Western Digital TV Media Player 1.03.07 LFI / CSRF / File Upload

#200
Topic created · 1 Posts · 0 Views
  • Western Digital TV Media Player version 1.03.07 suffers from file upload, local file inclusion, cross site request forgery, private key issue, remote SQL injection, and other vulnerabilities.
    MD5 | 25bbe7a316a961b85fad5f438278159a
    Download

    SEC Consult Vulnerability Lab Security Advisory < 20170518-0 >  
    =======================================================================  
    title: Multiple critical vulnerabilities  
    product: Western Digital TV Media Player  
    vulnerable version: 1.03.07  
    fixed version: -  
    CVE number: -  
    impact: Critical  
    homepage: https://www.wdc.com  
    found: 2017-01-17  
    by: Wan Ikram (Office Kuala Lumpur)  
    Fikri Fadzil (Office Kuala Lumpur)  
    SEC Consult Vulnerability Lab  
    An integrated part of SEC Consult  
    Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
    Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
    https://www.sec-consult.com  
    =======================================================================  
    Vendor description:  
    -------------------  
    "Play all your videos, music and photos in virtually any file format,  
    including MKV, MP4, AVI, MPEG-4, MOV and more. Enjoy media stored on a USB or  
    network storage device and any computer on your network. Plus, stream the  
    latest online entertainment."  
    Source: http://products.wdc.com/library/AAG/ENG/4178-706348.pdf  
    Business recommendation:  
    ------------------------  
    By combining the vulnerabilities documented in this advisory an attacker  
    can fully compromise a network which has the WDTV Media Player appliance  
    installed by using it as a jump-host to aid in further attacks.  
    SEC Consult recommends not to attach WDTV Media Player to the network until  
    a thorough security review has been performed by security professionals and  
    all identified issues have been resolved. The vendor was unresponsive and  
    did not provide a fix since January 2017!  
    Vulnerability overview/description:  
    -----------------------------------  
    The firmware does not validate the user input properly. Unauthenticated  
    attackers can pass specially crafted data to the entry points resulting in  
    the following vulnerabilities:  
    1. Unauthenticated Arbitrary File Upload  
    A malicious file can be uploaded into the webserver with no authentication  
    required. This is a critical vulnerability as it will lead to remote code execution.  
    2. Local File Inclusion (LFI)  
    With the existence of arbitrary file upload vulnerability, the impact of local  
    file inclusion can be leveraged to perform remote code execution. An  
    unauthenticated  user in the same network is able to execute any uploaded  
    malicious file with the help of this vulnerability.  
    3. Cross Site Request Forgery (CSRF)  
    All executable files in the webserver are vulnerable to CSRF which allow an  
    attacker to forge any type of request to any file.  
    4. Private Key Embedded In Firmware  
    Shipping a private key in firmware will result to all users having the same  
    private key. This is an insecure practice as anyone who owns the private key  
    may use the same key to decrypt other users' data.  
    Also check out our blog regarding the "House of Keys" issue:  
    http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html  
    5. SQL Injection on SQLite Database  
    In the worst case, an attacker can exploit this vulnerability to create a  
    backdoor in the webserver.  
    6. Webserver Running with Root Privileges  
    The main binary (which contains the webserver and PHP) runs with root  
    privileges.  
    7. Login not protected against brute-force attacks  
    Despite only a password is needed to login (without username), this  
    vulnerability is considered high as there is no protection against brute force  
    attacks.  
    8. Full Path Disclosure  
    Due to improper input validation and weak webserver configuration, it is  
    possible for an attacker to retrieve the full path of the web directory.  
    Proof of concept:  
    -----------------  
    Western Digital did not provide any patches since January 2017. The proof  
    of concept URLs have been removed from this advisory for most issues.  
    1. Unauthenticated Arbitrary File Upload  
    There are two files that have been found vulnerable to this vulnerability to upload  
    a malicious PHP script to the device:  
    i) "/webserver/htdocs/web/jquery/uploader/uploadify.php"  
    ii) "/webserver/htdocs/upload.php"  
    The uploaded script can be executed via the Local File Inclusion vulnerability.  
    [PoC removed]  
    2. Local File Inclusion (LFI)  
    The PoC shown above in 1) is sufficient to prove that this vulnerability exists.  
    3. Cross Site Request Forgery (CSRF)  
    All publicly accessible scripts in the firmware were found to have no anti-CSRF  
    mechanisms implemented.  
    4. Private Key Embedded In Firmware  
    The private key used to encrypt communication via HTTPS protocol can be  
    retrieved from "/webserver/conf/server.key".  
    5. SQL Injection on SQLite Database  
    There are two parameters affected in "DB/connect2sqlite.php" namely:  
    i)  entry_id  
    ii) lang_id  
    6. Webserver Running with Root Privileges  
    With root privileges granted to the webserver, the "passwd" and "shadow" files  
    can be retrieved from "/etc" directory via the other critical vulnerabilities.  
    As the result, below is the password hash for the OS-level user.  
    root:GIBxjIlMZhNb2:0:0:root:/:/bin/sh  
    7. Login is not protected against brute-force attacks  
    Below shows the cURL request to login into the firmware. A "yes" message will  
    be returned for a valid credential. On the other hand, a message "no" will be  
    returned for invalid credentials.  
    [PoC removed]  
    8. Full Path Disclosure  
    The full path can be retrieved by visiting below URL:  
    http://$IP/DB/connect2sqlite.php  
    Vulnerable / tested versions:  
    -----------------------------  
    The following version has been tested and verified to be vulnerable. It is  
    assumed that earlier versions are affected as well:  
    1.03.07  
    Western Digital did not provide any information on which firmware versions  
    are affected.  
    Vendor contact timeline:  
    ------------------------  
    2017-01-18: Contacting vendor through "WD Support - Create a Support Case"  
    page (https://support.wdc.com/support/case.aspx?lang=en).  
    Assigned ticket number - 011817-11728265.  
    2017-01-19: Vendor: replies to the ticket asking for more clarification.  
    2017-01-20: Replied to the vendor, requesting security contact and encryption  
    keys  
    2017-01-23: Vendor: "we don't have a security department that we could forward  
    this concern"  
    2017-01-23: Telling support that there seems to be a security contact by  
    referencing other WD advisories, requesting security contact again  
    2017-01-24: Vendor: asking for affected product name and firmware version.  
    2017-01-24: Providing list of affected product name and firmware versions,  
    requesting security contact again  
    2017-01-25: Vendor: informs us that they "have already escalated the case from  
    their back end team", they will update us.  
    2017-02-09: Requesting a status update  
    2017-02-10: Vendor (support): back end team is already informed, they will  
    follow up  
    2017-02-10: Vendor security contact emails us  
    2017-02-16: Asking for encryption information to send advisory  
    2017-02-16: Vendor (security contact): requests security advisory to be shared  
    over unencrypted channel  
    2017-02-20: Provided advisory and proof of concept through insecure channel as  
    requested  
    2017-02-21: Vendor (security contact): requesting extension of deadline to a  
    period of 90 days from the date of detail disclosure  
    2017-02-22: Informing the vendor that we grant extension of disclosure but not  
    from detail disclosure date (2017-02-20), but from initial contact  
    date (2017-01-18) as they could have reacted faster in the first  
    place  
    Set latest disclosure date to 2017-04-19 (no answer from vendor)  
    for the WDTV media player advisory.  
    2017-03-07: Public disclosure of first advisory regarding WD MyCloud  
    https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt  
    2017-03-13: Vendor: "The initial investigation from engineering is the web  
    server might be related to the WDTV dashboard or WD remote app usage"  
    Vendor requests more information on impact.  
    2017-03-22: Describing the critical impact of unauthenticated code execution  
    2017-03-22: Vendor forwards information to engineering teams  
    2017-05-09: Informing vendor of upcoming (and postponed) advisory release  
    (no answer)  
    2017-05-18: Public release of advisory  
    Solution:  
    ---------  
    There is currently no update available from the vendor.  
    Workaround:  
    -----------  
    None  
    Advisory URL:  
    -------------  
    https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    SEC Consult Vulnerability Lab  
    SEC Consult  
    Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
    Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
    About SEC Consult Vulnerability Lab  
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
    ensures the continued knowledge gain of SEC Consult in the field of network  
    and application security to stay ahead of the attacker. The SEC Consult  
    Vulnerability Lab supports high-quality penetration testing and the evaluation  
    of new offensive and defensive technologies for our customers. Hence our  
    customers obtain the most current information about vulnerabilities and valid  
    recommendation about the risk profile of new technologies.  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    Interested to work with the experts of SEC Consult?  
    Send us your application https://www.sec-consult.com/en/Career.htm  
    Interested in improving your cyber security with the experts of SEC Consult?  
    Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    Mail: research at sec-consult dot com  
    Web: https://www.sec-consult.com  
    Blog: http://blog.sec-consult.com  
    Twitter: https://twitter.com/sec_consult  
    EOF Fikri Fadzil / @2017  
    

    Source: packetstormsecurity.com

Log in to reply