Security researchers at VerSprite have tested and discovered a few vulnerabilities in Western Digital's My Cloud NAS (Network Attached Storage) hard drive, marketed by the company as your own personal cloud server.
This device, sold across the world, allows users to place it in their home and access it via a local network, or even via an Internet connection when traveling around the globe.
It works the same way as any other cloud storage system, only you always know where your server is: on your desk, in the living room. As VerSprite researchers are now explaining, the WD My Cloud device, which runs a version of Debian Linux, allows users to interact with it via two methods: a Web-accessible UI (http://wdmycloud.local/UI/) and a RESTful API (http://wdmycloud.local/api/). By studying these system entry points, researchers were able to find two major flaws: a command injection issue and a cross-site request forgery (“CSRF”) vulnerability.
Command injection permitted by an unsanitized API
The first can be exploited only by users with authorized access to the device, by uploading large files of over 2GB, which are given malicious names. Because the My Cloud's API does not sanitize this file names, attackers can insert various commands, and easily give themselves root access to the device. A proof-of-concept video is embedded at the end of this post.
In case the attacker does not have physical access to the device, VerSprite researchers also detail a variation of this exploit, one in which the attacker places their 2GB file with the malicious name in the device's "Public" folder, which is created by default and made available to the local network for all devices with network or Internet access enabled.
Whenever an authenticated user would navigate to the Public folder using their Windows, Linux, or Mac My Cloud client application, the command in the file's name would be executed against the device's API, with the authenticated user's permissions. The file's name could in these cases contain instructions to create a new root-level user for the attacker.
CSRF attacks via the My Cloud Web application
The second vulnerability VerSprite security researchers found was in the device's Web application, which "do[es] not differentiate between genuine and forged HTTP requests," facilitating basic CSRF attacks. This vulnerability is a little bit harder to exploit since Internet access needs to be enabled, along with access to a valid session cookie and information about the WD My Cloud’s hostname or IP addresses.
Researchers say that, by using social engineering tricks and WebRTC, the chances of this vulnerability to work can be improved, which would allow hackers to carry out reverse shell attacks. As before, a proof-of-concept video is also provided. VerSprite confirms that firmware versions 04.01.03-421 and 04.01.04-422 are vulnerable, and Western Digital's staff are already preparing patches to be launched in the coming days.