Western Digital TV Media Player 1.03.07 LFI / CSRF / File Upload

Western Digital TV Media Player version 1.03.07 suffers from file upload, local file inclusion, cross site request forgery, private key issue, remote SQL injection, and other vulnerabilities.


MD5 | 25bbe7a316a961b85fad5f438278159a

SEC Consult Vulnerability Lab Security Advisory < 20170518-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Western Digital TV Media Player
vulnerable version: 1.03.07
fixed version: -
CVE number: -
impact: Critical
homepage: https://www.wdc.com
found: 2017-01-17
by: Wan Ikram (Office Kuala Lumpur)
Fikri Fadzil (Office Kuala Lumpur)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Play all your videos, music and photos in virtually any file format,
including MKV, MP4, AVI, MPEG-4, MOV and more. Enjoy media stored on a USB or
network storage device and any computer on your network. Plus, stream the
latest online entertainment."

Source: http://products.wdc.com/library/AAG/ENG/4178-706348.pdf


Business recommendation:
------------------------
By combining the vulnerabilities documented in this advisory an attacker
can fully compromise a network which has the WDTV Media Player appliance
installed by using it as a jump-host to aid in further attacks.

SEC Consult recommends not to attach WDTV Media Player to the network until
a thorough security review has been performed by security professionals and
all identified issues have been resolved. The vendor was unresponsive and
did not provide a fix since January 2017!


Vulnerability overview/description:
-----------------------------------
The firmware does not validate the user input properly. Unauthenticated
attackers can pass specially crafted data to the entry points resulting in
the following vulnerabilities:

1. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver with no authentication
required. This is a critical vulnerability as it will lead to remote code execution.

2. Local File Inclusion (LFI)
With the existence of arbitrary file upload vulnerability, the impact of local
file inclusion can be leveraged to perform remote code execution. An
unauthenticated user in the same network is able to execute any uploaded
malicious file with the help of this vulnerability.

3. Cross Site Request Forgery (CSRF)
All executable files in the webserver are vulnerable to CSRF which allow an
attacker to forge any type of request to any file.

4. Private Key Embedded In Firmware
Shipping a private key in firmware will result to all users having the same
private key. This is an insecure practice as anyone who owns the private key
may use the same key to decrypt other users' data.

Also check out our blog regarding the "House of Keys" issue:
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html


5. SQL Injection on SQLite Database
In the worst case, an attacker can exploit this vulnerability to create a
backdoor in the webserver.

6. Webserver Running with Root Privileges
The main binary (which contains the webserver and PHP) runs with root
privileges.

7. Login not protected against brute-force attacks
Despite only a password is needed to login (without username), this
vulnerability is considered high as there is no protection against brute force
attacks.

8. Full Path Disclosure
Due to improper input validation and weak webserver configuration, it is
possible for an attacker to retrieve the full path of the web directory.


Proof of concept:
-----------------

Western Digital did not provide any patches since January 2017. The proof
of concept URLs have been removed from this advisory for most issues.


1. Unauthenticated Arbitrary File Upload
There are two files that have been found vulnerable to this vulnerability to upload
a malicious PHP script to the device:
i) "/webserver/htdocs/web/jquery/uploader/uploadify.php"
ii) "/webserver/htdocs/upload.php"

The uploaded script can be executed via the Local File Inclusion vulnerability.
[PoC removed]


2. Local File Inclusion (LFI)
The PoC shown above in 1) is sufficient to prove that this vulnerability exists.


3. Cross Site Request Forgery (CSRF)
All publicly accessible scripts in the firmware were found to have no anti-CSRF
mechanisms implemented.


4. Private Key Embedded In Firmware
The private key used to encrypt communication via HTTPS protocol can be
retrieved from "/webserver/conf/server.key".


5. SQL Injection on SQLite Database
There are two parameters affected in "DB/connect2sqlite.php" namely:
i) entry_id
ii) lang_id


6. Webserver Running with Root Privileges
With root privileges granted to the webserver, the "passwd" and "shadow" files
can be retrieved from "/etc" directory via the other critical vulnerabilities.
As the result, below is the password hash for the OS-level user.

root:GIBxjIlMZhNb2:0:0:root:/:/bin/sh


7. Login is not protected against brute-force attacks
Below shows the cURL request to login into the firmware. A "yes" message will
be returned for a valid credential. On the other hand, a message "no" will be
returned for invalid credentials.

[PoC removed]

8. Full Path Disclosure
The full path can be retrieved by visiting below URL:

http://$IP/DB/connect2sqlite.php


Vulnerable / tested versions:
-----------------------------
The following version has been tested and verified to be vulnerable. It is
assumed that earlier versions are affected as well:

1.03.07

Western Digital did not provide any information on which firmware versions
are affected.


Vendor contact timeline:
------------------------
2017-01-18: Contacting vendor through "WD Support - Create a Support Case"
page (https://support.wdc.com/support/case.aspx?lang=en).
Assigned ticket number - 011817-11728265.
2017-01-19: Vendor: replies to the ticket asking for more clarification.
2017-01-20: Replied to the vendor, requesting security contact and encryption
keys
2017-01-23: Vendor: "we don't have a security department that we could forward
this concern"
2017-01-23: Telling support that there seems to be a security contact by
referencing other WD advisories, requesting security contact again
2017-01-24: Vendor: asking for affected product name and firmware version.
2017-01-24: Providing list of affected product name and firmware versions,
requesting security contact again
2017-01-25: Vendor: informs us that they "have already escalated the case from
their back end team", they will update us.
2017-02-09: Requesting a status update
2017-02-10: Vendor (support): back end team is already informed, they will
follow up
2017-02-10: Vendor security contact emails us
2017-02-16: Asking for encryption information to send advisory
2017-02-16: Vendor (security contact): requests security advisory to be shared
over unencrypted channel
2017-02-20: Provided advisory and proof of concept through insecure channel as
requested
2017-02-21: Vendor (security contact): requesting extension of deadline to a
period of 90 days from the date of detail disclosure
2017-02-22: Informing the vendor that we grant extension of disclosure but not
from detail disclosure date (2017-02-20), but from initial contact
date (2017-01-18) as they could have reacted faster in the first
place
Set latest disclosure date to 2017-04-19 (no answer from vendor)
for the WDTV media player advisory.
2017-03-07: Public disclosure of first advisory regarding WD MyCloud

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt
2017-03-13: Vendor: "The initial investigation from engineering is the web
server might be related to the WDTV dashboard or WD remote app usage"
Vendor requests more information on impact.
2017-03-22: Describing the critical impact of unauthenticated code execution
2017-03-22: Vendor forwards information to engineering teams
2017-05-09: Informing vendor of upcoming (and postponed) advisory release
(no answer)
2017-05-18: Public release of advisory


Solution:
---------
There is currently no update available from the vendor.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Fikri Fadzil / @2017


Related Posts