SSD Advisory – Western Digital My Cloud Pro Series PR2100 Authenticated RCE
Credit to Author: SSD / Noam Rathaus| Date: Wed, 21 Mar 2018 14:48:51 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope
Vulnerability Summary
A vulnerability in the Western Digital My Cloud Pro Series PR2100 allows authenticated users to execute commands arbitrary commands.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
The vendor was notified on the 28th of November 2017, and responded that they take security seriously and will be fixing this vulnerability promptly, repeated attempts to get a timeline or fix failed, the last update received from them was on the 31st of Jan 2018, no further emails sent to the vendor were responded. We are not aware of any fix or remediation for this vulnerability.
Vulnerability Details
In detail, due to a logic flaw, with a forged HTTP request it is possible to bypass the authentication for HTTP basic and HTTP digest login types.
Log into the web application using a low privilege user, once the main page loads, find in burp proxy history for a request to “/cgi-bin/home_mgr.cgi”
The last line can be replaced with
1 | cmd=7&f_user=abcd$(ping x.x.x.x) |
Or:
1 | cmd=7&f_user=abcd$(mkdir /tmp/nshctest) |
This means you can run any Linux command and it would execute. But there will be no feedback in the response.