My Cloud PR4100 / PR2100 Firmware Analysis


#310

Indeed, SMBv1 is still required by many devices, which is why I think it should remain as an option.

What bothers me is that there is no option to disable it on the My Cloud NAS devices. Worse yet is that advice to enable SMBv1 is typically given without any knowledge of the user’s hardware or circumstances. Maybe their devices don’t actually require SMBv1 and their only reason for wanting to enable it is because of the My Cloud NAS device, in which case the onus is on WD to fix their firmware so that SMBv1 is not required to make the device function as expected.

In my case, I use Kodi on several devices, and Windows XP on an old desktop computer I use from time to time, so permanently disabling SMBv1 is not something I can do just yet. However, I’m fully aware of the risks and do what I can to mitigate them by keeping my network behind a hardware firewall and being very careful about where I browse on the web. I also have not one, but two backup copies of everything (about 40TB of data, x3). If ransomware strikes, the people making the ransom demands can go pound sand because I’m prepared. Sadly, most people are not.

As for Kodi, there are workarounds if SMBv1 is disabled…


#311

After a bit of digging, I was finally able to determine the true origin of the Samba /etc/samba/smb.conf file and how it’s created.

Observing the network traffic of the dashboard eventually led me to the system_mgr.cgi compiled binary file. Furthermore, when one changes the Max SMB Protocol (SMB 1,2,3) setting on the dashboard, a cgi_smb2 command and a smb2enable value are sent to the system_mgr.cgi program for processing. Armed with this information, I used grep to perform a basic search, where searching for smb2enable yielded no results, and searching for cgi_smb2 didn’t yield much either.

# grep -inr "cgi_smb2" /var/www/cgi-bin/system_mgr.cgi
17739:cgi_smb2

This is where intuition comes into play, and since SMB settings are involved, I tried searching for that.

# grep -inr "smb" /var/www/cgi-bin/system_mgr.cgi
3867:libsmbif.so
17192:smb start >/dev/null 2>&1
17193:smb stop >/dev/null 2>&1
17194:/system_mgr/samba/smb2_enable
17195:smbcom >/dev/null 2>&1
17214:smbcmd -s >/dev/null 2>&1
17215:smbcmd -r >/dev/null 2>&1
17229:<smb2>%d</smb2>
17230:<smb>%d</smb>
17738:cgi_smb
17739:cgi_smb2

That’s better, now I have something to work with. The system_mgr.cgi program appears to stop and start the smb daemon, call compiled binary files named smbcom and smbcmd, handle XML tags, and reference a libsmbif.so compiled library file. A simple Linux find command (find / -name smbcom) was used to locate each of the files, then grep was used to perform a simple search. The smbcom file references smbcv, so I searched it too. Here are the results for each.

/usr/local/modules/usrsbin/smbcom

# grep -inr "smb" /usr/local/modules/usrsbin/smbcom
3849:SMB_VOL_NAME
3853:smb_dbg_flag
19557:/system_mgr/samba/smb2_enable
19612:.smb_ads.xml
19741:./smbcom
19742:./smbcom -d
19743:smbcom -v
19744:./smbcv
19745:./smbcv -d
19746:/tmp/smb_ips
19750:/var/www/xml/smb.xml
19751:killall -HUP smbd
19793:/mnt/%s/.systemfile/.smb.xml
19794:/mnt/%s/.systemfile/.smbm.xml
19795:/tmp/.smbm.xml
19821:/mnt/%s/.systemfile/.smb_ads.xml
19843:/etc/samba/smb.conf
19844:smb stop >/dev/null 2>&1
19846:smb start >/dev/null 2>&1
20098:passdb backend = smbpasswd
20139:smb2 leases = yes
20149:max protocol = SMB2
20157:max protocol = SMB3
20412:smb passwd file = /etc/samba/smbpasswd
20490:/usr/bin/smbclient
20491:/usr/bin/smbclient not exist!
20503:/etc/NAS_CFG/smbdfs.xml
20506:/etc/NAS_CFG/smbdfs_group.xml
20520:[smbcom %s]
20550:/usr/local/sbin/crud_share_db.sh create "%s" /etc/samba/smb.conf %s
20555:/usr/local/sbin/crud_share_db.sh create '%s' /etc/samba/smb.conf %s
20567:/usr/local/sbin/crud_share_db.sh delete "%s" /etc/samba/smb.conf false
20569:/usr/local/sbin/crud_share_db.sh delete '%s' /etc/samba/smb.conf false
20571:/usr/local/sbin/crud_share_db.sh create "%s" /etc/samba/smb.conf false
20573:/usr/local/sbin/crud_share_db.sh create '%s' /etc/samba/smb.conf false

/usr/local/modules/usrsbin/smbcmd

# grep -inr "smb" /usr/local/modules/usrsbin/smbcmd
3889:SMB_VOL_NAME
3893:smb_dbg_flag
20029:/system_mgr/samba/smb2_enable
20084:.smb_ads.xml
20213:./smbcom
20214:./smbcom -d
20215:./smbcv
20216:./smbcv -d
20217:/tmp/smb_ips
20221:/var/www/xml/smb.xml
20222:killall -HUP smbd
20264:/mnt/%s/.systemfile/.smb.xml
20265:/mnt/%s/.systemfile/.smbm.xml
20266:/tmp/.smbm.xml
20286:/mnt/%s/.systemfile/.smb_ads.xml
20308:/etc/samba/smb.conf
20309:smb stop >/dev/null 2>&1
20311:smb start >/dev/null 2>&1
20563:passdb backend = smbpasswd
20604:smb2 leases = yes
20614:max protocol = SMB2
20622:max protocol = SMB3
20874:smb passwd file = /etc/samba/smbpasswd
20952:/usr/bin/smbclient
20953:/usr/bin/smbclient not exist!
20965:/etc/NAS_CFG/smbdfs.xml
20968:/etc/NAS_CFG/smbdfs_group.xml
20998:smbcv -x; smbcv; smbcom -v
21017:[smbcmd %s]
21020:[smbcmd -r|-s (run or stop) ]
21034:  smbcmd - samba command  [%s]
21041:  smbcmd [-h] to show detail

/usr/local/modules/usrsbin/smbcv

# grep -inr "smb" /usr/local/modules/usrsbin/smbcv
3845:SMB_VOL_NAME
3849:smb_dbg_flag
19647:/system_mgr/samba/smb2_enable
19702:.smb_ads.xml
19831:./smbcom
19832:./smbcom -d
19833:smbcom -v
19834:./smbcv
19835:./smbcv -d
19839:/var/www/xml/smb.xml
19840:killall -HUP smbd
19882:/mnt/%s/.systemfile/.smb.xml
19883:/mnt/%s/.systemfile/.smbm.xml
19884:/tmp/.smbm.xml
19907:/mnt/%s/.systemfile/.smb_ads.xml
19929:smb stop >/dev/null 2>&1
19931:smb start >/dev/null 2>&1
20179:passdb backend = smbpasswd
20220:smb2 leases = yes
20230:max protocol = SMB2
20238:max protocol = SMB3
20493:smb passwd file = /etc/samba/smbpasswd
20571:/usr/bin/smbclient
20572:/usr/bin/smbclient not exist!
20584:/etc/NAS_CFG/smbdfs.xml
20587:/etc/NAS_CFG/smbdfs_group.xml
20596:touch /tmp/smb_ips
20600:[smbcv %s]
20603:cat /etc/samba/smb.conf
20608:/mnt/HD_%c4/.systemfile/.smb.xml
20616:/mnt/HD_%c4/.systemfile/.smb_ads.xml
20620:/mnt/HD_%c4/.systemfile/.smbm.xml
20627:/mnt/HD_a4/.systemfile/.smb.ses
20628:/mnt/HD_b4/.systemfile/.smb.ses
20629:/mnt/HD_c4/.systemfile/.smb.ses
20630:/mnt/HD_d4/.systemfile/.smb.ses
20631:cat /mnt/HD_a4/.systemfile/.smb.xml 2> /dev/null
20639:cat /mnt/HD_b4/.systemfile/.smb.xml 2> /dev/null
20647:cat /mnt/HD_c4/.systemfile/.smb.xml 2> /dev/null
20655:cat /mnt/HD_d4/.systemfile/.smb.xml 2> /dev/null
20663:cat /mnt/HD_a4/.systemfile/.smb_ads.xml 2> /dev/null
20667:cat /mnt/HD_b4/.systemfile/.smb_ads.xml 2> /dev/null
20671:cat /mnt/HD_c4/.systemfile/.smb_ads.xml 2> /dev/null
20675:cat /mnt/HD_d4/.systemfile/.smb_ads.xml 2> /dev/null

Long story short, I was eventually able to determine that smbcom and smbcv are both used to create and/or alter a hidden smbm.xml file, which is in fact the true source of information used to generate the /etc/samba/smb.conf file. Information originally contained in the example below has been removed for privacy and shortened for brevity, where an <item></item> section exists for each share.

# cat /mnt/HD_a4/./.systemfile/.smbm.xml
<?xml version="1.0" encoding="UTF-8"?>
<config>
  <samba>
    <count>1</count>
    <item>
      <volume_raid></volume_raid>
      <hd_serial></hd_serial>
      <name>Public</name>
      <comment></comment>
      <path>/mnt/HD/HD_a2/Public</path>
      <browseable></browseable>
      <public></public>
      <oplocks>yes</oplocks>
      <map_archive></map_archive>
      <read_list></read_list>
      <write_list></write_list>
      <invalid_users></invalid_users>
      <recycle_enable></recycle_enable>
      <recycle_tree></recycle_tree>
      <web_public></web_public>
      <media_flag></media_flag>
      <available></available>
      <remote_access></remote_access>
      <target_path></target_path>
      <share_access_locked></share_access_locked>
      <ftp_enable></ftp_enable>
      <ftp_anonymous></ftp_anonymous>
      <nfs_enable></nfs_enable>
      <nfs_host></nfs_host>
      <uid></uid>
    </item>
  </samba>
</config>

I was able to verify that the hidden smbm.xml file is the true source of information by directly editing the file and changing <oplocks>yes</oplocks> to <oplocks>no</oplocks>. Afterwards, I went to the dashboard and changed the Max SMB Protocol setting, which I knew would trigger a change to the /etc/samba/smb.conf file. I then went to the Public share, and sure enough, Oplocks was now off, exactly as predicted.

As for the Max SMB Protocol setting itself, the cgi_smb2 command and smb2enable values processed by the system_mgr.cgi program originate from the <smb2_enable></smb2_enable> value within the <samba></samba> section of the config.xml file. A value of 0 is SMBv3, a value of 1 is SMBv2, and a value of 3 is SMBv1.

<samba>
	<enable>1</enable>
	<workgroup>WORKGROUP</workgroup>
	<netbios_name>PR4100</netbios_name>
	<server_string>My Cloud Pro Series 4-Bay NAS</server_string>
	<lmb>0</lmb>
	<dfs_enable>0</dfs_enable>
	<ads_enable>0</ads_enable>
	<ads_workgroup></ads_workgroup>
	<ads_username></ads_username>
	<ads_password></ads_password>
	<ads_realm></ads_realm>
	<ads_pwd_server></ads_pwd_server>
	<smb2_enable>0</smb2_enable>
</samba>

Lastly, the smbcom compiled binary file has a secret debug option (most WD programs do), which was also very helpful. This revealed that a hidden smbm.xml file exists on a hidden system partition on each installed hard drive, and the dreaded ganalytics rears its ugly head again. As before, information in the example below has been altered or removed for privacy.

# smbcom -d
[smbcom v3.00.20140429]
OPEN DEBUG MODE!!
##hd device name from sda ~ sdp
        hd_device_name 0 = sda
        hd_device_name 1 = sdb
        hd_device_name 2 = sdc
        hd_device_name 3 = sdd

HD hd_exist = [1]
HD hd_exist= [1]
HD hd_exist = [1]
HD hd_exist = [1]
HD scsi0 = [XXXXXXXXXXXX]
HD scsi1= [XXXXXXXXXXXX]
HD scsi2 = [XXXXXXXXXXXX]
HD scsi3 = [XXXXXXXXXXXX]
volume number = 4
hd number     = 4

Volume_1 raid type [1]
Volume_1 raid uuid []
Volume_1 comp str  [XXXXXXXXXXXX]
Volume_1 which hd  [0][sda]
Volume_1 hidden in [/mnt/HD_a4]
Volume_2 raid type [1]
Volume_2 raid uuid []
Volume_2 comp str  [XXXXXXXXXXXX]
Volume_2 which hd  [1][sdb]
Volume_2 hidden in [/mnt/HD_b4]
Volume_3 raid type [1]
Volume_3 raid uuid []
Volume_3 comp str  [XXXXXXXXXXXX]
Volume_3 which hd  [2][sdc]
Volume_3 hidden in [/mnt/HD_c4]
Volume_4 raid type [1]
Volume_4 raid uuid []
Volume_4 comp str  [XXXXXXXXXXXX]
Volume_4 which hd  [3][sdd]
Volume_4 hidden in [/mnt/HD_d4]

share name HD_a2=[Volume_1]
share name HD_b2=[Volume_2]
share name HD_c2=[Volume_3]
share name HD_d2=[Volume_4]
##read_HD_xml: read xml path = /mnt/HD_a4/.systemfile/.smbm.xml
##read_HD_xml: read xml path = /mnt/HD_b4/.systemfile/.smbm.xml
##read_HD_xml: read xml path = /mnt/HD_c4/.systemfile/.smbm.xml
##read_HD_xml: read xml path = /mnt/HD_d4/.systemfile/.smbm.xml
afp nfs state is [0][0]

share_num is 5
public_en_num is 1
recyclebin_en_num is 4
media_en_num is 0
oplock_en_num is 5
ftp_en_num is 0
==>[ganalytics --shares-num 5 &]
==>[ganalytics --public-shares-num 1 &]
==>[ganalytics --recyclebin-shares-num 4 &]
==>[ganalytics --media-shares-num 0 &]
==>[ganalytics --oplock-shares-num 5 &]
==>[ganalytics --ftp-shares-num 0 &]

Like I said previously, it’s complicated…
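
For auditing the two XML sources described in post #311 offline, here is an added example (not part of the original post and not WD code). It reads smb2_enable using the value mapping the post reports, and diffs two copies of .smbm.xml, such as the ones on /mnt/HD_a4 and /mnt/HD_b4, so a hand edit like the oplocks change shows up. The function names, the <config> wrapper around the config.xml excerpt and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Mapping exactly as reported in the post (an observation, not WD documentation).
SMB2_ENABLE_TO_MAX_PROTOCOL = {"0": "SMB3", "1": "SMB2", "3": "SMB1"}

# Constructed sample: part of the <samba> section of config.xml.
# The <config> root element is an assumption; the post shows only <samba>.
CONFIG_XML = """<config>
  <samba>
    <enable>1</enable>
    <workgroup>WORKGROUP</workgroup>
    <smb2_enable>0</smb2_enable>
  </samba>
</config>"""

# Constructed sample of a hidden .smbm.xml, trimmed to a few of the fields
# that appear in the post.
SMBM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <samba>
    <count>1</count>
    <item>
      <name>Public</name>
      <path>/mnt/HD/HD_a2/Public</path>
      <oplocks>yes</oplocks>
      <public></public>
    </item>
  </samba>
</config>"""


def _samba_section(xml_text):
    """Return the <samba> element whether it is the root or nested."""
    root = ET.fromstring(xml_text)
    samba = root if root.tag == "samba" else root.find(".//samba")
    if samba is None:
        raise ValueError("no <samba> section found")
    return samba


def max_protocol(config_xml):
    """Translate smb2_enable into the protocol name the post associates with it."""
    value = (_samba_section(config_xml).findtext("smb2_enable") or "").strip()
    if value not in SMB2_ENABLE_TO_MAX_PROTOCOL:
        raise ValueError(f"unexpected smb2_enable value: {value!r}")
    return SMB2_ENABLE_TO_MAX_PROTOCOL[value]


def parse_shares(smbm_xml):
    """Return {share name: {field: value}} and check <count> against the items."""
    samba = _samba_section(smbm_xml)
    shares = {}
    for item in samba.findall("item"):
        fields = {child.tag: (child.text or "").strip() for child in item}
        name = fields.get("name", "")
        if not name or name in shares:
            raise ValueError(f"missing or duplicate share name: {name!r}")
        shares[name] = fields
    declared = int(samba.findtext("count") or -1)
    if declared != len(shares):
        raise ValueError(
            f"<count> is {declared} but {len(shares)} <item> sections were found")
    return shares


def diff_shares(reference, other):
    """List (share, field, reference value, other value) for every difference."""
    changes = []
    for name in sorted(set(reference) | set(other)):
        if name not in reference or name not in other:
            changes.append((name, "<item>",
                            "present" if name in reference else "missing",
                            "present" if name in other else "missing"))
            continue
        a, b = reference[name], other[name]
        for field in sorted(set(a) | set(b)):
            if a.get(field) != b.get(field):
                changes.append((name, field, a.get(field), b.get(field)))
    return changes


if __name__ == "__main__":
    # Reproduce the post's experiment on the constructed sample.
    edited = SMBM_XML.replace("<oplocks>yes</oplocks>", "<oplocks>no</oplocks>")
    print("max protocol:", max_protocol(CONFIG_XML))
    for change in diff_shares(parse_shares(SMBM_XML), parse_shares(edited)):
        print("changed:", change)
```

Run against copies of the files pulled from the NAS, a non-empty diff between drives or against a known-good copy means the next regeneration of /etc/samba/smb.conf will not match what the dashboard shows.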


#312

My PR4100 is running the latest firmware version 2.30.196 (09/21/2018). However, when I performed a network security scan, this was the result.

nmap -p 445 --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version xxx.xxx.x.xxx
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-26 13:21 Eastern Daylight Time
Nmap scan report for PR4100 (xxx.xxx.x.xxx)
Host is up (0.00s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: XX:XX:XX:XX:XX:XX (Western Digital Technologies)
Host script results:
| smb-vuln-cve-2017-7494: 
|   VULNERABLE:
|   SAMBA Remote Code Execution from Writable Share
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2017-7494
|     Risk factor: HIGH  CVSSv3: 7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
|       All versions of Samba from 3.5.0 onwards are vulnerable to a remote
|       code execution vulnerability, allowing a malicious client to upload a
|       shared library to a writable share, and then cause the server to load
|       and execute it.
|     Disclosure date: 2017-05-24
|     Check results:
|       Samba Version: 4.3.11
|     References:
|       https://www.samba.org/samba/security/CVE-2017-7494.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494
Nmap done: 1 IP address (1 host up) scanned in 5.30 seconds

The vulnerability mentioned in CVE-2017-7494 was supposed to have been fixed in firmware version 2.30.172 (11/16/2017), but when I checked the Samba (smbd) version running on my PR4100, it’s definitely one (Samba: 4.3.11) that is vulnerable. A workaround is to add nt pipe support = no to the [ global ] section of the smb.conf file, yet no such line is present.

[ global ]
netbios name = PR4100
server string = My Cloud Pro Series 4-Bay NAS
veto files = /:2eDS_Store/.bin/Network Trash Folder/.systemfile/lost+found/Nas_Prog/mirrored/uploaded/.wdmc/.AppleDouble/
workgroup = WORKGROUP
security = user
passdb backend = smbpasswd
ldap ssl = no
local master = no
os level = 0
preferred master = no
smb2 leases = yes
fruit:copyfile= yes
printing = bsd
printcap name = /dev/null
disable spoolss = yes
max protocol = SMB3
max xmit = 131072
max log size = 10
log level = 0
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=4096000 SO_SNDBUF=4096000
delete veto files = yes
unix charset = UTF8
encrypt passwords = yes
map to guest = bad user
null passwords = yes
guest account = nobody
dns proxy = no
use mmap = yes
use spnego = yes
disable netbios = no
strict allocate = yes
csc policy = disable
min receivefile size = 16k
allocation roundup size = 0
create mask = 0777
directory mask  = 0777
force create mode = 0777
force directory mode = 0777
use sendfile = yes
smb passwd file = /etc/samba/smbpasswd
disable spoolss = yes
nt acl support = yes
acl map full control = yes
load printers = no
unix extensions = no
follow symlinks = yes
wide links = yes
printable = no
include = /etc/samba/tm_config.conf

WD claims that CVE-2017-7494 has been patched, yet everything I’m seeing says otherwise. Has it been patched or not? If so, exactly what was done to patch it?

My Cloud Pro Series PR4100 Firmware Release

Firmware Version 2.30.172 (11/16/2017)

Resolved Issues:

Resolved SMB server (samba) security vulnerability (CVE-2017-7494) - Malicious clients can upload and cause the SMB server to execute a shared library from a writable share.

Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.

Improved Cloud Access connectivity from the device.
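
The two checks made by hand in post #312 (the reported Samba version and the presence of the nt pipe support = no workaround in the global section) can be scripted as below. This is an added example, not part of the original post and not WD or Samba project code. The fixed release numbers are the ones named in the Samba advisory for CVE-2017-7494; the function names and the shortened sample smb.conf are constructed.

```python
import re

# Security releases named in the Samba advisory for CVE-2017-7494.
FIXED_RELEASES = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_AFFECTED = (3, 5, 0)  # "All versions of Samba from 3.5.0 onwards"

# Constructed sample, shortened from the smb.conf quoted in the post.
SAMPLE_CONF = """[ global ]
netbios name = PR4100
security = user
max protocol = SMB3
map to guest = bad user
disable spoolss = yes
disable spoolss = yes
include = /etc/samba/tm_config.conf
"""


def parse_global(conf_text):
    """Return the global section as {name: value}.

    Parameter names are case-insensitive and whitespace inside them is
    irrelevant to Samba, so keys are stored lower-cased with spaces removed.
    A repeated parameter keeps its last value.
    """
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[\s*(.*?)\s*\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params


def version_status(version):
    """Classify a Samba version string by release number alone."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    v = tuple(int(part) for part in match.groups())
    if v < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return "fixed" if v >= fixed else "affected"
    # Branches older than 4.4 received patches but no new upstream release
    # number, so a vendor backport cannot be seen in the version string.
    return "affected" if v[:2] < (4, 4) else "fixed"


def samba_true(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def audit_cve_2017_7494(conf_text, samba_version):
    """Combine the version check and the workaround check into one verdict."""
    params = parse_global(conf_text)
    status = version_status(samba_version)
    # nt pipe support is enabled when the line is absent.
    workaround = not samba_true(params.get("ntpipesupport", "yes"))
    if status != "affected":
        verdict = "ok-by-version"
    elif workaround:
        verdict = "mitigated-by-config"
    else:
        verdict = "exposed-unless-backported"
    return {
        "version_status": status,
        "workaround_present": workaround,
        # An included file can also set the parameter; it needs the same audit.
        "also_review": params.get("include"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(audit_cve_2017_7494(SAMPLE_CONF, "4.3.11"))
```

A verdict of exposed-unless-backported is as far as a version and config check can go: confirming a vendor backport takes a comparison of the smbd binaries or libraries between firmware images, or a statement from the vendor.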

#314

WD: /lib/libc-2.19.so

GNU C Library (crosstool-NG hg+unknown-20140427.163636 - Build-wd-00.01c) stable release version 2.19, by Roland McGrath et al.
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.8.2.
Compiled on a Linux 2.6.39 system on 2014-04-27.
Available extensions:
        crypt add-on version 2.1 by Michael Glad and others
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<john.overton@wdc.com>.

Entware: /opt/lib/libc-2.27.so

GNU C Library (GNU libc) stable release version 2.27.
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 7.3.0.
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.

#315

Sometimes you get issues with downloaded binaries complaining about the outdated libc.
You may use patchelf to get around this problem. Example


#316

@dswv42
I’ll only stop reading when you stop writing in this thread.
Fascinating reading your observations.
Get this pkged up with updated modules, samba, ssh dashboard etc, and I may just pick up a PR4100, compile your sources with updated configs and go with your improved version. Been burnt too bad with the EX2 / EX2 Ultra, so I’m heavily favouring the competition right now.


#317

I appreciate the sentiments, and there is much more to come… as time permits.

The original WD firmware has far too many problems, so I’ve largely abandoned the idea of fixing it, aside from studying how certain parts of it function. Currently I’m in the process of creating an x86_64-intel-linux-gnu toolchain, which literally everything (even the kernel) depends upon, but it’s a tedious process that requires lots of testing to ensure that it works properly. In time, the toolchain will serve as the foundation for a completely new firmware build, with updated packages, a new UI, etc…


#319

All custom PR4100 toolchain tests have been a complete success, but I only began making real progress after I abandoned trying to build on the PR4100 using Entware running on the factory firmware. Frankly, the PR4100 environment is a disaster, even with Entware, which has its own issues.

With a fully functional 64-bit cross toolchain and an updated Linux kernel completed, I’ve begun to focus on the arduous task of configuring and building packages, which would be made exponentially easier if Linux programmers would take the time to document dependencies.


#320

New Release - My Cloud Firmware Versions 2.31.149 (10/19/18)


#321

The Linux kernel version (4.1.13) is unchanged, so I’d like to know exactly how WD mitigated the Dirty Cow vulnerability (CVE-2016-5195) as noted in the release notes. Curiously, the Linux kernel version string has changed, so it appears as if it has been recently recompiled.

Linux PR4100 4.1.13 #1 SMP Fri Aug 17 16:30:29 CST 2018 Build-git435df54 x86_64 GNU/Linux

Also, I was hoping to see a Samba version upgrade, but the vulnerable smbd version (4.3.11) remains. Otherwise, I found the following root filesystem changes, as compared with firmware version 2.30.196.

Existing files changed in image.cfs version 2.31.149.

\cgi\account_mgr.cgi
\cgi\codepage_mgr.cgi
\cgi\folder_tree.cgi
\cgi\home_mgr.cgi
\cgi\iscsi_mgr.cgi
\cgi\isomount_mgr.cgi
\cgi\login_mgr.cgi
\cgi\network_mgr.cgi
\cgi\share.cgi
\cgi\snmp_mgr.cgi
\cgi\status_mgr.cgi
\cgi\system_mgr.cgi
\cgi\usb_device.cgi
\cgi\webdav_mgr.cgi
\cgi\webfile_mgr.cgi
\lib\apache_modules\libphp5.so
\lib\apache_modules\mod_access_compat.so
\lib\apache_modules\mod_actions.so
\lib\apache_modules\mod_alias.so
\lib\apache_modules\mod_allowmethods.so
\lib\apache_modules\mod_asis.so
\lib\apache_modules\mod_auth_basic.so
\lib\apache_modules\mod_auth_digest.so
\lib\apache_modules\mod_auth_form.so
\lib\apache_modules\mod_auth_token.so
\lib\apache_modules\mod_authn_anon.so
\lib\apache_modules\mod_authn_core.so
\lib\apache_modules\mod_authn_dbd.so
\lib\apache_modules\mod_authn_dbm.so
\lib\apache_modules\mod_authn_file.so
\lib\apache_modules\mod_authn_socache.so
\lib\apache_modules\mod_authz_core.so
\lib\apache_modules\mod_authz_dbd.so
\lib\apache_modules\mod_authz_dbm.so
\lib\apache_modules\mod_authz_groupfile.so
\lib\apache_modules\mod_authz_host.so
\lib\apache_modules\mod_authz_owner.so
\lib\apache_modules\mod_authz_user.so
\lib\apache_modules\mod_autoindex.so
\lib\apache_modules\mod_buffer.so
\lib\apache_modules\mod_cache.so
\lib\apache_modules\mod_cache_disk.so
\lib\apache_modules\mod_cache_socache.so
\lib\apache_modules\mod_cgi.so
\lib\apache_modules\mod_charset_lite.so
\lib\apache_modules\mod_data.so
\lib\apache_modules\mod_dav.so
\lib\apache_modules\mod_dav_fs.so
\lib\apache_modules\mod_dav_lock.so
\lib\apache_modules\mod_dbd.so
\lib\apache_modules\mod_deflate.so
\lib\apache_modules\mod_dialup.so
\lib\apache_modules\mod_dir.so
\lib\apache_modules\mod_dumpio.so
\lib\apache_modules\mod_echo.so
\lib\apache_modules\mod_env.so
\lib\apache_modules\mod_expires.so
\lib\apache_modules\mod_ext_filter.so
\lib\apache_modules\mod_file_cache.so
\lib\apache_modules\mod_filter.so
\lib\apache_modules\mod_flvx.so
\lib\apache_modules\mod_headers.so
\lib\apache_modules\mod_heartbeat.so
\lib\apache_modules\mod_heartmonitor.so
\lib\apache_modules\mod_include.so
\lib\apache_modules\mod_info.so
\lib\apache_modules\mod_lbmethod_bybusyness.so
\lib\apache_modules\mod_lbmethod_byrequests.so
\lib\apache_modules\mod_lbmethod_bytraffic.so
\lib\apache_modules\mod_lbmethod_heartbeat.so
\lib\apache_modules\mod_log_config.so
\lib\apache_modules\mod_log_debug.so
\lib\apache_modules\mod_log_forensic.so
\lib\apache_modules\mod_logio.so
\lib\apache_modules\mod_macro.so
\lib\apache_modules\mod_mime.so
\lib\apache_modules\mod_mime_magic.so
\lib\apache_modules\mod_negotiation.so
\lib\apache_modules\mod_proxy.so
\lib\apache_modules\mod_proxy_ajp.so
\lib\apache_modules\mod_proxy_balancer.so
\lib\apache_modules\mod_proxy_connect.so
\lib\apache_modules\mod_proxy_express.so
\lib\apache_modules\mod_proxy_fcgi.so
\lib\apache_modules\mod_proxy_fdpass.so
\lib\apache_modules\mod_proxy_ftp.so
\lib\apache_modules\mod_proxy_http.so
\lib\apache_modules\mod_proxy_scgi.so
\lib\apache_modules\mod_proxy_wstunnel.so
\lib\apache_modules\mod_ratelimit.so
\lib\apache_modules\mod_reflector.so
\lib\apache_modules\mod_remoteip.so
\lib\apache_modules\mod_reqtimeout.so
\lib\apache_modules\mod_request.so
\lib\apache_modules\mod_rewrite.so
\lib\apache_modules\mod_sed.so
\lib\apache_modules\mod_session.so
\lib\apache_modules\mod_session_cookie.so
\lib\apache_modules\mod_session_dbd.so
\lib\apache_modules\mod_setenvif.so
\lib\apache_modules\mod_slotmem_plain.so
\lib\apache_modules\mod_slotmem_shm.so
\lib\apache_modules\mod_socache_dbm.so
\lib\apache_modules\mod_socache_memcache.so
\lib\apache_modules\mod_socache_shmcb.so
\lib\apache_modules\mod_speling.so
\lib\apache_modules\mod_ssl.so
\lib\apache_modules\mod_status.so
\lib\apache_modules\mod_substitute.so
\lib\apache_modules\mod_unique_id.so
\lib\apache_modules\mod_unixd.so
\lib\apache_modules\mod_userdir.so
\lib\apache_modules\mod_usertrack.so
\lib\apache_modules\mod_version.so
\lib\apache_modules\mod_vhost_alias.so
\lib\apache_modules\mod_watchdog.so
\lib\apache_modules\mod_xsendfile.so
\lib\php_extension\apc.so
\lib\php_extension\xdebug.so
\lib\libcrypto.so.1.0.0
\lib\libixml.so.2
\lib\liblber-2.4.so.2.10.2
\lib\libldap-2.4.so.2.10.2
\lib\libpython2.7.so.1.0
\lib\libsmbd-base-samba4.so
\lib\libssl.so.1.0.0
\localwdmcserver\bin\extractors\libwdmcexifplugin.so.0.1.0
\localwdmcserver\bin\extractors\libwdmcffmpegplugin.so.0.1.0
\localwdmcserver\bin\transcoders\libwdmcimagemagickplugin.so.0.1.0
\localwdmcserver\bin\avconv
\localwdmcserver\bin\wdmcserver
\localwdmcserver\lib\libboost_exception.a
\localwdmcserver\lib\libboost_test_exec_monitor.a
\localwdmcserver\lib\libffi.a
\localwdmcserver\lib\libffi_convenience.a
\localwdmcserver\lib\liblcms2.a
\localwdmcserver\lib\libMagickCore.so.5.0.0
\localwdmcserver\lib\libz.a
\sbin\htpasswd
\sbin\httpd
\sbin\openssl
\sbin\rsync
\sbin\sshd
\usrlib\xtables\libip6t_HL.so
\usrlib\xtables\libipt_TTL.so
\usrlib\xtables\libxt_DSCP.so
\usrlib\xtables\libxt_MARK.so
\usrlib\xtables\libxt_RATEEST.so
\usrlib\xtables\libxt_SET.so
\usrlib\xtables\libxt_TCPMSS.so
\usrlib\xtables\libxt_TOS.so
\usrlib\libaccount.so
\usrlib\libalpha_common.so
\usrlib\libdm.so
\usrlib\libftp.so
\usrlib\libiso_creator.so
\usrlib\libisomount.so
\usrlib\libquota.so
\usrlib\libscheddl.so
\usrlib\libshare.so
\usrlib\libsmbif.so
\usrsbin\account
\usrsbin\diskmgr
\usrsbin\do_reboot
\usrsbin\e2igrow
\usrsbin\ftp
\usrsbin\ftp_download
\usrsbin\hdVerify
\usrsbin\internal_backup
\usrsbin\iscsictl
\usrsbin\isnsctl
\usrsbin\iso_mount
\usrsbin\lighty_ssl
\usrsbin\network
\usrsbin\newp2p
\usrsbin\p2p_send_mail
\usrsbin\prealloc
\usrsbin\rsyncmd
\usrsbin\rsyncom
\usrsbin\smbac
\usrsbin\smbcmd
\usrsbin\smbcom
\usrsbin\smbcv
\usrsbin\smbgp
\usrsbin\smbif
\usrsbin\smbwddb
\usrsbin\ssh_daemon
\usrsbin\updateHdState
\usrsbin\usb_backup
\usrsbin\vvctl
\usrsbin\wdappmgr
\bin\atopsar
\bin\iptables-xml
\lib\netatalk\uams_clrtxt.so
\lib\netatalk\uams_dhx.so
\lib\netatalk\uams_dhx2.so
\lib\libaio.so
\lib\libaio.so.1
\lib\libatalk.so
\lib\libatalk.so.6
\lib\libattr.so
\lib\libattr.so.1
\lib\libcom_err.so.3
\lib\libcrypto.so
\lib\libcurl.so
\lib\libcurl.so.4
\lib\libdevmapper.so
\lib\libexpat.so
\lib\libexpat.so.1
\lib\libfontconfig.so
\lib\libfontconfig.so.1
\lib\libgd.so
\lib\libgpg-error.so
\lib\libgpg-error.so.0
\lib\libgssapi_krb5.so.2
\lib\libhttpserver.so
\lib\libhttpserver.so.0
\lib\libk5crypto.so.3
\lib\libkrb5.so.3
\lib\libkrb5support.so.0
\lib\liblber-2.4.so.2
\lib\libldap-2.4.so.2
\lib\liblzo2.so
\lib\liblzo2.so.2
\lib\libmicrohttpd.so
\lib\libmicrohttpd.so.10
\lib\libncurses.so
\lib\libpam.so
\lib\libpam.so.0
\lib\libpng.so
\lib\libpng.so.3
\lib\libpng12.so
\lib\libpng12.so.0
\lib\libpopt.so
\lib\libpopt.so.0
\lib\libprocps.so
\lib\libprocps.so.1
\lib\libprocps.so.4
\lib\libpython2.7.so
\lib\libss.so
\lib\libss.so.2
\lib\libssl.so
\lib\libtag.so
\lib\libtag.so.1
\lib\libtag_c.so
\lib\libtag_c.so.0
\lib\libuuid.so
\lib\libuuid.so.1
\lib\libwdlog.so
\localwdmcserver\bin\extractors\libwdmcexifplugin.so
\localwdmcserver\bin\extractors\libwdmcexifplugin.so.0
\localwdmcserver\bin\extractors\libwdmcexifplugin.so.0.1
\localwdmcserver\bin\extractors\libwdmcffmpegplugin.so
\localwdmcserver\bin\extractors\libwdmcffmpegplugin.so.0
\localwdmcserver\bin\extractors\libwdmcffmpegplugin.so.0.1
\localwdmcserver\bin\extractors\libwdmctaglibplugin.so
\localwdmcserver\bin\extractors\libwdmctaglibplugin.so.0
\localwdmcserver\bin\extractors\libwdmctaglibplugin.so.0.1
\localwdmcserver\bin\transcoders\libkthumb.so
\localwdmcserver\bin\transcoders\libkthumb.so.0
\localwdmcserver\bin\transcoders\libkthumb.so.0.1
\localwdmcserver\bin\transcoders\libwdmcimagemagickplugin.so
\localwdmcserver\bin\transcoders\libwdmcimagemagickplugin.so.0
\localwdmcserver\bin\transcoders\libwdmcimagemagickplugin.so.0.1
\localwdmcserver\bin\libwdmccore.so
\localwdmcserver\bin\libwdmccore.so.0
\localwdmcserver\bin\libwdmccore.so.0.1
\localwdmcserver\bin\libwdmcdb.so
\localwdmcserver\bin\libwdmcdb.so.0
\localwdmcserver\bin\libwdmcdb.so.0.1
\localwdmcserver\bin\libwdmcutil.so
\localwdmcserver\bin\libwdmcutil.so.0
\localwdmcserver\bin\libwdmcutil.so.0.1
\localwdmcserver\lib\libavcodec.so
\localwdmcserver\lib\libavcodec.so.53
\localwdmcserver\lib\libavdevice.so
\localwdmcserver\lib\libavdevice.so.53
\localwdmcserver\lib\libavfilter.so
\localwdmcserver\lib\libavfilter.so.2
\localwdmcserver\lib\libavformat.so
\localwdmcserver\lib\libavformat.so.53
\localwdmcserver\lib\libavutil.so
\localwdmcserver\lib\libavutil.so.51
\localwdmcserver\lib\libboost_atomic.so
\localwdmcserver\lib\libboost_chrono.so
\localwdmcserver\lib\libboost_container.so
\localwdmcserver\lib\libboost_context.so
\localwdmcserver\lib\libboost_coroutine.so
\localwdmcserver\lib\libboost_date_time.so
\localwdmcserver\lib\libboost_filesystem.so
\localwdmcserver\lib\libboost_locale.so
\localwdmcserver\lib\libboost_log.so
\localwdmcserver\lib\libboost_log_setup.so
\localwdmcserver\lib\libboost_prg_exec_monitor.so
\localwdmcserver\lib\libboost_program_options.so
\localwdmcserver\lib\libboost_random.so
\localwdmcserver\lib\libboost_regex.so
\localwdmcserver\lib\libboost_serialization.so
\localwdmcserver\lib\libboost_signals.so
\localwdmcserver\lib\libboost_system.so
\localwdmcserver\lib\libboost_thread.so
\localwdmcserver\lib\libboost_timer.so
\localwdmcserver\lib\libboost_unit_test_framework.so
\localwdmcserver\lib\libboost_wserialization.so
\localwdmcserver\lib\libexif.so
\localwdmcserver\lib\libexif.so.12
\localwdmcserver\lib\libgio-2.0.so
\localwdmcserver\lib\libgio-2.0.so.0
\localwdmcserver\lib\libglib-2.0.so
\localwdmcserver\lib\libglib-2.0.so.0
\localwdmcserver\lib\libgmodule-2.0.so
\localwdmcserver\lib\libgmodule-2.0.so.0
\localwdmcserver\lib\libgobject-2.0.so
\localwdmcserver\lib\libgobject-2.0.so.0
\localwdmcserver\lib\libgthread-2.0.so
\localwdmcserver\lib\libgthread-2.0.so.0
\localwdmcserver\lib\libjpeg.so
\localwdmcserver\lib\libjpeg.so.62
\localwdmcserver\lib\liblcms2.so
\localwdmcserver\lib\liblcms2.so.2
\localwdmcserver\lib\libMagickCore.so
\localwdmcserver\lib\libMagickCore.so.5
\localwdmcserver\lib\libMagickWand.so
\localwdmcserver\lib\libMagickWand.so.5
\localwdmcserver\lib\libpng.so
\localwdmcserver\lib\libpng16.so
\localwdmcserver\lib\libpng16.so.16
\localwdmcserver\lib\libsqlite3.so
\localwdmcserver\lib\libsqlite3.so.0
\localwdmcserver\lib\libswscale.so
\localwdmcserver\lib\libswscale.so.2
\localwdmcserver\lib\libtag.so
\localwdmcserver\lib\libtag.so.1
\localwdmcserver\lib\libtag_c.so
\localwdmcserver\lib\libtag_c.so.0
\localwdmcserver\lib\libtiff.so
\localwdmcserver\lib\libtiff.so.5
\localwdmcserver\lib\libtiffxx.so
\localwdmcserver\lib\libtiffxx.so.5
\localwdmcserver\lib\libwdlog.so
\localwdmcserver\lib\libxerces-c.so
\localwdmcserver\lib\libz.so
\localwdmcserver\lib\libz.so.1
\opt\wd\lib\boost\libboost_filesystem.so
\opt\wd\lib\boost\libboost_regex.so
\opt\wd\lib\boost\libboost_system.so
\opt\wd\lib\boost\libboost_thread.so
\opt\wd\lib\liblcd_management.so
\opt\wd\lib\libredhawk_button_monitor.so
\opt\wd\lib\libredhawk_hwlib_temperature_source.so
\opt\wd\lib\libredhawk_lcd_control.so
\opt\wd\lib\libredhawk_query_power_supply_state.so
\opt\wd\lib\libsprite_alert_interface.so
\opt\wd\lib\libsprite_button_monitor.so
\opt\wd\lib\libsprite_command_alert_interface.so
\opt\wd\lib\libsprite_drive_temperature_source.so
\opt\wd\lib\libsprite_hwlib_fan_controller.so
\opt\wd\lib\libsprite_lcd_control.so
\opt\wd\lib\libsprite_syslog_alert_interface.so
\opt\wd\lib\libstargate_query_power_supply_state.so
\opt\wd\lib\libthermal_management.so
\opt\wd\lib\libthermal_service.so
\opt\wd\lib\libwdhw.so
\sbin\dosfslabel
\sbin\elephantdriveDaemon
\sbin\mkdosfs
\sbin\mkfs.msdos
\sbin\mkfs.vfat
\usrlib\libip4tc.so
\usrlib\libip4tc.so.0
\usrlib\libip6tc.so
\usrlib\libip6tc.so.0
\usrlib\libiptc.so
\usrlib\libiptc.so.0
\usrlib\libxtables.so
\usrlib\libxtables.so.10
\usrsbin\ip6tables
\usrsbin\ip6tables-restore
\usrsbin\ip6tables-save
\usrsbin\iptables
\usrsbin\iptables-restore
\usrsbin\iptables-save
\usrsbin\up_send_ctl
\usrsbin\up_send_init_info
\default\config.xml
\lib\apache_modules\httpd.exp
\localorion\openvpnclient\client.ovpn.tpl
\localwdmcserver\bin\mime_types.txt
\localwdmcserver\bin\plugins.xml
\localwdmcserver\lib\ImageMagick-6.7.9\config\configure.xml
\localwdmcserver\lib\libpng.la
\rest-api\api\Auth\src\Auth\Controller\LocalLogin.php
\rest-api\api\Auth\src\Auth\User\Linux\UserManagerImpl.php
\rest-api\api\Core\src\Core\NasController.php
\rest-api\api\DlnaServer\src\DlnaServer\Model\DlnaServer.php
\rest-api\api\Filesystem\includes\transcoding.inc
\rest-api\api\Metadata\includes\db_info.inc
\rest-api\api\Metadata\includes\db_info_definitions.inc
\rest-api\api\Metadata\src\Metadata\Controller\MetaDbInfo.php
\rest-api\api\System\includes\NetworkWorkgroup.php
\rest-api\api\System\src\System\DateTime\Model\Configuration.php
\rest-api\api\TimeMachine\src\TimeMachine\Controller\TimeMachine.php
\rest-api\api\Usb\src\Usb\Controller\UsbDrive.php
\rest-api\api\Version\src\Version\ComponentVersion\build-number
\rest-api\api\Wifi\src\Wifi\Controller\CurrentWifiClientConnection.php
\rest-api\api\Wifi\src\Wifi\Controller\WifiClientAccessPoints.php
\script\system_init
\web\apache2\conf\mods-enabled\headers.conf
\web\apache2\conf\mods-enabled\rewrite.conf
\web\config\default_php.ini
\web\pages\addons\ftp_download.php
\web\pages\addons\jqueryFileTree.php
\web\pages\addons\safepoints_api.php
\web\pages\addons\web_file_server.html
\web\pages\addons\web_file_server_main.html
\web\pages\backups\elephant_drive.php
\web\pages\backups\internal_backup.php
\web\pages\backups\usb_backup.php
\web\pages\dsdk\DsdkProxy.php
\web\pages\function\abgne-minwt_selectmenu.js
\web\pages\function\batch_user.js
\web\pages\function\device.js
\web\pages\function\eula.js
\web\pages\function\groups.js
\web\pages\function\hd_ve.js
\web\pages\function\ipv6Diag.js
\web\pages\function\raid_create_diag.js
\web\pages\function\remote.js
\web\pages\function\snmp_v3.js
\web\pages\function\system.js
\web\pages\function\web_file_server_command.js
\web\pages\function\web_idle_timeout.js
\web\pages\jquery\ajaxfileupload\ajaxfileupload.js
\web\pages\jquery\jScrollPane\style\jquery.jscrollpane.css
\web\pages\jquery\uploader\uploadify.php
\web\pages\lib\login_checker.php
\web\pages\myHome\web_file_server.html
\web\pages\php\chk_vv_sharename.php
\web\pages\php\getADInfo.php
\web\pages\php\getLDAPInfo.php
\web\pages\php\improvement.php
\web\pages\php\modUserName.php
\web\pages\php\noHDD.php
\web\pages\php\phpWD.php
\web\pages\php\remoteBackups.php
\web\pages\php\sendLogToSupport.php
\web\pages\setting\diagnostics.html
\web\pages\setting\firmware_result.html
\web\pages\setting\snmpDiag.html
\web\pages\setting\upload.html
\web\pages\storage\hd_ve.html
\web\pages\storage\raid_cgi.php
\web\pages\users\groupDiag.html
\web\pages\users\groups.html
\web\pages\users\users.html
\web\pages\users\usersDiag.html
\web\pages\eula.php
\web\pages\google_analytics.php
\web\pages\home.php
\web\pages\index.php
\web\pages\myhome.php
\web\pages\noHDD.php
\web\pages\supportDiag.html

New files added to image.cfs version 2.31.149.

\lib\apache_modules\mod_proxy_hcheck.so
\lib\apache_modules\mod_proxy_html.so
\lib\apache_modules\mod_proxy_uwsgi.so
\lib\apache_modules\mod_xml2enc.so
\lib\php_extension\pam.so
\lib\libapr-1.so
\lib\libapr-1.so.0
\lib\libapr-1.so.0.6.3
\lib\libaprutil-1.so
\lib\libaprutil-1.so.0
\lib\libaprutil-1.so.0.6.1
\lib\libthreadutil.so.6
\lib\libupnp.so.6
\usrlib\xtables\libip6t_hl.so
\usrlib\xtables\libipt_ttl.so
\usrlib\xtables\libxt_CONNMARK.so
\usrlib\xtables\libxt_dscp.so
\usrlib\xtables\libxt_mark.so
\usrlib\xtables\libxt_rateest.so
\usrlib\xtables\libxt_set.so
\usrlib\xtables\libxt_tcpmss.so
\usrlib\xtables\libxt_tos.so
\usrsbin\send_log
\web\pages\jquery\js\jquery-3.3.1.min.js
\web\pages\jquery\js\jquery-migrate-1.4.1.min.js
\web\pages\php\sdownload.php
\web\pages\cgi_api.php

New files were also added to image.cfs version 2.31.149 in the following paths, but there are far too many files to list.

\perl5\lib\
\perl5\share\
\web\pages\WebHelp\

For those who are interested, I have neither the time nor the inclination to check all changes, so this will have to do.
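File lists like the ones in the post above come from comparing two extracted firmware trees by content. The following is an added example, not code from the thread or from WD: it assumes both image.cfs versions have already been extracted into two directories, and the function names and the sample trees built in `demo()` are constructed for illustration. Directories that are entirely new are reported as a path with a file count, which covers the "far too many files to list" case.

```python
import hashlib, os, tempfile
from pathlib import Path

def tree_hashes(root):
    """Map relative path -> SHA-256 of contents (symlinks: their target, never followed)."""
    out = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = Path(dirpath, name)
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                out[rel] = "link:" + os.readlink(full)
            elif full.is_file():  # skips plain directories, device nodes and FIFOs
                out[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return out

def diff_trees(old_root, new_root):
    old, new = tree_hashes(old_root), tree_hashes(new_root)
    # Every directory that already holds something in the old tree.
    old_dirs = {"/".join(p.split("/")[:i]) for p in old for i in range(1, p.count("/") + 1)}
    added_files, added_dirs = [], {}
    for p in sorted(new.keys() - old.keys()):
        parts = p.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i]) + "/"
            if prefix[:-1] not in old_dirs:  # whole directory is new: count it, don't list it
                added_dirs[prefix] = added_dirs.get(prefix, 0) + 1
                break
        else:
            added_files.append(p)
    return {"changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
            "removed": sorted(old.keys() - new.keys()),
            "added_files": added_files, "added_dirs": added_dirs}

def _write(root, rel, data):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():  # two tiny constructed trees, stand-ins rather than real firmware contents
    with tempfile.TemporaryDirectory() as tmp:
        old, new = os.path.join(tmp, "old"), os.path.join(tmp, "new")
        for root, ver in ((old, b"v1"), (new, b"v2")):
            _write(root, "web/pages/home.php", b"<?php // " + ver)
            _write(root, "script/system_init", b"#!/bin/sh\n")
        _write(old, "web/pages/old_only.php", b"x")
        _write(new, "web/pages/cgi_api.php", b"<?php")
        for i in range(5):
            _write(new, f"web/pages/WebHelp/topic{i}.htm", b"help")
        return diff_trees(old, new)
```

Run against real trees with `diff_trees("old_dir", "new_dir")`; the `changed` list is the place to start a manual review, since a matching path with a different hash is where a silent fix or regression would show up.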


#322

I’ve contacted WD about this and they’ve applied this patch in the firmware release; you’ll find it in the Samba source code in Open_Source_packages.
I’ve tested it myself with this and I can confirm it’s closed.
Note that the version number remained the same, which is why your security test complains about the Samba version.

GPL packages for the new release usually come within a week.


#323

Finally, something more concrete than the vague WD release notes, which often leave much to be desired. In this case, they could have easily noted that the patch had been applied and provided a link to the patch as you did in your reply.

Actually, I’ve noticed that it typically takes a minimum of a month for the GPL firmware source code to be released, and in most cases much longer. For example, here is a list of all PR4100 firmware bin file releases to date, where the first three are still awaiting a GPL firmware source code release. And for whatever reason… the GPL firmware source code for firmware version 2.30.172 has never been released, which also happens to be the same version where the SMB server (Samba) security vulnerability (CVE-2017-7494) was addressed.

My_Cloud_PR4100_2.31.149.bin (GPL Not Released)
My_Cloud_PR4100_2.30.196.bin (GPL Not Released)
My_Cloud_PR4100_2.30.195.bin (GPL Not Released)
My_Cloud_PR4100_2.30.193.bin
My_Cloud_PR4100_2.30.181.bin
My_Cloud_PR4100_2.30.172.bin (GPL Not Released)
My_Cloud_PR4100_2.30.165.bin
My_Cloud_PR4100_2.21.126.bin
My_Cloud_PR4100_2.21.119.bin
My_Cloud_PR4100_2.21.111.bin
My_Cloud_PR4100_2.20.202.bin

For comparison, here is a list of all PR4100 GPL firmware source code releases to date, where the last PR4100 release (2.30.193) is dated 5/02/2018, more than 6 months ago.

WDMyCloud_PR4100_GPL_v2.30.193_20180502.tar.gz
WDMyCloud_PR4100_GPL_v2.30.181_20180110.tar.gz
WDMyCloud_PR4100_GPL_v2.30.165_20170321.tar.gz
WDMyCloud_PR4100_GPL_v2.21.126_20161110.zip
WDMyCloud_PR4100_GPL_v2.21.119_20160901.tar.gz
WDMyCloud_PR4100_GPL_v2.21.111_20160629.tar.zip
WDMyCloud_PR4100_GPL_v2.20.202_20160512.tar.gz

Also, note the inconsistent archive file formats, which are a mixture of tar.gz, tar.zip and zip files.


#324

We’re working to release GPL for 2.31.149 ASAP!
Thanks for your patience.