Western Digital fixes remote execution bug in My Cloud Mirror
Cloudy storage kit needs firmware patch, will anybody notice?
Western Digital has issued a fix for its My Cloud Mirror backup disks, after ESET "detection engineer" Kacper Szurek found an authentication bypass with remote code execution in the system.
My Cloud Mirror is a backup hard drive product sold with personal cloud storage, which means the hardware might be left Internet-visible.
Szurek writes that the login form wasn't protected against command injection.
“The exec() function is used without using escapeshellarg() or escapeshellcmd(). So we can create string which looks like this: wto -n "a" || other_command || "" -g which means that wto and other_command will be executed.”
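The pattern Szurek describes, next to a hardened form, as an added illustration that is not Western Digital's firmware code. It assumes the login-form value is placed after `wto -n` as in the quoted string; the function names and the allow-list policy are hypothetical.

```php
<?php
// Added illustration; not code from the My Cloud Mirror firmware.
// Assumption: a login-form value lands after "wto -n", as in the quoted string.

// Vulnerable pattern: the value sits inside double quotes that it can close itself.
function build_wto_unsafe(string $value): string
{
    return 'wto -n "' . $value . '" -g';
}

// Hardened pattern: allow-list first, then quote the value as a single shell word.
function build_wto_safe(string $value): string
{
    // Hypothetical policy: starts with a letter or digit (so it cannot be read
    // as an option), then up to 31 letters, digits, '_', '.' or '-'.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,31}\z/', $value)) {
        throw new InvalidArgumentException('rejected value');
    }
    return 'wto -n ' . escapeshellarg($value) . ' -g';
}

// Constructed input that reproduces the string quoted in the article.
$crafted = 'a" || other_command || "';

// Unsafe builder: the closing quote ends the argument and || becomes a shell operator.
echo 'unsafe:   ', build_wto_unsafe($crafted), PHP_EOL;

// escapeshellarg() alone: the whole value becomes one quoted argument,
// so || is literal text handed to wto rather than shell syntax.
echo 'escaped:  ', 'wto -n ' . escapeshellarg($crafted) . ' -g', PHP_EOL;

// Safe builder: the crafted value never reaches a command line at all.
try {
    build_wto_safe($crafted);
} catch (InvalidArgumentException $e) {
    echo 'filtered: ', $e->getMessage(), PHP_EOL;
}

// An ordinary value passes the allow-list and is still quoted.
echo 'normal:   ', build_wto_safe('alice'), PHP_EOL;
```

Nothing here is passed to exec(); the script only prints the command strings so the difference in shell parsing can be compared side by side.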
There's a bunch of other bugs in the My Cloud Mirror 2.11.153 firmware, Szurek writes, mostly relating to parameters that aren't escaped.
The affected files in the firmware include index.php, chk_vv_sharename.php, modUserName.php, upload.php, and a gem in login_checker.php.
“Inside lib/login_checker.php there is login_check() function which is used to check if user is logged, but it’s possible to bypass this function because it simply checks if $_COOKIE['username'] and $_COOKIE['isAdmin'] exist.”
Western Digital fixed the issues in release 2.11.157 in late December – so make sure your box has updated itself. ®