WD My Cloud PoC exploit


bnbdr/wd-rce

Tested on WD My Cloud EX2 Ultra versions 2.31.149 and 2.31.163. Should work on other MyCloud models.

For the write-up go here.

Authentication bypass to acquire user-session (CVE-2019-9950)

  • login_mgr.cgi matches credentials against /etc/shadow, therefore the "nobody" account can be used to gain a low-privilege user session by providing "nobody"'s default, empty password.

Root-RCE using low-privilege session (CVE-2019-9949)

  1. cgi-bin/webfile_mgr.cgi allows an attacker in the same network to perform command injection by abusing the "name" parameter to the cgi_unzip command.

  2. cgi-bin/webfile_mgr.cgi allows an attacker in the same network to issue the cgi_untar command on a user-controlled archive to create a persistent symbolic link on the filesystem which can be written into by issuing the command again.
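
A defensive pre-extraction check for the symbolic link issue in item 2, as an added example that is not code from this repository or from the WD firmware: it refuses link members and any member whose path resolves outside the destination, including through a link already on disk. The function names, the sample archives and the paths are assumptions constructed for illustration.

```python
import io
import os
import tarfile


def unsafe_members(archive: tarfile.TarFile, dest: str) -> list:
    """Return the reasons this archive must not be extracted into dest."""
    root = os.path.realpath(dest)
    problems = []
    for m in archive.getmembers():
        if m.issym() or m.islnk():
            # Refuse to create links at all: a link that persists on disk
            # is what a later extraction could be written through.
            problems.append(f"{m.name}: link member -> {m.linkname}")
            continue
        if not (m.isfile() or m.isdir()):
            problems.append(f"{m.name}: special file type")
            continue
        # realpath() follows links that already exist under dest, so a
        # member whose path crosses one resolves outside root.
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            problems.append(f"{m.name}: resolves outside {root}")
    return problems


def build_tar(entries):
    """Constructed sample input: entries are (name, link_target_or_None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link is None:
                info.size = 6
                tar.addfile(info, io.BytesIO(b"sample"))
            else:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as share:  # stand-in for a share dir
        print(unsafe_members(build_tar([("docs/readme.txt", None)]), share))
        print(unsafe_members(build_tar([("shortcut", "/placeholder")]), share))
```

An extractor would call `unsafe_members` before writing anything and abort on a non-empty result, so the archive is rejected as a whole.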

Unauthenticated file upload (CVE-2019-9951)

The page web/jquery/uploader/uploadify.php can be accessed without any credentials and allows uploading arbitrary files to any location on the attached storage under either:

  • /mnt/HD
  • /mnt/USB
  • /mnt/isoMount

Disclosure timeline

  • 2019-01-20 🍄 reported to psirt@wdc.com with 30-day deadline
  • 2019-01-22 ᴡᴅ sent an automated(?) response
  • 2019-02-05 🍄 requested confirmation of issues
  • 2019-02-06 ᴡᴅ asked for 90 days to fix the issues
  • 2019-03-05 🍄 requested status update
  • 2019-03-15 ᴡᴅ asked for additional 90-day extension
  • 2019-03-16 🍄 agreed on 30-day extension
  • 2019-03-27 ᴡᴅ released first patch (CVE-2019-9950, CVE-2019-9951)
  • 2019-05-20 ᴡᴅ release of second patch (CVE-2019-9949)
  • 2019-05-22 🍄 public disclosure
