My Cloud is a popular personal cloud storage unit that consumers can use to organize photos and videos. It hosts files but also has the ability to sync them with various cloud and web-based services. Research carried out by GulfTech researcher James Bercegay uncovered severe vulnerabilities, including an unrestricted file upload vulnerability. Exploiting this, an attacker can upload any file to the server that they choose.
But the real problem is the backdoor, which threat actors could use to gain control over the device, exfiltrate information and spread malware.
“The login functionality specifically looks for an admin user named ‘mydlinkBRionyg’ and will accept the password of ‘abc12345cba’ if found,” Bercegay said in a blog. “This is a classic backdoor. Simply login with the credentials that I just mentioned.” He added, “I easily could turn this backdoor into a root shell, and gain control of the affected device. A remote attacker could now execute any commands as root.”
The triviality of exploiting this issue makes it very dangerous and even wormable, he added.
“An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud,” he said.
In a proof of concept, he showed that such a malicious link could totally destroy a WDMyCloud without the need for any type of authentication whatsoever.
“There is nothing you can do about it except delete the file, as the credentials are hard-coded into the binary itself,” Bercegay said.
Interestingly, further research showed that the D-Link DNS-320L has the same hard-coded backdoor and the same file upload vulnerability. However, updated device firmware removed the backdoor in the D-Link devices back in 2014.
“It seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all. There are also other undeniable examples, such as misspelled function names and other anomalies that match up within both the WDMyCloud and the D-Link DNS-320L ShareCenter code,” Bercegay said.
There was a time frame in which both devices were vulnerable at the same time in the wild—roughly early 2014 to later in 2014.
“It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world, were both vulnerable at the same time, to the same backdoor, for a while,” noted Bercegay.
Aside from the file upload flaw and the backdoor, Bercegay also found that a cybercriminal could also cause a denial-of-service (DoS) attack using the web interface.
“[He] suggests that you could load a script (through one of the two security holes) that would constantly change the language setting on the device, so that users of its web interface would see it rendered in constantly changing languages,” explained Tony Hart, chief architect at Corero Network Security, via email. “However, since the security holes allow arbitrary files to be loaded and executed, then they could be used to load the Mirai virus (for example), making these NAS devices part of a Mirai botnet.”
He added, “It’s no secret that many IoT devices are poorly architected from a security perspective. Many have little or no security in place, making it simple for attackers to take control of them for malicious purposes. This makes them effectively sitting ducks, just waiting to be compromised and enslaved into a botnet for use in DDoS events.”