vastom.blogg.se

Buffer overrun pro tools 12 mac

In October 2020, the Pwn2Own Tokyo 2020 announcement caught our attention. Even though originally we hadn’t planned to participate, we checked out the target list and decided to take a look at one of the targets to see where that would lead us.

Since some on the team had worked on similar devices in the past, we chose the Western Digital My Cloud Pro Series PR4100 NAS. While eagerly waiting for the device to arrive, our researchers decided to download the device firmware from the vendor’s website and begin investigating. Shortly after we started looking into the firmware, we identified a powerful pre-authentication stack-based buffer overflow bug, which turned out to be interesting to exploit on the actual device. However, while we were able to identify two reliable exploitation methods, Western Digital released the initial public version 5.04.114 of My Cloud OS 5 on October 27, 2020. Among other major changes, that version no longer used the vulnerable code we had looked into. With only about a week left until Pwn2Own, we decided not to submit our research and to consider participation in the next iteration, giving us a bit more lead time.

Nevertheless, we still wanted to make sure that the bug was indeed fixed properly, so we contacted the Western Digital Product Security Incident Response Team (PSIRT), which quickly confirmed that they were already aware of the issue and that it had been addressed in the latest version 5.04.114 of the firmware. The following provides more details on the vulnerability, some of the challenges that had to be overcome, and how reliable exploitation was found to be possible before the issue was addressed in the latest firmware version.

Stack-based Buffer Overflow in login_mgr.cgi

Overview

Product
Affected Firmware Versions (without claim for completeness)
Ĭ565243660ddfd1778c8d4a56191880f547780f53cc11e50c4d3b20fadd01247
Unauthenticated Remote Code Execution (RCE) as root
Advanced Research Team, CrowdStrike Intelligence
Release Notes: “My Cloud Firmware Version 5.04.114”.
Knowledge Base Article: “How to Update to My Cloud OS 5”.

When assessing the attack surface of a device, one of the first steps is to enumerate its exposed network services. The following list shows services with opened TCP/UDP listeners running on the

root # netstat -tulpn
Active Internet connections (only servers)
Proto Local Address Foreign Address State PID/Program name














