Multiple critical vulnerabilities in Western Digital TV Media Player

SEC Consult Vulnerability Lab Security Advisory < 20170518-0 >

=======================================================================

title: Multiple critical vulnerabilities

product: Western Digital TV Media Player

vulnerable version: 1.03.07

fixed version: -

CVE number: -

impact: Critical

homepage: www.wdc.com

found: 2017-01-17

by: Wan Ikram (Office Kuala Lumpur)

Fikri Fadzil (Office Kuala Lumpur)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

"Play all your videos, music and photos in virtually any file format,

including MKV, MP4, AVI, MPEG-4, MOV and more. Enjoy media stored on a USB or

network storage device and any computer on your network. Plus, stream the

latest online entertainment."

 

Source: products.wdc.com/library/AAG/ENG/4178-706348.pdf

 

 

Business recommendation:

------------------------

By combining the vulnerabilities documented in this advisory an attacker

can fully compromise a network which has the WDTV Media Player appliance

installed by using it as a jump-host to aid in further attacks.

 

SEC Consult recommends not to attach WDTV Media Player to the network until

a thorough security review has been performed by security professionals and

all identified issues have been resolved. The vendor was unresponsive and

did not provide a fix since January 2017!

 

 

Vulnerability overview/description:

-----------------------------------

The firmware does not validate the user input properly. Unauthenticated

attackers can pass specially crafted data to the entry points resulting in

the following vulnerabilities:

 

1. Unauthenticated Arbitrary File Upload

A malicious file can be uploaded into the webserver with no authentication

required. This is a critical vulnerability as it will lead to remote code execution.

 

2. Local File Inclusion (LFI)

With the existence of arbitrary file upload vulnerability, the impact of local

file inclusion can be leveraged to perform remote code execution. An

unauthenticated user in the same network is able to execute any uploaded

malicious file with the help of this vulnerability.

 

3. Cross Site Request Forgery (CSRF)

All executable files in the webserver are vulnerable to CSRF which allow an

attacker to forge any type of request to any file.

 

4. Private Key Embedded In Firmware

Shipping a private key in firmware will result to all users having the same

private key. This is an insecure practice as anyone who owns the private key

may use the same key to decrypt other users' data.

 

Also check out our blog regarding the "House of Keys" issue:

blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html

 

 

5. SQL Injection on SQLite Database

In the worst case, an attacker can exploit this vulnerability to create a

backdoor in the webserver.

 

6. Webserver Running with Root Privileges

The main binary (which contains the webserver and PHP) runs with root

privileges.

 

7. Login not protected against brute-force attacks

Despite only a password is needed to login (without username), this

vulnerability is considered high as there is no protection against brute force

attacks.

 

8. Full Path Disclosure

Due to improper input validation and weak webserver configuration, it is

possible for an attacker to retrieve the full path of the web directory.

 

 

Proof of concept:

-----------------

 

Western Digital did not provide any patches since January 2017. The proof

of concept URLs have been removed from this advisory for most issues.

 

 

1. Unauthenticated Arbitrary File Upload

There are two files that have been found vulnerable to this vulnerability to upload

a malicious PHP script to the device:

i) "/webserver/htdocs/web/jquery/uploader/uploadify.php"

ii) "/webserver/htdocs/upload.php"

 

The uploaded script can be executed via the Local File Inclusion vulnerability.

[PoC removed]

 

 

2. Local File Inclusion (LFI)

The PoC shown above in 1) is sufficient to prove that this vulnerability exists.

 

 

3. Cross Site Request Forgery (CSRF)

All publicly accessible scripts in the firmware were found to have no anti-CSRF

mechanisms implemented.

 

 

4. Private Key Embedded In Firmware

The private key used to encrypt communication via HTTPS protocol can be

retrieved from "/webserver/conf/server.key".

 

 

5. SQL Injection on SQLite Database

There are two parameters affected in "DB/connect2sqlite.php" namely:

i) entry_id

ii) lang_id

 

 

6. Webserver Running with Root Privileges

With root privileges granted to the webserver, the "passwd" and "shadow" files

can be retrieved from "/etc" directory via the other critical vulnerabilities.

As the result, below is the password hash for the OS-level user.

 

root:GIBxjIlMZhNb2:0:0:root:/:/bin/sh

 

 

7. Login is not protected against brute-force attacks

Below shows the cURL request to login into the firmware. A "yes" message will

be returned for a valid credential. On the other hand, a message "no" will be

returned for invalid credentials.

 

[PoC removed]

 

8. Full Path Disclosure

The full path can be retrieved by visiting below URL:

 

http:// $IP/DB/connect2sqlite.php

 

 

Vulnerable / tested versions:

-----------------------------

The following version has been tested and verified to be vulnerable. It is

assumed that earlier versions are affected as well:

 

1.03.07

 

Western Digital did not provide any information on which firmware versions

are affected.

 

 

Vendor contact timeline:

------------------------

2017-01-18: Contacting vendor through "WD Support - Create a Support Case"

page (https://support.wdc.com/support/case.aspx?lang=en).

Assigned ticket number - 011817-11728265.

2017-01-19: Vendor: replies to the ticket asking for more clarification.

2017-01-20: Replied to the vendor, requesting security contact and encryption

keys

2017-01-23: Vendor: "we don't have a security department that we could forward

this concern"

2017-01-23: Telling support that there seems to be a security contact by

referencing other WD advisories, requesting security contact again

2017-01-24: Vendor: asking for affected product name and firmware version.

2017-01-24: Providing list of affected product name and firmware versions,

requesting security contact again

2017-01-25: Vendor: informs us that they "have already escalated the case from

their back end team", they will update us.

2017-02-09: Requesting a status update

2017-02-10: Vendor (support): back end team is already informed, they will

follow up

2017-02-10: Vendor security contact emails us

2017-02-16: Asking for encryption information to send advisory

2017-02-16: Vendor (security contact): requests security advisory to be shared

over unencrypted channel

2017-02-20: Provided advisory and proof of concept through insecure channel as

requested

2017-02-21: Vendor (security contact): requesting extension of deadline to a

period of 90 days from the date of detail disclosure

2017-02-22: Informing the vendor that we grant extension of disclosure but not

from detail disclosure date (2017-02-20), but from initial contact

date (2017-01-18) as they could have reacted faster in the first

place

Set latest disclosure date to 2017-04-19 (no answer from vendor)

for the WDTV media player advisory.

2017-03-07: Public disclosure of first advisory regarding WD MyCloud

www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt

2017-03-13: Vendor: "The initial investigation from engineering is the web

server might be related to the WDTV dashboard or WD remote app usage"

Vendor requests more information on impact.

2017-03-22: Describing the critical impact of unauthenticated code execution

2017-03-22: Vendor forwards information to engineering teams

2017-05-09: Informing vendor of upcoming (and postponed) advisory release

(no answer)

2017-05-18: Public release of advisory

 

 

Solution:

---------

There is currently no update available from the vendor.

 

 

Workaround:

-----------

None

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Fikri Fadzil / @2017