This Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183.
0ce2f1497429d5e02113422d33a5d38d119e0b68b4af0aa04d5b4189b6ef07f8
It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device. This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.
d932fe2ac618b65b67fd2884481f4279bcc3c61802d9521bc7877fecf8dee16b
Western Digital My Cloud with firmware version 2.21.126 suffers from an authentication bypass vulnerability that allows escalation to administrative privileges.
c88ab660fa85b41bb542f8f2b6aed37318c1e0f94c9900423143b3b9734eae97
Western Digital My Cloud suffers from a cross site request forgery vulnerability.
f1e32d8e968407585ee06292217c02999f1e2895ad2428169eed455bb97ada76
Western Digital My Cloud suffers from a buffer overflow vulnerability that allows for remote code execution.
ef3db28b5d65198fc1596ad5bd1da3b198bc041b628b4020a65fe4abaae4f4fe
Western Digital My Cloud suffers from multiple command injection vulnerabilities.
9d9db6ddc52d6fbe5d8a6f1251995090267e44bb3456666b4cd1502963749ddc
Western Digital My Cloud with firmware version 2.21.119 suffers from an authentication bypass vulnerability.
07f438c38cd48633a9f62d69405eb28f29efca802afed3c49bd9740875178ddc
WordPress Google Analytics Counter Tracker plugin version 3.1.5 suffers from an unauthenticated PHP object injection vulnerability.
01654689636bef5925c245d7d1217729afb3e51f7b76fc4dde4ed5b426e5deed
WordPress Calendar plugin version 1.3.7 suffers from a cross site scripting vulnerability.
ea052d53851c7851e99b09704105a6c6efd2ea912fa3031b5a38723b58c17e60