A GulfTech researcher spotted multiple vulnerabilities In Western Digital's MyCloud products, some of which could lead to remote code execution and unauthorised access.
The vulnerabilities include unrestricted file uploads, a hardcoded backdoor and several malicious security issues including cross site request forgery, command injection, denial of service and information disclosure flaws, researcher James Bercegay said in a 4 January disclosure.
One of the more notable vulnerabilities was an unrestricted file upload that was caused by the misuse and misunderstanding of the PHP gethostbyaddr() function used within PHP, by the developer of this particular piece of code.
Remote exploitation could be achieved by an attacker sending a post request that contains a file using the parameter "Filedata", a location for the file to be upload to which is specified within the "folder" parameter, and of course a bogus "Host" header, Bercegay said in the post.
The researcher also wrote a Metasploit module to exploit this issue which uses the vulnerability to upload a PHP webshell that can be executed by requesting a URL. Researchers also found a hardcoded backdoor admin account that can't be changed.
“The login functionality specifically looks for an admin user named "mydlinkBRionyg" and will accept the password of "abc12345cba" if found,” the researcher said in the disclosure. “This is a classic backdoor.”
The backdoor allows for the pre auth remote root code execution on the affected device.
Affected products include MyCloud, MyCloudMirror, MyCloud Gen 2, MyCloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100.
Researchers claim to have notified the firm of the vulnerabilities in June of last year to which the firm requested 90 days before full disclosure. Users are urged to upgrade their firmware to version 2.30.174 to prevent exploitation.