Add wd_mycloud_unauthenticated_cmd_injection module and docs (CVE-2016-10108 and CVE-2018-17153) #18221
I will add docs later, but wanted to submit this ASAP since I only have access to my target for a limited time as mentioned (hopefully until Monday, but access may be cut off before).
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Thanks @ErikWynter for this module! It looks great! I just left a few comments. I also reviewed the HTTP trace you sent and it looks good. Please, can you also record a trace selecting the other target? I believe this one only shows the Linux Dropper target (Meterpreter session).
@cdelafuente-r7 Thanks for the review! I'll try to get to these tonight. I double checked the HTTPTrace I sent but it already includes both targets. Lines 1-1136 show the Unix target and then I switched to the Linux Dropper:
Oh my bad! I got lost in the huge HTTP trace file and missed this. Thank you for the heads-up!
@cdelafuente-r7 no worries, it was a ridiculously large trace file so I totally understand. I just pushed fixes for all the issues mentioned. I also fixed one print statement to be consistent with the others. It's working great:
btw I'll try and add the docs tomorrow
Thanks for updating this! Everything looks good to me now. I'll land it once the documentation is ready.
@cdelafuente-r7 I just added the docs too. Please let me know if anything else is needed. :)
Everything looks good! I'll go ahead and land it. Thank you for your contribution!
Release Notes
This adds an exploit module for authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196. The module first performs a check to validate if the target is vulnerable by attempting to leverage an authentication bypass followed by injecting a simple
About
This change adds an exploit module for authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196.
Vulnerable Application
Western Digital MyCloud before 2.30.196. The module has been tested against 2.30.183.
Some notes:
For more info, see:
Target Information
I only have temporary access to the target and I haven't found a way to install a vulnerable target myself. Because of that, I will email a spool file to the msfdev team. This file has output from running the module with HTTPTRACE for both targets. I've taken this approach in the past, so I hope that is sufficient.
That being said, I did find this post with download links for WD MyCloud versions, but the links to the firmware no longer seem to work. The links to the source code do work.
Verification Steps
use exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection
set RHOSTS [IP]
set LHOST [IP]
exploit
Options
TARGETURI
The base path to WD MyCloud. The default value is /.
Targets
Scenarios
Western Digital MyCloud 2.30.183 - Unix In-Memory
Western Digital MyCloud 2.30.183 - Linux Dropper