Western Digital updated its MyCloud devices to fix a hardcoded backdoor admin account, in addition to other vulnerabilities.
The vulnerabilities affect WDMyCloud firmware releases prior to version 2.30.165 and devices such as MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100, officials said.
An attacker could leverage these vulnerabilities to gain remote root code execution, said GulfTech security researcher James Bercegay, who discovered the issues.
“The root of the problem here is due to the misuse and misunderstanding of the PHP gethostbyaddr() function used within PHP, by the developer of this particular piece of code. From the PHP manual this function's return values are defined as the following for gethostbyaddr(): ‘Returns the host name on success, the unmodified ip_address on failure, or FALSE on malformed input,’” Bercegay said.
The vulnerable code could give an attacker the ability to define a remote auth server.
Ideally, the check should fail whenever an invalid host is defined, but a series of bugs means the checks end up bypassed, letting an attacker exploit the issue to upload any file to the server.
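The misuse described above comes down to treating gethostbyaddr() as a yes/no answer when it actually has three distinct outcomes. The following PHP snippet is an added illustration, not Western Digital's code or anything from the GulfTech advisory: weakHostCheck() mirrors the misunderstanding in the abstract (any non-false result is taken as a resolved host), while strictHostCheck() distinguishes all three documented return values. The function names and the sample addresses are constructed for this example.

```php
<?php
// Added example, not Western Digital's code: handling the three documented
// return values of gethostbyaddr(). Function names and inputs are constructed.

declare(strict_types=1);

/**
 * Weak check, modelled on the misunderstanding described in the article.
 * gethostbyaddr() returns the *unmodified* IP string when the reverse lookup
 * fails, so an address with no PTR record is still "truthy" and passes here.
 */
function weakHostCheck(string $ip): bool
{
    $host = @gethostbyaddr($ip);   // @ silences the warning on malformed input
    return (bool) $host;           // true for a resolved name AND for an unresolved IP
}

/**
 * Corrected check: each documented outcome is handled explicitly.
 *   FALSE          -> malformed input, reject
 *   === $ip        -> lookup failed (value returned unmodified), reject
 *   anything else  -> a real host name came back
 * A syntactic IP check runs first so the resolver only sees well-formed input.
 */
function strictHostCheck(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                      // malformed, never reaches the resolver
    }
    $host = gethostbyaddr($ip);
    if ($host === false || $host === $ip) {
        return false;                      // malformed or unresolved
    }
    return true;
}

// Constructed inputs: loopback (normally has a reverse record), an address
// from the TEST-NET-1 documentation range (no reverse record, and the lookup
// may take a DNS timeout to fail), and a malformed string.
$samples = ['127.0.0.1', '192.0.2.1', 'not-an-ip'];

foreach ($samples as $ip) {
    printf("%-12s weak=%-7s strict=%s\n",
        $ip,
        weakHostCheck($ip) ? 'accept' : 'reject',
        strictHostCheck($ip) ? 'accept' : 'reject');
}
```

Run it with `php example.php`: the loopback address is accepted by both checks, the unresolvable address is accepted only by the weak check, and the malformed string is rejected by both. Correct return-value handling is only part of the fix, though. The article notes that the vulnerable code let an attacker define a remote auth server at all; a resolver check cannot compensate for accepting that setting from an unauthenticated client, and the hardened design keeps such a value out of the client's hands entirely.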
While analyzing CGI binaries on the webserver, Bercegay found code where login functionality would specifically look for an admin user named “mydlinkBRionyg” and would accept the password “abc12345cba.”
The backdoor could then be turned into a root shell, allowing an attacker to execute any commands as root and take control of the affected device. Damaging a device would be easy and would not require authentication.
“The triviality of exploiting these issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as ‘wdmycloud’ and ‘wdmycloudmirror’ etc.,” Bercegay said.
Firmware release 2.30.174 addresses the vulnerabilities.