There seems to be a great deal of confusion as to what firmware versions may or may not be vulnerable, so here are steps any user can take to see for themselves. These steps will not show how to actually exploit any given vulnerability, only how to compare files and note any changes which may have taken place.
First, download and install 7-Zip for Windows, then download the appropriate firmware versions for comparison.
7-Zip for Windows:
My Cloud Gen 2 Firmware:
My Cloud PR4100 Firmware:
In this case, firmware versions 2.30.172 will be compared for both the single bay My Cloud Gen 2 and the quad bay My Cloud PR4100. These models represent each end of the spectrum, thus giving a good basis for comparison. Other models and firmware versions may also be compared using the steps outlined below.
After downloading and installing 7-Zip for Windows, navigate to the downloaded firmware bin file for any given firmware image, then right click on the file and navigate to "7-Zip / Open Archive / #". This causes 7-Zip to open files using a special parsing mode, thus it attempts to distinguish individual files based on their type.
A list of compressed files should be shown. Double click on the 6.squashfs file to open it using 7-Zip. This is the firmware image.cfs file without the header, which is contained in the 5 file just above it.
A different list of folders and files should be shown. These are the basis for much of the firmware root filesystem, which is reloaded after every reboot. In this case, the vulnerable multi_uploadify.php file will be used as a basis for comparison, but other vulnerable files may be compared using a similar method, except that the paths may vary.
Navigate by double clicking folders until the correct path is displayed in the 7-Zip address bar, located just above the file list window.
Right click on the multi_uploadify.php file and click “Edit” to open it in a text editor, then select all text and copy it to the clipboard.
Open a web browser and visit the Diff Checker website, located at the following URL. Alternatively, one may use a different diff checker if they wish.
To keep things simple, it’s best to open the multi_uploadify.php file from the single bay My Cloud Gen 2 firmware version 2.30.165, then paste its contents into the first (left) Diff Checker website window. The second (right) Diff Checker website window will be used to paste text to be compared against the original text. This will serve as the basis of comparison for all subsequent firmware versions one wishes to check.
My_Cloud_GLCR_2.30.165.bin <--> My_Cloud_GLCR_2.30.172.bin
My_Cloud_GLCR_2.30.165.bin <--> My_Cloud_PR4100_2.30.165.bin
My_Cloud_GLCR_2.30.165.bin <--> My_Cloud_PR4100_2.30.172.bin
My_Cloud_GLCR_2.30.165.bin <--> etc...
Note: This process only works for text files. Binary files must be extracted and compared using different methods.
As you can see, in virtually all firmware versions compared, regardless of the My Cloud model, the multi_uploadify.php file is identical. Given the fact that the file has been tested and confirmed to be vulnerable on the My Cloud PR4100 running firmware version 2.30.172, it stands to reason that the file is very likely to be vulnerable on other models and firmware versions too.
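The same baseline comparison can be scripted once each 6.squashfs has been extracted to its own folder. This is an added example, not part of the original post. It assumes one folder per firmware image named after the bin file, finds the file by name because the path may vary between models, and uses constructed stand-in file contents and sub-paths for the demo.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def find_file(root, name):
    """Locate `name` anywhere under an extracted firmware tree (paths vary by model)."""
    matches = sorted(p for p in Path(root).rglob(name) if p.is_file())
    if not matches:
        raise FileNotFoundError(f"{name} not found under {root}")
    return matches[0]


def compare_to_baseline(baseline_root, other_roots, name):
    """Return {tree name: (identical, unified diff lines)} against the baseline copy."""
    base = find_file(baseline_root, name).read_bytes()
    base_hash = hashlib.sha256(base).hexdigest()
    base_lines = base.decode("utf-8", "replace").splitlines()
    results = {}
    for root in other_roots:
        data = find_file(root, name).read_bytes()
        # Hash equality also works for binary files; the text diff does not.
        same = hashlib.sha256(data).hexdigest() == base_hash
        diff = [] if same else list(difflib.unified_diff(
            base_lines, data.decode("utf-8", "replace").splitlines(),
            fromfile=Path(baseline_root).name, tofile=Path(root).name, lineterm=""))
        results[Path(root).name] = (same, diff)
    return results


def demo():
    """Compare constructed stand-in trees; real use passes extracted firmware folders."""
    text = "constructed line one\nconstructed line two\n"
    trees = {  # tree name -> (constructed sub-path, constructed contents)
        "My_Cloud_GLCR_2.30.165": ("dir_a/multi_uploadify.php", text),
        "My_Cloud_GLCR_2.30.172": ("dir_b/sub/multi_uploadify.php", text),
        "constructed_modified": ("dir_a/multi_uploadify.php", text + "extra line\n"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, (rel, body) in trees.items():
            path = Path(tmp, tree, rel)
            path.parent.mkdir(parents=True)
            path.write_text(body)
        roots = [Path(tmp, t) for t in trees]
        return compare_to_baseline(roots[0], roots[1:], "multi_uploadify.php")


if __name__ == "__main__":
    for tree, (same, diff) in demo().items():
        print(tree, "IDENTICAL" if same else "DIFFERS")
        print("\n".join(diff))
```

For real firmware, call `compare_to_baseline` with the extracted My_Cloud_GLCR_2.30.165 folder as the baseline and the other extracted folders as the list to check.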