30-day extension
  • 2019-03-27 ᴡᴅ released first patch (CVE-2019-9950, CVE-2019-9951)
  • 2019-05-20 ᴡᴅ release of second patch (CVE-2019-9949)
  • 2019-05-22 🍄 public disclosure
You can’t perform that action at this time.