WD My Cloud RCE PoC Exploit
Tested on WD My Cloud EX2 Ultra versions 2.31.149 and 2.31.163.
Should work on other MyCloud models.
For the write-up, go here.
Authentication bypass to acquire user-session (CVE-2019-9950)
`login_mgr.cgi` matches the supplied credentials against `/etc/shadow`. The `nobody` account has an empty password by default, so logging in as `nobody` with an empty password yields a low-privilege user session.
Root-RCE using low-privilege session (CVE-2019-9949)
- `cgi-bin/webfile_mgr.cgi` allows an attacker on the same network to perform command injection by abusing the `name` parameter of the `cgi_unzip` command.
- `cgi-bin/webfile_mgr.cgi` allows an attacker on the same network to issue the `cgi_untar` command on a user-controlled archive to create a persistent symbolic link on the filesystem, which can then be written through by issuing the command again.
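The `cgi_untar` primitive above is a two-step archive attack: the first archive plants a symlink member, the second carries a regular file under the same member name, and an extractor that trusts member names writes through the planted link. The following is an added example, not the PoC from this repository: it reproduces the effect with Python's `tarfile` in a throwaway directory (the `share`/`etc/target.conf` layout and the file contents are constructed stand-ins, not paths from the device), and shows the checks an extractor needs to refuse both steps, including the case where a link was already left behind by an earlier, vulnerable extraction.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build an in-memory tar archive.

    members: iterable of (name, payload, is_symlink). For a symlink member the
    payload is the link target; otherwise it is the file's text contents.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload, is_symlink in members:
            info = tarfile.TarInfo(name)
            if is_symlink:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_extract(blob, dest):
    """Mimics an extractor that trusts member names: it creates symlinks as
    instructed and opens file members for writing by name, which follows a
    symlink left behind by an earlier extraction."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if m.issym():
                if os.path.lexists(target):
                    os.unlink(target)
                os.symlink(m.linkname, target)
            elif m.isfile():
                with open(target, "wb") as fh:  # follows an existing symlink
                    fh.write(tar.extractfile(m).read())


class UnsafeMember(Exception):
    pass


def safe_extract(blob, dest):
    """Hardened extraction: no link members at all, no absolute or '..' names,
    and the resolved write path must stay inside dest even if something on
    the filesystem at that name is already a symlink."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                raise UnsafeMember(f"link member refused: {m.name}")
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                raise UnsafeMember(f"path escapes destination: {m.name}")
            target = os.path.join(root, m.name)
            if os.path.commonpath([root, os.path.realpath(target)]) != root:
                raise UnsafeMember(f"resolved path leaves destination: {m.name}")
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(tar.extractfile(m).read())
            else:
                raise UnsafeMember(f"special member refused: {m.name}")


def demo():
    """Run the two-step attack in a temporary tree; return what each extractor did."""
    with tempfile.TemporaryDirectory() as top:
        share = os.path.join(top, "share")          # stand-in for the NAS share
        etc = os.path.join(top, "etc")
        victim = os.path.join(etc, "target.conf")   # constructed stand-in for a system file
        os.makedirs(share)
        os.makedirs(etc)
        with open(victim, "w") as fh:
            fh.write("original\n")

        plant = build_tar([("link", victim, True)])                    # step 1: symlink member
        overwrite = build_tar([("link", "attacker controlled\n", False)])  # step 2: same name, regular file
        naive_extract(plant, share)
        naive_extract(overwrite, share)
        with open(victim) as fh:
            clobbered = fh.read()

        # Hardened extractor, with a link already planted by a vulnerable run.
        share2 = os.path.join(top, "share2")
        os.makedirs(share2)
        os.symlink(victim, os.path.join(share2, "link"))
        escape = build_tar([("../escape", "x\n", False)])
        rejected = []
        for blob in (plant, overwrite, escape):
            try:
                safe_extract(blob, share2)
                rejected.append(None)
            except UnsafeMember as exc:
                rejected.append(str(exc).split(":")[0])
        return {"clobbered": clobbered, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The naive extractor deliberately opens file members by name; whether a given `tar` implementation does the same depends on its version and flags, so the example models the behaviour the write-up attributes to the device rather than any particular tar binary. The `realpath` check in `safe_extract` is what catches the second step even when the symlink predates the hardened code.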
Unauthenticated file upload (CVE-2019-9951)
The page `web/jquery/uploader/uploadify.php` can be accessed without any credentials and allows uploading arbitrary files to any location on the attached storage under any of:
- /mnt/HD
- /mnt/USB
- /mnt/isoMount
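For defenders, the three endpoints above are worth a retroactive look in the NAS web-server access log. The following is an added example, not part of this repository: a small scanner that flags hits on `uploadify.php`, `cgi_untar` calls, and `cgi_unzip` calls whose `name` carries shell metacharacters. The log lines are constructed, the access-log layout is assumed to be Apache/nginx style, and the `cmd` parameter name and the presence of parameters in the logged request line are assumptions, since this README does not state how the commands are passed. The login bypass itself is not covered: credentials normally travel in a request body that access logs do not record.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx-style access log: client, identd, user, [time], "METHOD URI PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Characters that let a parameter value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\n]")

UNZIP_INJECTION = "cgi_unzip-name-injection"        # CVE-2019-9949
UNTAR_ARCHIVE = "cgi_untar-user-archive"            # CVE-2019-9949 (symlink variant)
UPLOADIFY_HIT = "uploadify-unauthenticated-upload"  # CVE-2019-9951

# Constructed sample; not real device logs.
SAMPLE_LOG = """\
10.0.0.7 - - [20/Jan/2019:10:00:01 +0000] "GET /cgi-bin/webfile_mgr.cgi?cmd=cgi_unzip&name=a.zip HTTP/1.1" 200 123
10.0.0.7 - - [20/Jan/2019:10:00:02 +0000] "GET /cgi-bin/webfile_mgr.cgi?cmd=cgi_unzip&name=a.zip%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 123
10.0.0.7 - - [20/Jan/2019:10:00:03 +0000] "POST /web/jquery/uploader/uploadify.php HTTP/1.1" 200 45
10.0.0.7 - - [20/Jan/2019:10:00:04 +0000] "GET /cgi-bin/webfile_mgr.cgi?cmd=cgi_untar&name=x.tar HTTP/1.1" 200 88
10.0.0.9 - - [20/Jan/2019:10:00:05 +0000] "GET /web/index.html HTTP/1.1" 200 9000
"""


def classify(uri):
    """Return a verdict tag for a request URI, or None if it looks benign."""
    parts = urlsplit(uri)
    params = parse_qs(parts.query)   # percent-decodes values, e.g. %3B -> ';'
    path = parts.path
    if path.endswith("/web/jquery/uploader/uploadify.php"):
        return UPLOADIFY_HIT        # any hit: the page needs no credentials
    if path.endswith("/cgi-bin/webfile_mgr.cgi"):
        cmd = params.get("cmd", [""])[0]    # assumed parameter name
        name = params.get("name", [""])[0]  # parameter named in the README
        if cmd == "cgi_unzip" and SHELL_META.search(name):
            return UNZIP_INJECTION
        if cmd == "cgi_untar":
            return UNTAR_ARCHIVE    # review the archive for symlink members
    return None


def scan(log_text):
    """Yield (client ip, uri, verdict) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["uri"])
        if verdict:
            hits.append((m["ip"], m["uri"], verdict))
    return hits


if __name__ == "__main__":
    for ip, uri, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:36} {ip} {uri}")
```

`cgi_untar` is flagged on every call because the log cannot show whether the archive contained a symlink; the archive itself, or the share it was unpacked into, is what to inspect next.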
Disclosure timeline
- 2019-01-20: reporter sent the issues to psirt@wdc.com with a 30-day deadline
- 2019-01-22: WD sent an automated(?) response
- 2019-02-05: reporter requested confirmation of the issues
- 2019-02-06: WD asked for 90 days to fix the issues
- 2019-03-05: reporter requested a status update
- 2019-03-15: WD asked for an additional 90-day extension
- 2019-03-16: reporter agreed to a 30-day extension
- 2019-03-27: WD released the first patch (CVE-2019-9950, CVE-2019-9951)
- 2019-05-20: WD released the second patch (CVE-2019-9949)
- 2019-05-22: public disclosure