Add wd_mycloud_multiupload_upload exploit #9248
|
Thanks @Zenofex Please send a PCAP to msfdev [at] metasploit.com |
| ], | ||
| 'References' => | ||
| [ | ||
| ['URL', 'https://www.exploitee.rs/index.php/Western_Digital_MyCloud'], |
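Review bot: The 'References' entry shown here is a single ['URL', ...] that appears to point at the product-level Western_Digital_MyCloud wiki page, not at the write-up of this specific upload issue, and a wiki page can change after the module lands. Link to the section or advisory that documents this finding, and add an identifier entry (CVE or similar) next to it once one is assigned so the module can be cross-referenced.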
This looks like it wants to be a deeplink to the actual vuln:
And if this is the first place the vuln has been properly documented, feel free to add a link to this PR:
If it's described in a published DEFCON talk, a link to that presentation or paper would be super handy, too.
|
So there's no CVE or BID or any other kind of reference number or name on this module. I'm pretty sure I recall you mentioning that you already disclosed to the vendor before DEFCON -- did they assign a ticket number or anything? I just would like to follow up with them and ask if they'd like us to assign a CVE for this. |
|
Hey todb, We disclosed to the vendor at DEFCON 25 and in the weeks after over email but they have been unresponsive. We do not have a CVE but are happy to do whatever you think is appropriate. I can add a link to the presentation slides and/or video as well, how would you like me to proceed? |
|
Yep, a link to the presentation material in the References would be super helpful. I'll bug them and see if I can't get a response myself. Thanks, @Zenofex ! |
|
Verified pcap, this looks good. Thanks @Zenofex |
|
Added the requested additional reference URLs. todb, let me know if anything is needed from me for the CVEs. |
|
Welp, it's been 9 days and I haven't heard anything back -- and according to our CNA agreement, we shan't be assigning a CVE unless the vendor acknowledges. So, the lack of CVE shouldn't hold anything up, since we have decent secondary references. I'll bug CERT/CC and see if they can toss one our way. If so, I'll add it post-facto. |
|
Reported to CERT/CC, they have a tracking number VRF#17-12-JQCYD for it now. |
|
CVE Request 432582 for CVE ID filed. Because Western Digital has failed to acknowledge this vulnerability (despite the overwhelming evidence that it exists), Rapid7 is unable to assign a CVE ourselves. We've sent the request up to MITRE who can assign out of their block (we used to get these out of CERT/CC, but apparently that's not how it works anymore, which is fine). |
|
CVE-2017-17560 has been allocated for this. I think we're good to land this, right @bcoles ? I can either ninja-edit the references to include this on merging, or you can. |
|
@todb-r7 +1 looks good to me |
|
Added cve reference and landed 125a079 - thanks! |
Release Notes
This adds a Western Digital MyCloud unauthenticated command execution exploit, CVE-2017-17560. |
|
Woohoo, thanks everyone! |
This pull request adds a Western Digital MyCloud unauthenticated command execution exploit.
This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172.
Verification
msfconsole
use exploit/linux/http/wd_mycloud_multiupload_upload
set RHOST [IP]
check
run
Example Output
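
A defender-side check for the upload path named in the description above, as an added example that is not part of the module or of the original pull request: it scans web access logs for requests that reach multi_uploadify.php after path normalisation. The Combined Log Format input, the function names and the sample lines are assumptions made for this example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Script path named in the pull request description.
UPLOAD_PATH = "/web/jquery/uploader/multi_uploadify.php"

# Assumed input: Combined Log Format lines from the NAS web server or a proxy in front of it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def canonical_path(target):
    """Reduce a request target to a normalised path so trivial variants still match."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    if "://" in path:                      # absolute-form target: drop scheme and host
        path = path.split("://", 1)[1].partition("/")[2]
    for _ in range(2):                     # undo single and double percent-encoding
        path = unquote(path)
    path = re.sub(r"/+", "/", "/" + path.replace("\\", "/"))
    return normpath(path)                  # resolve "." and ".." segments

def find_upload_requests(lines):
    """Return (ip, time, method, status, kind) for each request that reaches UPLOAD_PATH."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a parsable access-log line
        path = canonical_path(m["target"])
        if path == UPLOAD_PATH or path.startswith(UPLOAD_PATH + "/"):
            # Multipart uploads are sent as POST; anything else is treated as a probe.
            kind = "upload" if m["method"] == "POST" else "probe"
            hits.append((m["ip"], m["time"], m["method"], int(m["status"]), kind))
    return hits

# Constructed sample log lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Dec/2017:10:02:13 +0000] "POST /web/jquery/uploader/multi_uploadify.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [01/Dec/2017:10:02:14 +0000] "GET /web//jquery/./uploader/%6dulti_uploadify.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [01/Dec/2017:11:30:00 +0000] "POST /web/jquery/uploader/../uploader/multi_uploadify.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [01/Dec/2017:11:31:00 +0000] "GET /web/jquery/uploader/other.php HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_upload_requests(SAMPLE_LOG):
        print(hit)
```

Because the script is reachable without authentication, any hit from a source that is not an administrator's own workstation is worth reviewing alongside recently created files on the device.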