SEC Consult Vulnerability Lab Security Advisory < 20170518-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Western Digital TV Media Player
 vulnerable version: 1.03.07
      fixed version: -
         CVE number: -
             impact: Critical
           homepage: https://www.wdc.com
              found: 2017-01-17
                 by: Wan Ikram (Office Kuala Lumpur)
                     Fikri Fadzil (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Play all your videos, music and photos in virtually any file format,
including MKV, MP4, AVI, MPEG-4, MOV and more. Enjoy media stored on a
USB or network storage device and any computer on your network. Plus,
stream the latest online entertainment."

Source: http://products.wdc.com/library/AAG/ENG/4178-706348.pdf


Business recommendation:
------------------------
By combining the vulnerabilities documented in this advisory an attacker
can fully compromise a network which has the WDTV Media Player appliance
installed, by using it as a jump host to aid in further attacks.

SEC Consult recommends not attaching the WDTV Media Player to the
network until a thorough security review has been performed by security
professionals and all identified issues have been resolved.

The vendor was unresponsive and has not provided a fix since January 2017!


Vulnerability overview/description:
-----------------------------------
The firmware does not validate user input properly. Unauthenticated
attackers can pass specially crafted data to the entry points, resulting
in the following vulnerabilities:

1. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded to the webserver with no authentication
required.
This is a critical vulnerability as it leads to remote code execution.

2. Local File Inclusion (LFI)
Combined with the arbitrary file upload vulnerability, the local file
inclusion can be leveraged to achieve remote code execution. An
unauthenticated user on the same network is able to execute any uploaded
malicious file with the help of this vulnerability.

3. Cross Site Request Forgery (CSRF)
All executable files on the webserver are vulnerable to CSRF, which
allows an attacker to forge any type of request to any file.

4. Private Key Embedded In Firmware
Shipping a private key in the firmware results in all users having the
same private key. This is an insecure practice, as anyone who owns the
private key may use it to decrypt other users' data. Also check out our
blog regarding the "House of Keys" issue:
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html

5. SQL Injection on SQLite Database
In the worst case, an attacker can exploit this vulnerability to create a
backdoor on the webserver.

6. Webserver Running with Root Privileges
The main binary (which contains the webserver and PHP) runs with root
privileges.

7. Login not protected against brute-force attacks
Although only a password is needed to log in (no username), this
vulnerability is considered high as there is no protection against
brute-force attacks.

8. Full Path Disclosure
Due to improper input validation and weak webserver configuration, it is
possible for an attacker to retrieve the full path of the web directory.


Proof of concept:
-----------------
Western Digital has not provided any patches since January 2017. The
proof of concept URLs have been removed from this advisory for most
issues.

1. Unauthenticated Arbitrary File Upload
Two files were found to allow uploading a malicious PHP script to the
device:
i)  "/webserver/htdocs/web/jquery/uploader/uploadify.php"
ii) "/webserver/htdocs/upload.php"
The uploaded script can be executed via the Local File Inclusion
vulnerability.
[PoC removed]

2. Local File Inclusion (LFI)
The PoC described in 1) is sufficient to prove that this vulnerability
exists.

3. Cross Site Request Forgery (CSRF)
None of the publicly accessible scripts in the firmware implement an
anti-CSRF mechanism.

4. Private Key Embedded In Firmware
The private key used to secure HTTPS communication can be retrieved from
"/webserver/conf/server.key".

5. SQL Injection on SQLite Database
Two parameters in "DB/connect2sqlite.php" are affected, namely:
i)  entry_id
ii) lang_id

6. Webserver Running with Root Privileges
Because the webserver runs with root privileges, the "passwd" and
"shadow" files can be retrieved from the "/etc" directory via the other
critical vulnerabilities. As a result, the password hash of the OS-level
user could be obtained:
root:GIBxjIlMZhNb2:0:0:root:/:/bin/sh

7. Login is not protected against brute-force attacks
The cURL request used to log in to the device returns a "yes" message
for a valid credential and "no" for invalid credentials.
[PoC removed]

8. Full Path Disclosure
The full path can be retrieved by visiting the following URL:
http://$IP/DB/connect2sqlite.php


Vulnerable / tested versions:
-----------------------------
The following version has been tested and verified to be vulnerable. It
is assumed that earlier versions are affected as well:
1.03.07

Western Digital did not provide any information on which firmware
versions are affected.
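Issues 1 and 2 above chain an unauthenticated upload with a local file inclusion. The following PHP is an added example written for this page, not code from the WDTV firmware or from SEC Consult, showing the upload and include patterns that close both: the file type is decided from the bytes, the stored name and extension are chosen by the server, the storage directory sits outside the document root, and the include target comes from a fixed map rather than from a request parameter. The storage path, the type allow-list and the template map are assumptions chosen for illustration.

```php
<?php
// Added example (not the WDTV firmware's own code): a hardened upload
// handler and an include resolver. The storage directory, the allowed
// types and the template map are assumptions made for illustration.

declare(strict_types=1);

// Uploads live outside the document root, so nothing stored here can be
// reached by a URL, let alone executed by the PHP engine.
const UPLOAD_DIR = '/var/lib/wdtv-example/uploads'; // assumed location

// Only media types the device actually needs; a PHP script is never an
// acceptable upload regardless of what the client names it.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one entry of $_FILES and return the path it was stored under.
 * Any violation throws instead of silently accepting the file.
 */
function storeUpload(array $file, string $dir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 5 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the content, not from the client-supplied
    // filename or Content-Type, both of which the sender controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('unsupported file type');
    }
    // Server-chosen random name and server-chosen extension: the original
    // filename never touches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // data only, never executable
    return $dest;
}

/**
 * Map a page name to a template path. A fixed map replaces the pattern
 * "include $_GET['page']": no user-controlled path fragment, no traversal,
 * and an uploaded file can never become an include target.
 */
function resolveTemplate(string $page): string
{
    $templates = [                                   // assumed template set
        'home'     => __DIR__ . '/templates/home.php',
        'settings' => __DIR__ . '/templates/settings.php',
    ];
    if (!isset($templates[$page])) {
        throw new InvalidArgumentException('unknown page');
    }
    return $templates[$page];
}

// Usage inside a request handler. Authentication is checked first, so an
// anonymous client never reaches the upload code at all; errors produce a
// generic status with no path or stack trace in the body.
if (empty($_SESSION['authenticated'])) {
    http_response_code(401);
    exit;
}
try {
    $stored = storeUpload($_FILES['media'] ?? []);
    include resolveTemplate($_GET['page'] ?? 'home');
} catch (Throwable $e) {
    error_log($e->getMessage());   // details go to the log, not the client
    http_response_code(400);
    echo 'request rejected';
}
```

The two halves reinforce each other: even if a future bug let a file with an unexpected name through, it would sit outside the web root with no execute bit and could not be named in an include, so the upload-then-include chain described in items 1 and 2 has no path left.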
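Item 5 names the entry_id and lang_id parameters of DB/connect2sqlite.php. As an added example, not code from the firmware or from the advisory authors, the following PHP puts the string-concatenation query pattern that produces such an injection next to a parameterized PDO query, and runs both against an in-memory SQLite database with constructed rows so the difference is visible. The entries table and its columns are assumptions made for illustration.

```php
<?php
// Added example, not the firmware's code. The table "entries" and its
// columns are assumptions; the parameter names come from the advisory.

declare(strict_types=1);

// Vulnerable pattern: request values are spliced into the SQL text, so a
// value like "1 OR 1=1" changes the query instead of being compared.
function lookupEntryVulnerable(PDO $db, string $entryId, string $langId): array
{
    $sql = "SELECT title FROM entries WHERE entry_id = $entryId AND lang_id = '$langId'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is constant, values travel as bound
// parameters, and each input is checked against the shape it must have.
function lookupEntry(PDO $db, string $entryId, string $langId): array
{
    if (!ctype_digit($entryId)) {
        throw new InvalidArgumentException('entry_id must be numeric');
    }
    if (!preg_match('/^[a-z]{2}$/', $langId)) {
        throw new InvalidArgumentException('lang_id must be a two-letter code');
    }
    $stmt = $db->prepare(
        'SELECT title FROM entries WHERE entry_id = :entry AND lang_id = :lang'
    );
    $stmt->bindValue(':entry', (int) $entryId, PDO::PARAM_INT);
    $stmt->bindValue(':lang', $langId, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demonstration on an in-memory SQLite database with
// constructed sample rows.
function demo(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entries (entry_id INTEGER, lang_id TEXT, title TEXT)');
    $db->exec("INSERT INTO entries VALUES (1, 'en', 'Movies'), (2, 'en', 'Hidden')");

    // The tautology widens the WHERE clause: every English row comes back,
    // not just entry 1.
    $rows = lookupEntryVulnerable($db, '1 OR 1=1', 'en');
    echo 'vulnerable query returned ' . count($rows) . " rows\n";

    // The same input never reaches SQL in the hardened version.
    try {
        lookupEntry($db, '1 OR 1=1', 'en');
    } catch (InvalidArgumentException $e) {
        echo 'hardened query rejected input: ' . $e->getMessage() . "\n";
    }

    // A well-formed request still works and returns only the matching row.
    $rows = lookupEntry($db, '1', 'en');
    echo 'hardened query returned ' . count($rows) . " row(s)\n";
}

demo();
```

The input checks are a second line of defence, not the primary one: the bound parameters alone already stop the injection, and the checks only make sure that obviously malformed values are refused early with a clear error.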
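Items 3, 7 and 8 all concern the same request path: a login that accepts a forged request, allows unlimited password guesses and, on error, reveals the web directory. The PHP below is an added example written for this page, not code from the firmware or from the advisory authors. It keeps the "yes"/"no" responses the advisory observed and adds a per-session anti-CSRF token compared in constant time, a per-client lockout after repeated failures, and error reporting routed to the log instead of the response. The password store, the lockout thresholds, the session layout and the client addresses in the demonstration are assumptions.

```php
<?php
// Added example, not the WDTV firmware's own code. Thresholds, the session
// layout and the password store are assumptions made for illustration.

declare(strict_types=1);

const MAX_ATTEMPTS    = 5;    // assumed: failures before a lockout starts
const LOCKOUT_SECONDS = 300;  // assumed: lockout length

/** Return the session's anti-CSRF token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Constant-time comparison of the submitted token with the session's. */
function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'], $submitted)
        && hash_equals($session['csrf'], $submitted);
}

/**
 * Brute-force throttle keyed on the client address. $store stands in for
 * any persistent map (APCu, a file, a small table); a plain array is used
 * so the example runs stand-alone.
 */
function isLockedOut(array $store, string $client, int $now): bool
{
    $entry = $store[$client] ?? ['fails' => 0, 'until' => 0];
    return $entry['fails'] >= MAX_ATTEMPTS && $now < $entry['until'];
}

function recordFailure(array &$store, string $client, int $now): void
{
    $entry = $store[$client] ?? ['fails' => 0, 'until' => 0];
    $entry['fails']++;
    if ($entry['fails'] >= MAX_ATTEMPTS) {
        $entry['until'] = $now + LOCKOUT_SECONDS;
    }
    $store[$client] = $entry;
}

/**
 * Handle one POSTed login and return [status, body]: 403 for a missing or
 * wrong CSRF token, 429 while locked out, 401 for a wrong password, 200 on
 * success. Every failure carries the same body, so neither the reason nor
 * any file path leaks to the client.
 */
function handleLogin(array $post, array &$session, array &$store,
                     string $client, string $passwordHash, int $now): array
{
    if (!csrfValid($session, $post['csrf'] ?? null)) {
        return [403, 'no'];
    }
    if (isLockedOut($store, $client, $now)) {
        return [429, 'no'];
    }
    if (!password_verify($post['password'] ?? '', $passwordHash)) {
        recordFailure($store, $client, $now);
        return [401, 'no'];
    }
    unset($store[$client]);            // a success clears the counter
    $session['authenticated'] = true;
    return [200, 'yes'];
}

// Full path disclosure (item 8) is a configuration matter: in production
// PHP errors go to the log and never into the response body.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Stand-alone demonstration with constructed data.
$session = [];
$store   = [];
$hash    = password_hash('correct horse', PASSWORD_DEFAULT); // constructed secret
$token   = csrfToken($session);
$client  = '10.0.0.5';                                        // constructed address

// A forged request without the token is refused before any password check.
[$code] = handleLogin(['password' => 'correct horse'], $session, $store, $client, $hash, 1000);
echo "without token: $code\n";

// Five wrong guesses with a valid token trip the lockout.
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    handleLogin(['csrf' => $token, 'password' => "guess$i"], $session, $store, $client, $hash, 1000 + $i);
}
[$code] = handleLogin(['csrf' => $token, 'password' => 'correct horse'], $session, $store, $client, $hash, 1010);
echo "while locked out, even the right password: $code\n";

// Once the lockout has expired the correct password succeeds.
[$code, $body] = handleLogin(['csrf' => $token, 'password' => 'correct horse'], $session, $store, $client, $hash, 1010 + LOCKOUT_SECONDS);
echo "after lockout: $code $body\n";
```

The CSRF check runs before the password check so that a forged request can neither log in nor consume the victim's attempt budget, and the lockout is keyed on the client rather than on the (single, username-less) account so a remote guesser cannot lock the legitimate user out of the device. Running the webserver as root (item 6) is outside what a handler can fix; it needs the binary started under a dedicated unprivileged account.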
Vendor contact timeline:
------------------------
2017-01-18: Contacting vendor through "WD Support - Create a Support Case"
            page (https://support.wdc.com/support/case.aspx?lang=en).
            Assigned ticket number - 011817-11728265.
2017-01-19: Vendor: replies to the ticket asking for more clarification.
2017-01-20: Replied to the vendor, requesting security contact and
            encryption keys
2017-01-23: Vendor: "we don't have a security department that we could
            forward this concern"
2017-01-23: Telling support that there seems to be a security contact by
            referencing other WD advisories, requesting security contact
            again
2017-01-24: Vendor: asking for affected product name and firmware version.
2017-01-24: Providing list of affected product names and firmware
            versions, requesting security contact again
2017-01-25: Vendor: informs us that they "have already escalated the case
            from their back end team", they will update us.
2017-02-09: Requesting a status update
2017-02-10: Vendor (support): back end team is already informed, they
            will follow up
2017-02-10: Vendor security contact emails us
2017-02-16: Asking for encryption information to send advisory
2017-02-16: Vendor (security contact): requests security advisory to be
            shared over unencrypted channel
2017-02-20: Provided advisory and proof of concept through insecure
            channel as requested
2017-02-21: Vendor (security contact): requesting extension of deadline
            to a period of 90 days from the date of detail disclosure
2017-02-22: Informing the vendor that we grant an extension of disclosure,
            but counted from the initial contact date (2017-01-18) rather
            than from the detail disclosure date (2017-02-20), as they
            could have reacted faster in the first place. Set latest
            disclosure date to 2017-04-19 (no answer from vendor) for the
            WDTV media player advisory.
2017-03-07: Public disclosure of first advisory regarding WD MyCloud
            https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt
2017-03-13: Vendor: "The initial investigation from engineering is the web
            server might be related to the WDTV dashboard or WD remote app
            usage"
            Vendor requests more information on impact.
2017-03-22: Describing the critical impact of unauthenticated code
            execution
2017-03-22: Vendor forwards information to engineering teams
2017-05-09: Informing vendor of upcoming (and postponed) advisory release
            (no answer)
2017-05-18: Public release of advisory


Solution:
---------
There is currently no update available from the vendor.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about
vulnerabilities and valid recommendations about the risk profile of new
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Fikri Fadzil / @2017
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/