Western Digital MyCloud unauthenticated command injection
Disclosed | Created
---|---
2016-12-14 | 2023-07-28
Description
This module exploits authentication bypass (CVE-2018-17153) and
command injection (CVE-2016-10108) vulnerabilities in Western
Digital MyCloud before 2.30.196 in order to achieve
unauthenticated remote code execution as the root user.
The module first performs a check to see if the target is
WD MyCloud. If so, it attempts to trigger an authentication
bypass (CVE-2018-17153) via a crafted GET request to
/cgi-bin/network_mgr.cgi. If the server responds as expected,
the module assesses the vulnerability status by attempting to
exploit a command injection vulnerability (CVE-2016-10108) in
order to print a random string via the echo command. This is
done via a crafted POST request to /web/google_analytics.php.
If the server is vulnerable, the same command injection vector
is leveraged to execute the payload.
This module has been successfully tested against Western Digital
MyCloud version 2.30.183.
Note: based on the available disclosures, it seems that the
command injection vector (CVE-2016-10108) might be exploitable
without the authentication bypass (CVE-2018-17153) on versions
before 2.21.126. The obtained results on 2.30.183 imply that
the patch for CVE-2016-10108 did not actually remove the command
injection vector, but only prevented unauthenticated access to it.
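The two request paths named above give a defender a simple log-side signal for this exploit chain. The following is an added detection example, not code from the module or its documentation; the log lines are constructed sample data in common log format, and the version check encodes only the "before 2.30.196" boundary stated above.

```python
import re
from collections import defaultdict

# Endpoints named in the module description.
AUTH_BYPASS_PATH = "/cgi-bin/network_mgr.cgi"
CMD_INJECTION_PATH = "/web/google_analytics.php"
FIXED_VERSION = (2, 30, 196)  # first release described as not affected

# Constructed sample log (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2023:10:00:01 +0000] "GET /cgi-bin/network_mgr.cgi HTTP/1.1" 200 512
203.0.113.5 - - [28/Jul/2023:10:00:02 +0000] "POST /web/google_analytics.php HTTP/1.1" 200 128
198.51.100.7 - - [28/Jul/2023:10:05:00 +0000] "GET /web/index.html HTTP/1.1" 200 4096
198.51.100.7 - - [28/Jul/2023:10:05:01 +0000] "POST /web/google_analytics.php HTTP/1.1" 200 128
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_affected_version(version):
    """True when a MyCloud firmware version string sorts before 2.30.196."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


def parse_log(text):
    """Yield (ip, method, path) from each parseable line; query strings dropped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, _status = m.groups()
            yield ip, method, path.split("?", 1)[0]


def find_exploit_chains(text):
    """Return source IPs that GET the auth-bypass CGI and afterwards POST to
    the command-injection endpoint, i.e. the module's request sequence.
    A POST to google_analytics.php on its own is not flagged here: on the
    older versions mentioned above it may be the whole attack, but alone it
    is also a weaker signal, so treat it separately in real triage."""
    bypass_seen = defaultdict(bool)
    flagged = []
    for ip, method, path in parse_log(text):
        if method == "GET" and path == AUTH_BYPASS_PATH:
            bypass_seen[ip] = True
        elif method == "POST" and path == CMD_INJECTION_PATH and bypass_seen[ip]:
            if ip not in flagged:
                flagged.append(ip)
    return flagged
```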
Authors
Erik Wynter
Steven Campbell
Remco Vermeulen
Platform
Linux,Unix
Architectures
armle, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’: