Exploiting (and Patching) a Zero Day RCE Vulnerability in a Western Digital NAS

Flashback Team
39,917 views

Learn tricks and techniques like these, with us, in our amazing training courses!
flashback.sh/training
In this video we show you how we found, exploited and patched a chain of zero day vulnerabilities in a Western Digital (WD) Network Attached Storage (NAS) device. This chain allows an unauthenticated attacker to execute code as root and install a permanent backdoor on the NAS.
0:00 Intro
0:41 Why Drop A Zero Day?
2:51 Overview Of WD PR4100 NAS
4:01 OS3 vs OS5
5:18 Recon And Password Cracking
7:02 API Introduction
8:45 Accessing Auth API (Vulnerability #1)
10:07 Firmware Update (Vulnerability #2)
15:48 Exploit Walkthrough
18:32 Exploit Execution
19:56 Patching Vulnerability #2
22:41 Downgrading OS5 To OS3
24:07 One Week Update
The vulnerabilities affect most of the WD NAS line-up running the OS3 firmware and are unpatched as of 2021/02/25. The newer OS5 firmware is not vulnerable. OS3 is in limbo: it is not clear whether WD still supports it, but WD's official response to a security advisory in November 2020 seems to indicate that it is out of support.
Please keep safe: do not expose your NAS to the Internet. If your device supports OS5, upgrade to it; otherwise you can use our patch to fix it, which must be reapplied after every reboot.
Our patch can be found at:
github.com/pedrib/PoC/blob/ma...
github.com/rdomanski/Exploits...
The full advisory detailing the vulnerabilities can be found here: www.flashback.sh/blog/weekend...
CVE-2021-36224: Hard-coded User Credentials
CVE-2021-36225: Firmware Upgrade Can be Initiated by Low Privilege User
CVE-2021-36226: No Cryptographic Verification of Firmware Upgrades
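To make the chain concrete, here is an added Go example, written for this page rather than taken from Flashback Team's exploit or patch or from WD's firmware. It models the OS3 upgrade endpoint as the description characterises it (any authenticated session may start an upgrade, and the image is applied with no cryptographic check) beside a hardened version that demands an administrator session and an Ed25519 signature from a pinned vendor key. The session/role model, the signing scheme, the function names and the sample images are assumptions for the example; the real API and image format are in the advisory linked above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role is the privilege level of an API session. The OS3 API has its own user
// model; these two roles are an assumption made for this example only.
type Role int

const (
	RoleNobody Role = iota // low-privilege account, modelled on the hard-coded "nobody" user
	RoleAdmin
)

// Session is what the API knows about the caller after authentication.
type Session struct {
	User string
	Role Role
}

// FirmwareImage is an upgrade payload plus a detached Ed25519 signature made
// with the vendor's release key. An unsigned image has an empty Signature.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrUnauthenticated = errors.New("no session")
	ErrNotAdmin        = errors.New("firmware upgrade requires an administrator session")
	ErrBadSignature    = errors.New("firmware image signature missing or invalid")
)

// vulnerableUpgrade mirrors the two weaknesses described on the page: any
// authenticated session may start an upgrade (CVE-2021-36225) and the image is
// accepted without cryptographic verification (CVE-2021-36226). Once the
// hard-coded credentials (CVE-2021-36224) hand an attacker a session, this is
// enough to flash a backdoored image that then runs as root.
func vulnerableUpgrade(s Session, img FirmwareImage) error {
	if s.User == "" {
		return ErrUnauthenticated
	}
	return nil // image would be flashed here
}

// hardenedUpgrade closes both holes: only an administrator may upgrade, and the
// image must verify against the vendor public key pinned in the firmware.
func hardenedUpgrade(s Session, img FirmwareImage, vendorPub ed25519.PublicKey) error {
	if s.User == "" {
		return ErrUnauthenticated
	}
	if s.Role != RoleAdmin {
		return ErrNotAdmin
	}
	// ed25519.Verify panics on a malformed public key, so check lengths up
	// front instead of trusting the request to be well-formed.
	if len(vendorPub) != ed25519.PublicKeySize || len(img.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(vendorPub, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil // image would be flashed here
}

// signImage is the vendor-side build step: sign the whole image with the
// release private key. Ed25519 hashes the message internally, so the payload
// is signed directly rather than via a separate digest.
func signImage(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample images; real OS3 images are far larger.
	genuine := signImage(priv, []byte("wd-os3-release-image"))
	backdoored := FirmwareImage{Payload: []byte("wd-os3-image-with-backdoor")}
	nobody := Session{User: "nobody", Role: RoleNobody}
	admin := Session{User: "admin", Role: RoleAdmin}

	fmt.Println("vulnerable, nobody + unsigned image:", vulnerableUpgrade(nobody, backdoored))
	fmt.Println("hardened,   nobody + unsigned image:", hardenedUpgrade(nobody, backdoored, pub))
	fmt.Println("hardened,   admin  + unsigned image:", hardenedUpgrade(admin, backdoored, pub))
	fmt.Println("hardened,   admin  + signed image:  ", hardenedUpgrade(admin, genuine, pub))
}
```

The order of checks matters: the privilege check runs before any work is done on the image, so the low-privilege account never reaches the signature path, and the signature check runs before the image is parsed or written, so a tampered or unsigned image is rejected without touching flash. A per-reboot patch like the one described above can only add such checks at the API layer; only a vendor-signed firmware with a pinned key closes the third CVE at the root.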
Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.
~ Flashback Team
flashback.sh
/ flashbackpwn

Comments: 43
@Maher-h 2 years ago
WD was clear when they said NOBODY can access ur data without ur password
@ttrss 1 year ago
😂😂
@johntoterhi6293 3 years ago
Can’t argue with Larry! You guys are the most entertaining people on KZbin right now.
@FlashbackTeam 3 years ago
That's quite a compliment, we appreciate it :D
@Dom-xd4lq 2 years ago
Congratulations on being no.1 on hacker news 🎉
@puniaze9468 3 years ago
The Comparitech research shown in the video belongs to me. After my 5 RCE vulns, they started working on OS5 :D BTW good catch 👍
@piffdos 1 year ago
Great video Flashback Team, I waited so long to watch this and it was... painful to watch. I had my exploit chain get knocked out in the OS5 release and couldn't find a new chain in time for Pwn2Own. Watching this video showed me I was so close: I had discovered the nobody user and the API, but didn't catch that you could auth to that particular API call as the nobody user. That was a really good find!
@nickcastaldi1900 9 months ago
Do you know how he found auth_username and auth_password? I didn't see that in the code shown and I didn't look too hard at any documented REST schematics.
@aaryanbhagat4852 2 years ago
Enjoying your content, please upload more!
@ndupontnet 2 years ago
You can actually make any change permanent by means of a custom script to be executed by a cron; it's just a matter of including it in /usr/local/config/config.xml. Your script can be stored in /usr/local/config, and should ideally only be able to run once after boot, a bit like the /tmp/boot_finished file that is created by the firmware upon boot. EDIT: I've been using that thing since 2015; Optware-NG installed on a USB flash drive is a nice addition.
@HK-sw3vi 3 years ago
awesome... please keep em coming
@cyber1377 3 years ago
I can't think of why you would allow someone to do something as important as update firmware remotely, nice job guys!
@FlashbackTeam 3 years ago
We strongly believe that was an oversight and not a design decision!
@0x80O0oOverfl0w 2 years ago
Wow, not every day the vendor provides the tools to build a malicious firmware update, thanks WD!!! Nice videos and awesome explanations, looking forward to watching the rest of your videos. I have an upcoming assessment of a device for work so I'm hoping I can put some of this content to good use.
@GeorgeValkov 1 year ago
My router is advertised as open-source, so they have to provide that. Then of course people use that to make sure OpenWRT works and no one uses the original firmware. There is a populated UART header and holes to add a JTAG connector. Perfect for development.
@GeorgeValkov 1 year ago
This product allows 3rd party software to be installed. This requires a build environment, hence the open source.
@GRo0t 3 years ago
Excellent
@Aporlorxl23 3 years ago
Awesome
@CJ-ew8df 2 years ago
Great find guys! Could the recovery mode be accessible without UART by calculating the time it takes to load the GRUB bootloader and then hitting down and enter on an external HID device / USB keyboard? An Arduino could be programmed to perfect the timing. I guess it depends on whether HID devices are detected.
@FlashbackTeam 2 years ago
Yeah interesting question. We didn't try it. If you have the possibility try it and let us know!
@SolveElectronics 1 year ago
Does the script run automatically at boot, or must you run it at boot? It wasn't clear when you said "automated shell script that needs to be run at every boot". If it's not automated, then you could automate it with a cron job.
@thefastjojo 3 years ago
good content as always, time to migrate to FreeNAS with Rasp
@Valet2 1 year ago
Is it safe to be exposed to the internet?
@0xrusty 1 year ago
How can I work like you? What resources can I learn from?
@aaryanbhagat4852 2 years ago
Can you tell me where can I get your flashback-wordlist, if it is for public use at all?
@FlashbackTeam 2 years ago
It's not public yet. We have scheduled to publish it in the future.
@ziomalZparafii 4 months ago
Hmm, just wanted to do that patch, but for me any call to the API is authorized, even those that should not be according to this video, so what's wrong? I'm calling those URLs via browser, not curl (so only GET), but that should not change the result(?). Maybe I should just block/remove/rename the whole www folder to cut off the whole API? (not sure if anyone will answer here after 2 years)
@lulztigre 9 months ago
I have a kink for when the flashback team call me a noob
@Scratchmex 1 year ago
Can you share the technique to patch the firmware with arbitrary code? That script looks awesome. How do you patch it and repack it in the shell script? Thanks
@FlashbackTeam 1 year ago
We will actually release the whole patch soon, since it's been over a year since we dropped the video!
@000t9 3 years ago
Such helpful information and a cool bug :) You guys are the coolest 😎 but not the bug 😅 I think there might be an XXE bug :) I'm gonna search for it, thank you guys
@FlashbackTeam 3 years ago
Thanks and good luck hunting!
@amustaque97 3 years ago
@flashback, how did you create your custom wordlist??? Let's suppose there is a new product launch in the market and you want to try a login brute-force. What would be your methodology to create a wordlist??
@FlashbackTeam 3 years ago
We would always try the dictionary attack first. We maintain some wordlists which are large and good enough to give us a good feeling about the coverage. We would also add on top of that some specific keywords customized for the target. The next step would be to use a pattern-based brute-force before we would move on to a completely blind brute-force.
@123strelok 3 years ago
7:09 if we start digging around var wblablabla? haha
@GeorgeValkov 1 year ago
Since you have the source of the firmware and you are building a firmware image, why not include your patch inside?
@FlashbackTeam 1 year ago
We wanted the patch to be as unintrusive as possible, as we felt people were more likely to apply a patch than to install a "hacked" firmware. The easiest way is to use a cron job or something similar to apply our patch at every boot.
@GeorgeValkov 1 year ago
@FlashbackTeam Good point. Makes me curious to see if you offer both and ask people to vote on which method they prefer. I compile custom OpenWRT for my devices and web site. I even wrote my own web server. It would be interesting to see if anyone can get in.
@gcm4312 3 years ago
> Release new OS one week before PWN2OWN > Not enough time for researchers to scrutinize the product > No pops > Markets the device as SAFU 😎 that PWN2OWN rule is BS.
@thebrotherhood1675 3 years ago
The voice is not clear; if you could include subtitles, that would be better, thanks.
@FlashbackTeam 3 years ago
Thanks for the feedback, we just published English subtitles!
@nv1t 1 year ago
WD really sucks at responding to research. that's why exploiteers just went full disclosure back then. interesting to see nothing has changed.
@brymko 3 years ago
Shitty vendors in bug bounty are really hypocritical imo. I would understand their lack of common knowledge when not signing up for P2O/hacker1/etc., but letting their products be essentially audited for free and then choosing to be morons to work with is just insulting. Signing up for P2O knowing that a major update is about to drop is without a doubt one of those things. But I also think the rules for P2O are a bit shitty in that regard, let me elaborate. Remember the deserialize vuln in the Ignition workstation almost every team got in Miami 2020? Given the low difficulty of exploitation paired with random order of entry + half bounty/points for successive submits, a dominant team could've submitted & had it fixed prior to the competition, knocking out some teams and reducing the probability of another good team getting twice your points. IMO I enjoy your "retaliation", however I personally would've waited at least the P0 90-day deadline to have _more_ backup in the community if the vendor decides to play crybaby and initiate legal action.