My Cloud Vulnerability Comparison


#1

Recent My Cloud vulnerabilities were reported by GulfTech, as shown in their report linked below.

http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125

This case is particularly confusing because a number of products are listed as being vulnerable, yet available evidence seems to indicate that at least one reported vulnerability (backdoor) may not apply to all devices and/or firmware versions. To attempt to clear up some confusion, I downloaded and directly examined recent firmware bin files for various My Cloud models to see if vulnerable files are present.

DISCLAIMER: No attempt was made to reproduce and/or verify reported vulnerabilities, only that vulnerable files and/or code is present as reported. The following results are believed to be accurate, but mistakes can happen, so users should always perform their own verification regardless.

###########################################################################
#             WDMyCloud <= 2.30.165 Multiple Vulnerabilities              #
###########################################################################

Released Date: 2018-01-04
Last Modified: 2017-06-11
 Company Info: Western Digital
 Version Info: 
              Vulnerable
               MyCloud 
               MyCloudMirror 
               My Cloud Gen 2
               My Cloud PR2100
               My Cloud PR4100
               My Cloud EX2 Ultra
               My Cloud EX2
               My Cloud EX4
               My Cloud EX2100
               My Cloud EX4100
               My Cloud DL2100
               My Cloud DL4100

              Not Vulnerable
               MyCloud 04.X Series
               MyCloud 2.30.174

01 - Unrestricted file upload (CVE-2017-17560)

/usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php

My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.172.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (vulnerable)

02 - Hard coded backdoor

/usr/local/modules/cgi/nas_sharing.cgi

My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (not vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (not vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (not vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (not vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (not vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable) <-- Not a Mistake
EX2100 - My_Cloud_EX2100_2.30.172.bin (not vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (not vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (not vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (not vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (not vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (not vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (not vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (not vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (not vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (not vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (not vulnerable)

03.1 - Cross site request forgery

/usr/local/modules/web/pages/dsdk/DsdkProxy.php

My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.172.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (vulnerable)

03.2 - Command injection

Too many vulnerable files to list.

My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.172.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (vulnerable)

The status of other firmware versions and/or reported vulnerabilities is unknown.


#2

Thanks for the overview.
The command injection is post auth, but it can be any user without admin rights, correct?


#3

Yes, per the report, that appears to be the case.


#4

The following vulnerabilities have been tested and verified on a WD My Cloud PR4100 running firmware version 2.30.172. These hacks are trivial to execute, and within seconds I had unrestricted shell access, requiring no authentication whatsoever.

01 - Unrestricted file upload
03.1 - Cross site request forgery
03.2 - Command injection

I won’t post instructions here, but they are readily available elsewhere online.


#5

There seems to be a great deal of confusion as to what firmware versions may or may not be vulnerable, so here are steps any user can take to see for themselves. These steps will not show how to actually exploit any given vulnerability, only how to compare files and note any changes which may have taken place.

First, download and install 7-Zip for Windows, then download the appropriate firmware versions for comparison.

7-Zip for Windows:

http://www.7-zip.org/download.html

My Cloud Gen 2 Firmware:

http://download.wdc.com/nas/My_Cloud_GLCR_2.30.165.bin
http://download.wdc.com/nas/My_Cloud_GLCR_2.30.172.bin

My Cloud PR4100 Firmware:

http://download.wdc.com/nas/My_Cloud_PR4100_2.30.165.bin
http://download.wdc.com/nas/My_Cloud_PR4100_2.30.172.bin

In this case, firmware versions 2.30.165 and 2.30.172 will be compared for both the single bay My Cloud Gen 2 and the quad bay My Cloud PR4100. These models represent each end of the spectrum, thus giving a good basis for comparison. Other models and firmware versions may also be compared using the steps outlined below.

After downloading and installing 7-Zip for Windows, navigate to the downloaded firmware bin file for any given firmware image, then right click on the file and navigate to "7-Zip / Open Archive / #". This causes 7-Zip to open files using a special parsing mode, thus it attempts to distinguish individual files based on their type.

A list of compressed files should be shown. Double click on the 6.squashfs file to open it using 7-Zip. This is the firmware image.cfs file without the header, which is contained in the 5 file just above it.

A different list of folders and files should be shown. These are the basis for much of the firmware root filesystem, which is reloaded after every reboot. In this case, the vulnerable multi_uploadify.php file will be used as a basis for comparison, but other vulnerable files may be compared using a similar method, except that the paths may vary.

My_Cloud_GLCR_2.30.165.bin\6.squashfs\web\pages\jquery\uploader\

Navigate by double clicking folders until the correct path is displayed in the 7-Zip address bar, located just above the file list window.

Right click on the multi_uploadify.php file and click “Edit” to open it in a text editor, then select all text and copy it to the clipboard.

Open a web browser and visit the Diff Checker website, located at the following URL. Alternatively, one may use a different diff checker if they wish.

https://www.diffchecker.com

To keep things simple, it’s best to open the multi_uploadify.php file from the single bay My Cloud Gen 2 firmware version 2.30.165, then paste its contents into the first (left) Diff Checker website window. The second (right) Diff Checker website window will be used to paste text to be compared against the original text. This will serve as the basis of comparison for all subsequent firmware versions one wishes to check.

My_Cloud_GLCR_2.30.165.bin <--> My_Cloud_GLCR_2.30.172.bin
My_Cloud_GLCR_2.30.165.bin <--> My_Cloud_PR4100_2.30.165.bin
My_Cloud_GLCR_2.30.165.bin <--> My_Cloud_PR4100_2.30.172.bin
My_Cloud_GLCR_2.30.165.bin <--> etc...

Note: This process only works for text files. Binary files must be extracted and compared using different methods.

As you can see, in virtually all firmware versions compared, regardless of the My Cloud model, the multi_uploadify.php file is identical. Given the fact that the file has been tested and confirmed to be vulnerable on the My Cloud PR4100 running firmware version 2.30.172, it stands to reason that the file is very likely to be vulnerable on other models and firmware versions too.
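The same comparison can be scripted on Linux instead of clicking through 7-Zip and a web diff site. The script below is an added example written for this thread; it is not from the original post, from GulfTech or from Western Digital. It replicates what 7-Zip's "Open Archive / #" mode does by scanning each .bin for an embedded squashfs v4 superblock, carves that filesystem out, pulls the one file of interest with unsquashfs (from squashfs-tools, assumed installed), and then groups the firmware images by the SHA-256 of that file and prints a unified diff against the first image. The image names and the web/pages/jquery/uploader/multi_uploadify.php path are the ones discussed in the thread; the superblock layout used (little-endian magic "hsqs", version_major at offset 28, bytes_used at offset 40) and the assumption that a plain magic scan is enough to find the root filesystem in these .bin files are the example's own. build_synthetic_image builds a constructed, empty image so the scanner can be exercised offline without any firmware download.

```python
"""Find the squashfs root filesystem inside WD My Cloud firmware .bin files,
extract one file from each, and compare that file across images.

Added example for the thread above (not the poster's, GulfTech's or WD's code).
Assumes: squashfs v4, little-endian ("hsqs") superblocks and an installed
`unsquashfs` (squashfs-tools) for the extraction step."""
import difflib
import hashlib
import struct
import subprocess
import sys
import tempfile
from pathlib import Path

SQUASHFS_MAGIC_LE = b"hsqs"   # little-endian squashfs superblock magic
SUPERBLOCK_LEN = 96           # size of a squashfs v4 superblock


def find_squashfs(data: bytes):
    """Return (offset, length) for every plausible squashfs v4 image in data.

    Like 7-Zip's "#" mode, this ignores the outer container format and scans
    for the embedded filesystem signature directly.  A stray "hsqs" inside
    compressed data is filtered out by checking the version field."""
    found = []
    pos = data.find(SQUASHFS_MAGIC_LE)
    while pos != -1 and pos + SUPERBLOCK_LEN <= len(data):
        version_major = struct.unpack_from("<H", data, pos + 28)[0]  # u16 @ +28
        bytes_used = struct.unpack_from("<Q", data, pos + 40)[0]     # u64 @ +40
        if version_major == 4 and 0 < bytes_used <= len(data) - pos:
            found.append((pos, bytes_used))
        pos = data.find(SQUASHFS_MAGIC_LE, pos + 1)
    return found


def build_synthetic_image(prefix: bytes, payload: bytes) -> bytes:
    """Constructed test fixture: a fake header, a minimal v4 superblock that
    claims SUPERBLOCK_LEN + len(payload) bytes, then the payload."""
    sb = bytearray(SUPERBLOCK_LEN)
    sb[0:4] = SQUASHFS_MAGIC_LE
    struct.pack_into("<H", sb, 28, 4)
    struct.pack_into("<Q", sb, 40, SUPERBLOCK_LEN + len(payload))
    return prefix + bytes(sb) + payload


def carve(image: Path, out_dir: Path) -> Path:
    """Write the first squashfs found in image to out_dir and return its path."""
    data = image.read_bytes()
    hits = find_squashfs(data)
    if not hits:
        raise ValueError(f"no squashfs v4 superblock found in {image}")
    offset, length = hits[0]
    carved = out_dir / (image.stem + ".squashfs")
    carved.write_bytes(data[offset:offset + length])
    return carved


def extract_file(squashfs: Path, inner_path: str, out_dir: Path) -> bytes:
    """Extract a single file with unsquashfs and return its bytes."""
    dest = out_dir / (squashfs.stem + "_root")
    subprocess.run(["unsquashfs", "-n", "-f", "-d", str(dest), str(squashfs), inner_path],
                   check=True, capture_output=True)
    return (dest / inner_path).read_bytes()


def compare_versions(files: dict) -> dict:
    """Group image names by SHA-256 of the extracted file.  A single group means
    the file is byte-identical in every image, which is the point the thread
    makes about multi_uploadify.php."""
    groups = {}
    for name, content in files.items():
        groups.setdefault(hashlib.sha256(content).hexdigest(), []).append(name)
    return groups


def unified_diff(base_name: str, base: bytes, other_name: str, other: bytes) -> str:
    """Text diff of two extracted files (binary files need another method)."""
    return "".join(difflib.unified_diff(
        base.decode("utf-8", "replace").splitlines(keepends=True),
        other.decode("utf-8", "replace").splitlines(keepends=True),
        fromfile=base_name, tofile=other_name))


def main(argv):
    # usage: compare_fw.py <path inside squashfs> image1.bin image2.bin ...
    inner_path, images = argv[1], [Path(p) for p in argv[2:]]
    files = {}
    with tempfile.TemporaryDirectory() as tmp:
        for img in images:
            files[img.name] = extract_file(carve(img, Path(tmp)), inner_path, Path(tmp))
    for digest, names in compare_versions(files).items():
        print(digest[:16], ", ".join(names))
    base = images[0].name
    for name in list(files)[1:]:
        if files[name] != files[base]:
            print(unified_diff(base, files[base], name, files[name]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 compare_fw.py web/pages/jquery/uploader/multi_uploadify.php My_Cloud_GLCR_2.30.165.bin My_Cloud_GLCR_2.30.172.bin My_Cloud_PR4100_2.30.165.bin My_Cloud_PR4100_2.30.172.bin` after downloading the images from the URLs above; one hash group in the output means the file did not change between those images, and any diff printed shows exactly what did. The hash comparison also works for binary files such as nas_sharing.cgi, where the text-diff step is not meaningful.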


#6

#8

I just wanted to update you all on this issue. We have released a new FW available today for manual download and installation. It will be available for pushed OTA FW update next week. Please see the post below.