Western Digital's popular My Cloud NAS devices have numerous high-risk vulnerabilities

Source: Internet
Author: User


Security researchers have found several serious vulnerabilities and a hard-coded backdoor in Western Digital's My Cloud NAS devices; these flaws may allow remote attackers to gain unrestricted access to the devices.

Western Digital's My Cloud (WD My Cloud) series of NAS devices is among the most popular network-attached storage products that individuals and enterprises use to host their files and to automatically back up and synchronize them with various cloud and web-based services.

These devices not only let users share files on the home network, but also let them access their data anytime and anywhere.

These devices are designed to be reachable over the Internet, so the hard-coded backdoor exposes user data to attackers.

GulfTech's research and development team recently published an advisory detailing the hard-coded backdoor and the vulnerabilities in WD My Cloud storage devices, which could allow remote attackers to inject their own commands and to upload and download sensitive files without authorization.

It is worth noting that James Bercegay, a researcher at GulfTech, contacted the vendor and reported the issues last June. The vendor confirmed the vulnerabilities and said they would be fixed within 90 days.

However, the vulnerabilities remained unfixed until January 3 of this year (nearly 180 days later), when GulfTech publicly disclosed the details.

Unrestricted File Upload Vulnerability

As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the web server running on a vulnerable storage device.

The vulnerability resides in the "multi_uploadify.php" script, because Western Digital's code misuses the gethostbyaddr() PHP function.

This vulnerability can also easily be exploited to obtain a remote shell as root. To do so, the attacker sends a request that carries the file to be uploaded in the Filedata[0] parameter, the location where the file should be written in the "folder" parameter, and a spoofed Host header.

The researchers have also written a Metasploit module that exploits this vulnerability.

"The [Metasploit] module will use this vulnerability to upload a PHP webshell to the '/var/www/' directory. Once uploaded, the webshell can be triggered by requesting a URI pointing to the backdoor, thus executing the payload," the researchers wrote.

Hardcoded Backdoor

The researchers also found a classic backdoor: the administrator username "mydlinkBRionyg" and password "abc12345cba" are hard-coded into a binary and cannot be changed.

Therefore, anyone can use these credentials to log in to a WD My Cloud device. Moreover, with this backdoor, anyone can reach a command injection vulnerability and spawn a root shell.

The researchers pointed out: "An attacker could simply use a website that requests one of the default hostnames of the WD My Cloud device, such as 'wdmycloud' or 'wdmycloudmirror', via an embedded iframe or img tag, and thereby directly hijack users' devices."

Other vulnerabilities

In addition to the two critical vulnerabilities above, the GulfTech advisory describes several other serious vulnerabilities:

Cross-Site Request Forgery

Because the WD My Cloud web interface provides no real XSRF protection, an attacker can trick a victim into visiting a malicious website under the attacker's control; the victim's web browser then connects to the My Cloud device on the local network and launches the attack against it.

In other words, a single decoy website is enough to lose control of a My Cloud device.

Command Injection

A member of the Exploitee.rs team found multiple command injection issues in WD My Cloud devices, which can be combined with the XSRF vulnerability to obtain full control (root access) of an affected device.

Unfortunately, GulfTech's researchers also found several further command injection vulnerabilities.

Denial of Service

The researchers also found that any unauthenticated user can set the global language preference for the entire storage device and all of its users; an attacker can abuse this to cause a denial of service against the web interface.

Information Leakage

According to the researchers, an attacker can simply send a request such as "GET /api/2.1/rest/users? HTTP/1.1" to dump the list of all users, including detailed user information, without any authentication.

Affected Firmware Versions and Models

Western Digital's My Cloud and My Cloud Mirror firmware versions 2.30.165 and earlier are affected by all of the vulnerabilities above.

Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
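For operators who run these devices, the following Python script is an added defensive example (it is not from the article, GulfTech or Western Digital) that scans web-server access logs for the indicators the article describes: requests to the multi_uploadify.php upload script, unauthenticated 200 responses from /api/2.1/rest/users, and logins with the hard-coded mydlinkBRionyg account; it also checks whether a firmware version is at or below 2.30.165. The log format, directory path, IP addresses and dates in the sample are constructed.

```python
import re
from typing import Dict, List
# Indicators taken from the disclosure as the article summarizes it.
BACKDOOR_USER = "mydlinkBRionyg"
UPLOAD_SCRIPT = "multi_uploadify.php"
USER_LIST_API = "/api/2.1/rest/users"
LAST_AFFECTED_FIRMWARE = (2, 30, 165)

# Constructed Common Log Format samples (made-up IPs, paths, dates): host ident authuser [date] "request" status bytes
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2018:10:00:01 +0000] "POST /uploader/multi_uploadify.php?folder=/var/www/ HTTP/1.1" 200 42
198.51.100.9 - - [04/Jan/2018:10:00:05 +0000] "GET /api/2.1/rest/users? HTTP/1.1" 200 1337
192.0.2.7 - mydlinkBRionyg [04/Jan/2018:10:00:09 +0000] "GET / HTTP/1.1" 200 12
192.0.2.8 - alice [04/Jan/2018:10:00:12 +0000] "GET /api/2.1/rest/users? HTTP/1.1" 200 1337
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(line: str) -> List[str]:
    """Return the indicator names matched by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = m.group("path").split("?", 1)[0]
    hits: List[str] = []
    # Any request that reaches the vulnerable upload script deserves review.
    if path.endswith("/" + UPLOAD_SCRIPT):
        hits.append("upload-script-request")
    # The user-list API answered 200 to a request with no authenticated user.
    if path == USER_LIST_API and m.group("user") == "-" and m.group("status") == "200":
        hits.append("unauthenticated-user-listing")
    if m.group("user") == BACKDOOR_USER:
        hits.append("backdoor-account-login")
    return hits

def scan(log_text: str) -> Dict[str, List[str]]:
    """Map each indicator name to the source IPs that triggered it."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        for name in classify(line):
            findings.setdefault(name, []).append(line.split(" ", 1)[0])
    return findings

def is_affected_firmware(version: str) -> bool:
    """True for My Cloud / My Cloud Mirror firmware 2.30.165 and earlier."""
    return tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED_FIRMWARE
```

Any hit on the backdoor account is an incident regardless of what was requested, since the credential cannot be legitimately in use.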

In addition, Metasploit modules for all of the vulnerabilities have been released online.
