This Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183.
0ce2f1497429d5e02113422d33a5d38d119e0b68b4af0aa04d5b4189b6ef07f8It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device. This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.
d932fe2ac618b65b67fd2884481f4279bcc3c61802d9521bc7877fecf8dee16bWestern Digital My Cloud with firmware version 2.21.126 suffers from an authentication bypass vulnerability that allows escalation to administrative privileges.
c88ab660fa85b41bb542f8f2b6aed37318c1e0f94c9900423143b3b9734eae97Western Digital My Cloud suffers from a cross site request forgery vulnerability.
f1e32d8e968407585ee06292217c02999f1e2895ad2428169eed455bb97ada76Western Digital My Cloud suffers from a buffer overflow vulnerability that allows for remote code execution.
ef3db28b5d65198fc1596ad5bd1da3b198bc041b628b4020a65fe4abaae4f4feWestern Digital My Cloud suffers from multiple command injection vulnerabilities.
9d9db6ddc52d6fbe5d8a6f1251995090267e44bb3456666b4cd1502963749ddcWestern Digital My Cloud with firmware version 2.21.119 suffers from an authentication bypass vulnerability.
07f438c38cd48633a9f62d69405eb28f29efca802afed3c49bd9740875178ddcWordPress Google Analytics Counter Tracker plugin version 3.1.5 suffers from an unauthenticated PHP object injection vulnerability.
01654689636bef5925c245d7d1217729afb3e51f7b76fc4dde4ed5b426e5deedWordPress Calendar plugin version 1.3.7 suffers from a cross site scripting vulnerability.
ea052d53851c7851e99b09704105a6c6efd2ea912fa3031b5a38723b58c17e60
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed