Backdoor Account Removed from Western Digital NAS HDD [source: bleepingcomputer]
by CIRT Team
A security researcher is urging owners of Western Digital MyCloud NAS devices to update the firmware of their portable hard drives to fix a series of important security bugs he reported to the vendor, among which is an easily exploitable and wormable hardcoded (backdoor) account.
James Bercegay, a security researcher with GulfTech Research and Development, discovered and reported these flaws to Western Digital in June 2017.
The researcher published a detailed report last Wednesday after Western Digital released firmware updates.
RCE, backdoor, and a CSRF
The expansive report describes three main flaws that can be abused for different results. A short summary of all the flaws is available below, but for a more detailed analysis of each vulnerability readers should refer to Bercegay’s bug report:
1) Unrestricted file upload – A PHP file found on the WD MyCloud’s built-in web server allows an attacker to upload files to the device. Bercegay says he used this flaw to upload web shells to the device, which in turn granted him control over it.
2) Hardcoded backdoor account – An attacker can log into vulnerable WD MyCloud NAS devices using the username “mydlinkBRionyg” and the password “abc12345cba”. Bercegay says the backdoor doesn’t give attackers admin access, but he was able to exploit another flaw and get root permissions for the backdoor account.
3) CSRF (Cross-Site Request Forgery) – A CSRF bug that can be exploited for executing rogue commands on the device and for playing stupid pranks by resetting the device’s backend panel interface language.
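As an added example (not part of the original report or of Bercegay’s advisory), here is a small log check a defender could run against a NAS web-server access log to spot the two most serious issues above: logins with the hardcoded account named on the page and uploads of PHP files (the web-shell vector). The log line format, the endpoint paths and the sample lines are constructed for this example; the MyCloud’s real log format is not given on the page.

```python
import re
from typing import List, Tuple

# Hardcoded account reported by GulfTech for the WD MyCloud (name taken from the report).
BACKDOOR_USERS = {"mydlinkBRionyg"}

# Constructed log format (assumption for this example, not the device's real format):
#   "<client-ip> <method> <path> <status> [user=<name>] [file=<uploaded-filename>]"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: user=(?P<user>\S+))?(?: file=(?P<file>\S+))?$"
)

# Constructed sample lines; the /upload path is a placeholder, not a real MyCloud endpoint.
SAMPLE_LOG = [
    "192.0.2.10 GET /index.php 200 user=admin",
    "198.51.100.7 POST /login 200 user=mydlinkBRionyg",
    "198.51.100.7 POST /upload 200 user=mydlinkBRionyg file=shell.php",
    "192.0.2.11 POST /upload 200 user=admin file=photo.jpg",
    "not a log line",
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def analyse_line(line: str) -> List[str]:
    """Return the list of findings for one log line (empty list means nothing suspicious)."""
    m = LOG_RE.match(line.strip())
    if not m:
        # Unparseable lines are surfaced rather than silently dropped.
        return ["unparsed-line"]
    findings: List[str] = []
    if m["user"] in BACKDOOR_USERS:
        findings.append("backdoor-account-login")
    if m["method"] == "POST" and m["file"] and m["file"].lower().endswith(PHP_EXTENSIONS):
        findings.append("php-upload")
    return findings


def analyse_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, findings) for every line that produced a finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := analyse_line(line))]


if __name__ == "__main__":
    for n, findings in analyse_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(findings)}")
```

Any hit on the backdoor account is worth treating as a compromise indicator on unpatched firmware, since the account is fixed and not shown in the device’s user management.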