Security/Privacy Vulnerability Found in Firmware Version 2.30.165

I just found a security/privacy vulnerability in the latest firmware version 2.30.165 for the My Cloud PR4100 NAS, but it likely affects many other models too. It’s possible that this security/privacy vulnerability may have been reported previously, although I have seen no mention of it.

The dashboard has an option where a user can generate system logs (which are quite extensive) and send them to WD Support along with a request for help.

The “Request Automated Support” section calls a PHP page named sendLogToSupport.php to generate the log file, then upload it to an FTP server. The user names and passwords are hard-coded into the source code, and the zip file is not encrypted. Not to mention the fact that FTP is NOT secure. The full system URL to the PHP page is as follows:

http://MyCloudPR4100/web/php/sendLogToSupport.php

The following is a code snippet highlighting the security/privacy vulnerability.

$accountPw = "bnfa_user:4bnfa_u!";
$folderName = "bnfa";
$curlCmd = "curl --silent -4 -T \"$logFilePath\" \"ftp://ftpext2.wdc.com\" --user \"$accountPw\" ; echo $?";
$output = shell_exec($curlCmd);

The following is the complete function where the code shown above is executed.

function send_log($dev) {
    $serial_num = get_serial_number();
    $time_stamp = time();

    if (strlen($serial_num) == 0) {
        //echo "<info><status>ng</status></info>";
        //return;

        $serial_num = "WXF1A61E2119";
    }
    $logFilename = "systemLog_".$dev."_".$serial_num."_".$time_stamp;
    $logFilePath = "/tmp/$logFilename.zip"; //systemLog_LT4A_WCAZA0470171_1338507712.zip

    $accountPw = "lt4a_user:4lt4a_u!";
    $folderName = "";
    switch ($dev) {
        case 'BZVM': //zion
            $accountPw = "bzvm_user:4bzvm_u!";
            break;
        case 'KC2A': //kc
            $accountPw = "kc2a_user:4kc2a_u!";
            break;
        case 'LT4A': //lt4a
            $accountPw = "lt4a_user:4lt4a_u!";
            break;
        case 'GLCR': //glacier
            $accountPw = "glcr_user:4glcr_u!";
            $folderName = "glcr";
            break;
        case 'BWZE': //yellowstone
            $accountPw = "bwze_user:4bwze_u!";
            $folderName = "bwze";
            break;
        case 'BWAZ': //yosemite
            $accountPw = "bwaz_user:4bwaz_u!";
            $folderName = "bwaz";
            break;
        case 'BNEZ': //sprite
            $accountPw = "bnez_user:4bnez_u!";
            $folderName = "bnez";
            break;
        case 'BBAZ': //aurora
            $accountPw = "bbaz_user:4bbaz_u!";
            $folderName = "bbaz";
            break;
        case 'BG2Y': //black ice
            $accountPw = "bg2y_user:4bg2y_u!";
            $folderName = "bg2y";
            break;
        case 'BAGX': //Mirrorman
            $accountPw = "bagx_user:4bagx_u!";
            $folderName = "bagx";
            break;
        case 'BWVZ': //GrandTeton
            $accountPw = "bwvz_user:4bwvz_u!";
            $folderName = "bwvz";
            break;
        case 'BVBZ': //Ranger Peak 
            $accountPw = "bvbz_user:4bvbz_u!";
            $folderName = "bvbz";
            break;
        case 'BNFA': //Black Canyon
            $accountPw = "bnfa_user:4bnfa_u!";
            $folderName = "bnfa";
            break;
        case 'BBCL': //Bryce Canyon
            $accountPw = "bbcl_user:4bbcl_u!";
            $folderName = "bbcl";
            break;
    }

    if (get_system_log($logFilePath, $logFilename)) {
        //curl -4 -T $logFilePath ftp://ftpext2.wdc.com --user ${supportFTPLogin} 2> /dev/null
        $curlCmd = "curl --silent -4 -T \"$logFilePath\" \"ftp://ftpext2.wdc.com\" --user \"$accountPw\" ; echo $?";

        //CURLE_LOGIN_DENIED (67)

        $output = shell_exec($curlCmd);
        unlink($logFilePath);
        $output = trim($output, "\n");
        header('Content-type: text/xml');
        echo "<info><status>ok</status><logfile>$logFilename.zip</logfile><serial_num>$serial_num</serial_num><code>$output</code></info>";
    } else {
        header('Content-type: text/xml');
        echo "<info><status>ng</status><code>-1</code><msg>Error in generating system log.</msg><path>$logFilePath</path><file>$logFilename</file></info>";
    }
}
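
One way to catch this class of defect before firmware ships is a source audit. The scanner below is an added example (not part of the original post and not WD's code): it runs over the four-line snippet quoted above, flags the hard-coded user:password literal, the ftp:// upload target and the shell_exec() call fed a command string built by variable interpolation, and comes back clean on an assumed hardened rewrite (HTTPS through PHP's curl extension, credential read from the environment; support-upload.example is a placeholder host). The regexes are this example's own assumptions; run over the full send_log() function, the same patterns would flag every case of the switch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: the four-line snippet quoted in the post, kept verbatim so
# the scanner can be checked against a known-vulnerable sample.
VULNERABLE_PHP = r'''$accountPw = "bnfa_user:4bnfa_u!";
$folderName = "bnfa";
$curlCmd = "curl --silent -4 -T \"$logFilePath\" \"ftp://ftpext2.wdc.com\" --user \"$accountPw\" ; echo $?";
$output = shell_exec($curlCmd);
'''

# Constructed counterpart (an assumption of this example, not a WD fix):
# credential from the environment, HTTPS upload via PHP's curl extension,
# and no shell command string at all. support-upload.example is a placeholder.
HARDENED_PHP = r'''$accountPw = getenv('SUPPORT_UPLOAD_CREDENTIALS');
$ch = curl_init('https://support-upload.example/logs/' . rawurlencode($logFilename) . '.zip');
curl_setopt($ch, CURLOPT_USERPWD, $accountPw);
curl_setopt($ch, CURLOPT_UPLOAD, true);
curl_setopt($ch, CURLOPT_INFILE, fopen($logFilePath, 'rb'));
$output = curl_exec($ch);
'''

# A double-quoted string literal assigned to a variable: $name = "...";
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# A literal of the form user:password with no whitespace (curl --user syntax)
CREDENTIAL_RE = re.compile(r'^[A-Za-z0-9_.-]+:\S+$')
# URL schemes that carry credentials and payload in clear text
CLEARTEXT_RE = re.compile(r'\b(ftp|http|telnet)://', re.IGNORECASE)
# PHP shell-execution functions called with a variable as first argument
SHELL_CALL_RE = re.compile(r'\b(shell_exec|exec|system|passthru|popen)\s*\(\s*\$(\w+)')
# PHP variable interpolation inside a double-quoted string (a \$ is escaped)
INTERPOLATION_RE = re.compile(r'(?<!\\)\$\w+')


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def scan_php(source: str) -> List[Finding]:
    """Single pass over PHP source, flagging the three weaknesses seen in send_log()."""
    findings: List[Finding] = []
    # variable name -> line where it was built by string interpolation
    interpolated: Dict[str, int] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, value in ASSIGN_RE.findall(line):
            if CREDENTIAL_RE.match(value):
                findings.append(Finding(lineno, "hardcoded_credential",
                                        f"${name} is assigned a user:password literal"))
            if CLEARTEXT_RE.search(value):
                findings.append(Finding(lineno, "cleartext_transport",
                                        f"${name} references a cleartext URL scheme"))
            if INTERPOLATION_RE.search(value):
                interpolated[name] = lineno
        call = SHELL_CALL_RE.search(line)
        if call:
            func, var = call.groups()
            if var in interpolated:
                findings.append(Finding(lineno, "shell_interpolation",
                                        f"{func}(${var}) runs a command string built by "
                                        f"interpolation on line {interpolated[var]}"))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        results = scan_php(src)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

The scanner deliberately tracks which variables were built by interpolation rather than flagging every shell_exec() call, so a command assembled from a fixed string is not reported; the point is the combination of a shell string and data it did not validate. The hardened sample also drops the zip-file question only halfway: transport encryption protects the archive in transit, but the log contents still need the redaction the later reply asks for before they leave the device.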

Hope you sent this post to WD directly. Also, is this firmware MORE secure overall than previous ones, and do you recommend installing it now or staying with the older one?

I looked at what was in a system log file, and would never send one to WD without serious redaction. And I wouldn’t send it using the automated system…

Good to know. I was not going to install the new F/W on my DL2100 until the first person said, yea, it is OK, no problems so far!