Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

Abstract

It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device.

The Exploitee.rs independently discovered and disclosed the same vulnerability.

Tested versions

This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.

Fix

There is currently no fix available.

Introduction

Western Digital My Cloud is a low-cost entry-level network-attached storage device. It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability that allows an unauthenticated user to create an admin session that is tied to her IP address. By exploiting this issue an unauthenticated attacker can run commands that would normally require admin privileges and gain complete control of the My Cloud device.

The issue was discovered while reverse engineering the CGI binaries to look for security issues.

Details

Whenever an admin authenticates, a server-side session is created that is bound to the user's IP address. After the session is created it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.

It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate. The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.

Proof of concept

The following steps can be used to exploit this issue. First, establish an admin session tied to the IP of the requester:

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23
 
cmd=cgi_get_ipv6&flag=1

Next, call an endpoint (e.g., cgi_get_ssh_pw_status) that requires admin privileges and authenticate as admin by adding the cookie username=admin.

Setting the cookie in the browser through the console before visiting the dashboard will authenticate the user as the administrator.

The following proof of concept demonstrates an attack abusing a user's browser to remotely compromise a MyCloud device on a local network.

Timeline

  • 09 April 2017: Discovered vulnerability.
  • 10 April 2017: Reported to Western Digital customer support.
  • ...: No more vendor response :/
  • 17 September 2018: Requested CVE
  • 18 September 2018: CVE-2018-17153 assigned
  • 18 September 2018: Published details

References

CVE-2018-17153

Questions or feedback?