Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices


Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.

The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.

Done and undone

The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices.

Normally, and for good reason, factory resets require the person making the request to provide a user password. This authentication ensures that devices exposed to the Internet can only be reset by the legitimate owner and not by a malicious hacker.

As the following script shows, however, a Western Digital developer created five lines of code to password-protect the reset command. For unknown reasons, the authentication check was cancelled, or in developer parlance, it was commented out, as indicated by the double / character at the beginning of each line.

function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    // The owner-authentication check that should gate the reset. Every line
    // is commented out, so the handler proceeds with no password required.
    // if(!authenticateAsOwner($queryParams))
    // {
    //      header("HTTP/1.0 401 Unauthorized");
    //      return;
    // }
    // ... the reset logic follows (not shown in the recovered excerpt)
}

“The vendor commenting out the authentication in the system restore endpoint really doesn’t make things look good for them,” HD Moore, a security expert and the CEO of network discovery platform Rumble, told Ars. “It’s like they intentionally enabled the bypass.”

To exploit the vulnerability, the attacker would have had to know the format of the XML request that triggers the reset. That’s “not quite as easy as hitting a random URL with a GET request, but [it’s] not that far off, either,” Moore said.

Dude, where’s my data?

The discovery of the second exploit comes five days after people all over the world reported that their My Book Live devices had been compromised and then factory-reset so that all stored data was wiped. My Book Live is a book-sized storage device that uses an Ethernet jack to connect to home and office networks so that connected computers have access to the data on it. Authorized users can also access their files and make configuration changes over the Internet. Western Digital stopped supporting the My Book Live in 2015.

Western Digital personnel posted an advisory following the mass wiping that said it resulted from attackers exploiting CVE-2018-18472. The remote command execution vulnerability was discovered in late 2018 by security researchers Paulos Yibelo and Daniel Eshetu. Because it came to light three years after Western Digital stopped supporting the My Book Live, the company never fixed it.

An analysis performed by Ars and Derek Abdine, CTO at security firm Censys, found that the devices hit by last week’s mass hack had also been subjected to attacks that exploited the unauthenticated reset vulnerability. The additional exploit is documented in log files extracted from two hacked devices.

One of the logs was posted in the Western Digital support forum where the mass compromise first came to light. It shows someone from the IP address 94.102.49.104 successfully restoring a device:

rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS

A second log file I obtained from a hacked My Book Live device showed a different IP address—23.154.177.131—exploiting the same vulnerability. Here are the telltale lines:

Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST : erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS
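As an added example that is not part of the article or of Western Digital’s code, the following Python script parses REST_API log lines of the form quoted above, pairs each PARAMETER line with its OUTPUT line, and reports every successful System_factory_restore POST together with its erase mode and whether the source address lies outside private address space. The sample input reuses the two quoted log pairs and adds one constructed request from a LAN address for contrast; the handling of a leading `rest_api.log.1:` prefix assumes it is a grep file-name prefix, as in the forum post.

```python
import ipaddress
import re

# Constructed sample: the two log pairs quoted above plus one constructed LAN
# request for contrast; the first pair keeps grep's "rest_api.log.1:" prefix.
SAMPLE_LOG = """\
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS
Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST : erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS
Jun 16 07:30:00 MyBookLive REST_API[28540]: 192.168.1.20 PARAMETER System_factory_restore POST : erase = none
Jun 16 07:30:01 MyBookLive REST_API[28540]: 192.168.1.20 OUTPUT System_factory_restore POST SUCCESS
"""

LINE_RE = re.compile(
    r"^(?:[\w.]+:)?"                                   # optional "file:" grep prefix
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "  # syslog-style timestamp
    r"(?P<host>\S+) REST_API\[(?P<pid>\d+)\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<kind>PARAMETER|OUTPUT) (?P<endpoint>\S+) (?P<method>[A-Z]+)"
    r"(?: : (?P<params>.*)| (?P<result>\S+))?$"
)

def parse_line(line):
    """Return the named fields of one REST_API log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_factory_resets(log_text):
    """Pair each PARAMETER line with its OUTPUT line and list successful resets."""
    pending = {}  # (host, pid, ip) -> params string from the PARAMETER line
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["endpoint"] != "System_factory_restore" or rec["method"] != "POST":
            continue
        key = (rec["host"], rec["pid"], rec["ip"])
        if rec["kind"] == "PARAMETER":
            pending[key] = rec["params"] or ""
        elif rec["result"] == "SUCCESS":
            params = pending.pop(key, "")
            # Erase mode is reported as logged; in the article's second case "format" coincided with wiped data.
            erase = params.split("=", 1)[1].strip() if params.startswith("erase") else "unknown"
            hits.append({
                "time": rec["ts"], "device": rec["host"], "ip": rec["ip"], "erase": erase,
                # A reset requested from outside private address space is the strongest signal.
                "external": ipaddress.ip_address(rec["ip"]).is_global,
            })
    return hits
```

Run it against a device’s rest_api.log files; any hit with external set to True on a device that should only be managed from the LAN warrants treating the unit as compromised.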

After presenting these findings to Western Digital representatives, I received the following confirmation: “We can confirm that in at least some of the cases, the attackers exploited the command injection vulnerability (CVE-2018-18472), followed by the factory reset vulnerability. It’s not clear why the attackers exploited both vulnerabilities. We’ll request a CVE for the factory reset vulnerability and will update our bulletin to include this information.”

This vulnerability has been password-protected

The discovery raises a vexing question: if the hackers had already obtained full root access by exploiting CVE-2018-18472, what need did they have for this second security flaw? There’s no clear answer, but based on the evidence available, Abdine has come up with a plausible theory—that one hacker first exploited CVE-2018-18472 and a rival hacker later exploited the other vulnerability in an attempt to wrest control of those already compromised devices.

The attacker who exploited CVE-2018-18472 used the code execution capability it provided to modify a file in the My Book Live stack named language_configuration.php, which is where the vulnerability is located. According to a recovered file, the modification added the following lines:

function put($urlPath, $queryParams=null, $ouputFormat="xml"){

    parse_str(file_get_contents("php://input"), $changes);

    $langConfigObj = new LanguageConfiguration();
    // Attacker-added gate: abort unless the request body carries a "submit"
    // field whose SHA-1 matches the hard-coded hash.
    if(!isset($changes["submit"]) || sha1($changes["submit"]) != "56f650e16801d38f47bb0eeac39e21a8142d7da1")
        die();
    // ... the original (injectable) handler continues (not shown in the recovered excerpt)
}

The change prevented anyone from exploiting the vulnerability without the password that corresponds to the cryptographic SHA1 hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. It turns out that the password for this hash is p$EFx3tQWoUbFc%B%R$k@. The plaintext appears in the recovered log file here.

A separate modified language_configuration.php file recovered from a hacked device used a different password that corresponds to the hash 05951edd7f05318019c4cfafab8e567afe7936d4. The hackers used a third hash—b18c3795fd377b51b7925b2b68ff818cc9115a47—to password-protect a separate file named accessDenied.php. It was likely done as an insurance policy in the event that Western Digital released an update that patched language_configuration.

So far, attempts to crack these two other hashes haven’t succeeded.

According to Western Digital’s advisory linked above, some of the My Book Live devices hacked using CVE-2018-18472 were infected with malware called .nttpd,1-ppc-be-t1-z, which was written to run on the PowerPC hardware used by My Book Live devices. One user in the support forum reported a hacked My Book Live receiving this malware, which makes devices part of a botnet called Linux.Ngioweb.

A theory emerges

So why would someone who successfully wrangled so many My Book Live devices into a botnet turn around and wipe and reset them? And why would someone use an undocumented authentication bypass when they already have root access?

The most likely answer is that the mass wipe and reset was performed by a different attacker, very possibly a rival who either tried to take control of the other’s botnet or simply wanted to sabotage it.

“As for motive for POSTing to this [system_factory_restore] endpoint on a mass scale, it’s unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” Abdine wrote in a recent blog post.

The discovery of this second vulnerability means that My Book Live devices are even more insecure than most people thought. It adds authority to Western Digital’s recommendation to all users to disconnect their devices from the Internet. Anyone using one of these devices should heed the call immediately.

For many hacked users who lost years’ or decades’ worth of data, the thought of buying another Western Digital storage device is probably out of the question. Abdine, however, says that My Cloud Live devices, which replaced Western Digital’s My Book Live products, have a different codebase that doesn’t contain either of the vulnerabilities exploited in the recent mass wiping.

“I took a look at the My Cloud firmware, too,” he told me. “It’s rewritten and bears some, but mostly little, resemblance to My Book Live code. So it doesn’t share the same issues.”
