Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices [Updated]

Update 6/29/2021, 9:00 PM: Western Digital has published an update that says the company will provide data recovery services starting early next month. My Book Live customers will also be eligible for a trade-in program so they can upgrade to My Cloud devices. A spokeswoman said the data recovery service will be free of charge.

The company also provided new technical details about the zeroday, which is now being tracked as CVE-2021-35941. Company officials wrote:

We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.
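Added example (not Western Digital's firmware code): a minimal PHP model of the centralized lookup the statement describes, with the endpoint table, the auth-type names other than ADMIN_AUTH_LAN_ALL and the helper functions all assumed. It shows why an endpoint missing from the table silently runs with no check at all when the dispatcher fails open, and how a fail-closed lookup turns the same omission into a denied request instead of an unauthenticated wipe.

```php
<?php
// Added example, not vendor code: a model of the component_config.php lookup.
// Endpoint table, as in component_config.php: endpoint => required auth type.
// 'system_factory_restore' is deliberately absent, which is the omission the
// vendor statement describes. 'NO_AUTH' and 'system_status' are assumed names.
$componentConfig = [
    'language_configuration' => 'ADMIN_AUTH_LAN_ALL',
    'system_status'          => 'NO_AUTH',
];

// Stand-in for the firmware's owner check (assumed); a real build would
// validate the admin session here.
function isAuthenticatedOwner(array $request): bool
{
    return !empty($request['owner_session']);
}

// Fail-open dispatcher: an endpoint absent from the table is never checked,
// so an anonymous POST to the reset endpoint runs the reset.
function dispatchFailOpen(array $config, string $endpoint, array $request): string
{
    $authType = $config[$endpoint] ?? null;
    if ($authType === 'ADMIN_AUTH_LAN_ALL' && !isAuthenticatedOwner($request)) {
        return '401 Unauthorized';
    }
    return "200 OK: $endpoint executed";
}

// Fail-closed dispatcher: an endpoint with no registered policy is refused,
// and anything not explicitly marked NO_AUTH requires the owner session.
// The same missing table entry now surfaces as a visible 403 during testing.
function dispatchFailClosed(array $config, string $endpoint, array $request): string
{
    if (!array_key_exists($endpoint, $config)) {
        return "403 Forbidden: no auth policy registered for $endpoint";
    }
    if ($config[$endpoint] !== 'NO_AUTH' && !isAuthenticatedOwner($request)) {
        return '401 Unauthorized';
    }
    return "200 OK: $endpoint executed";
}

// Constructed unauthenticated reset request: no owner session, erase requested.
$anonymousReset = ['erase' => 'format'];
echo dispatchFailOpen($componentConfig, 'system_factory_restore', $anonymousReset), PHP_EOL;
echo dispatchFailClosed($componentConfig, 'system_factory_restore', $anonymousReset), PHP_EOL;
echo dispatchFailClosed($componentConfig, 'language_configuration', ['owner_session' => 'abc']), PHP_EOL;
```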

The post added:

We have reviewed log files which we have received from affected customers to understand and characterize the attack. The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.

What follows is the article as it originally appeared:

Last week's mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.

The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.

Done and undone

The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices.

Normally, and for good reason, factory resets require the person making the request to provide a user password. This authentication ensures that devices exposed to the Internet can only be reset by the legitimate owner and not by a malicious hacker.

As the following script shows, however, a Western Digital developer created five lines of code to password-protect the reset command. For unknown reasons, the authentication check was cancelled, or in developer parlance, it was commented out, as indicated by the double / character at the beginning of each line.

function post($urlPath, $queryParams = null, $ouputFormat="xml") {
    // The owner check below is commented out, so every caller reaches the
    // reset logic that follows without presenting a password.
    // if(!authenticateAsOwner($queryParams))
    // {
    //      header("HTTP/1.0 401 Unauthorized");
    //      return;
    // }

"The vendor commenting out the authentication in the system restore endpoint really doesn't make things look good for them," HD Moore, a security expert and the CEO of network discovery platform Rumble, told Ars. "It's like they intentionally enabled the bypass."

To exploit the vulnerability, the attacker would have to know the format of the XML request that triggers the reset. That's "not quite as easy as hitting a random URL with a GET request, but [it's] not that far off, either," Moore said.

Dude, where's my data?

The discovery of the second exploit comes five days after people all over the world reported that their My Book Live devices had been compromised and then factory-reset so that all stored data was wiped. My Book Live is a book-sized storage device that uses an Ethernet jack to connect to home and office networks so that connected computers have access to the data on it. Authorized users can also access their files and make configuration changes over the Internet. Western Digital stopped supporting the My Book Live in 2015.

Western Digital personnel posted an advisory following the mass wiping that said it resulted from attackers exploiting CVE-2018-18472. The remote command execution vulnerability was discovered in late 2018 by security researchers Paulos Yibelo and Daniel Eshetu. Because it came to light three years after Western Digital stopped supporting the My Book Live, the company never fixed it.

An analysis performed by Ars and Derek Abdine, CTO at security firm Censys, found that the devices hit by last week's mass hack had also been subjected to attacks that exploited the unauthorized reset vulnerability. The additional exploit is documented in log files extracted from two hacked devices.

One of the logs was posted in the Western Digital support forum where the mass compromise first came to light. It shows someone from the IP address successfully restoring a device:

rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: OUTPUT System_factory_restore POST SUCCESS

A second log file I obtained from a hacked My Book Live device showed a different IP address——exploiting the same vulnerability. Here are the telltale lines:

Jun 16 07:28:41 MyBookLive REST_API[28538]: PARAMETER System_factory_restore POST : erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: OUTPUT System_factory_restore POST SUCCESS
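Added example, not code from the article or from Western Digital: a PHP script that pairs the PARAMETER and OUTPUT lines quoted above to list every completed factory reset in a My Book Live rest_api.log, so someone examining a recovered device can see when a reset succeeded and whether it was the destructive erase = format form. The sample log is constructed to match the quoted format, including the file-name prefix grep prepends.

```php
<?php
// Added example, not code from the article or the vendor: pair the
// PARAMETER and OUTPUT lines of a My Book Live rest_api.log to list completed
// factory resets. The sample lines below are constructed to match the format
// quoted in the article (the optional "file:" prefix is what grep prepends).
const SAMPLE_LOG = <<<'LOG'
Jun 16 07:28:40 MyBookLive REST_API[28538]: PARAMETER Language_configuration PUT : language = en_US
Jun 16 07:28:41 MyBookLive REST_API[28538]: PARAMETER System_factory_restore POST : erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: OUTPUT System_factory_restore POST SUCCESS
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: OUTPUT System_factory_restore POST SUCCESS
LOG;

// Returns one record per reset the API reported as SUCCESS, matched to the
// preceding PARAMETER line of the same process id so the erase mode is known.
function findFactoryResets(string $log): array
{
    $pending = [];  // pid => reset request still waiting for its OUTPUT line
    $resets  = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // optional "file:" prefix, syslog timestamp, host, pid, message
        if (!preg_match('/^(?:[^:\s]+:)?(\w{3} +\d+ [\d:]+) (\S+) REST_API\[(\d+)\]: (.*)$/', $line, $m)) {
            continue;
        }
        [, $time, $host, $pid, $msg] = $m;
        if (preg_match('/^PARAMETER System_factory_restore POST : erase = (\w+)/', $msg, $p)) {
            $pending[$pid] = ['time' => $time, 'host' => $host, 'pid' => $pid, 'erase' => $p[1]];
        } elseif ($msg === 'OUTPUT System_factory_restore POST SUCCESS' && isset($pending[$pid])) {
            $resets[] = $pending[$pid];
            unset($pending[$pid]);
        }
    }
    return $resets;
}

foreach (findFactoryResets(SAMPLE_LOG) as $r) {
    printf("%s %s pid=%s factory reset succeeded, erase=%s%s\n",
        $r['time'], $r['host'], $r['pid'], $r['erase'],
        $r['erase'] === 'format' ? ' (user data destroyed)' : '');
}
```

To run it against a real device log, replace SAMPLE_LOG with file_get_contents('rest_api.log'); the erase = none entries are the ones that reset configuration without destroying data.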

After presenting these findings to Western Digital representatives, I received the following confirmation: "We can confirm that in at least some of the cases, the attackers exploited the command injection vulnerability (CVE-2018-18472), followed by the factory reset vulnerability. It's not clear why the attackers exploited both vulnerabilities. We'll request a CVE for the factory reset vulnerability and will update our bulletin to include this information."

This vulnerability has been password-protected

The discovery raises a vexing question: if the hackers had already obtained full root access by exploiting CVE-2018-18472, what need did they have for this second security flaw? There's no clear answer, but based on the evidence available, Abdine has come up with a plausible theory—that one hacker first exploited CVE-2018-18472 and a rival hacker later exploited the other vulnerability in an attempt to wrest control of those already compromised devices.

The attacker who exploited CVE-2018-18472 used the code execution capability it provided to modify a file in the My Book Live stack named language_configuration.php, which is where the vulnerability is located. According to a recovered file, the modification added the following lines:

function put($urlPath, $queryParams=null, $ouputFormat="xml"){

    parse_str(file_get_contents("php://input"), $changes);

    $langConfigObj = new LanguageConfiguration();
    // Added by the attacker: the request is only honored if the "submit"
    // value hashes to the hard-coded SHA1, locking the backdoor to its owner.
    if(!isset($changes["submit"]) || sha1($changes["submit"]) != "56f650e16801d38f47bb0eeac39e21a8142d7da1")

The change prevented anyone from exploiting the vulnerability without the password that corresponds to the cryptographic SHA1 hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. It turns out that the password for this hash is p$EFx3tQWoUbFc%B%R$k@. The plaintext appears in the recovered log file here.

A separate modified language_configuration.php file recovered from a hacked device used a different password that corresponds to the hash 05951edd7f05318019c4cfafab8e567afe7936d4. The hackers used a third hash—b18c3795fd377b51b7925b2b68ff818cc9115a47—to password-protect a separate file named accessDenied.php. It was likely done as an insurance policy in the event that Western Digital released an update that patched language_configuration.

So far, attempts to crack these two other hashes haven't succeeded.

According to Western Digital's advisory linked above, some of the My Book Live devices hacked using CVE-2018-18472 were infected with malware called .nttpd,1-ppc-be-t1-z, which was written to run on the PowerPC hardware used by My Book Live devices. One user in the support forum reported a hacked My Book Live receiving this malware, which makes devices part of a botnet called Linux.Ngioweb.

A theory emerges

So why would someone who successfully wrangled so many My Book Live devices into a botnet turn around and wipe and reset them? And why would someone use an undocumented authentication bypass when they already have root access?

The most likely answer is that the mass wipe and reset was performed by a different attacker, very likely a rival who either tried to take control of the rival's botnet or simply wanted to sabotage it.

"As for motive for POSTing to this [system_factory_restore] endpoint on a mass scale, it's unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015," Abdine wrote in a recent blog post.

The discovery of this second vulnerability means that My Book Live devices are even more insecure than most people thought. It adds authority to Western Digital's recommendation to all users to disconnect their devices from the Internet. Anyone using one of these devices should heed the call immediately.

For many hacked users who lost years' or decades' worth of data, the thought of buying another Western Digital storage device may be out of the question. Abdine, however, says that My Cloud Live devices, which replaced Western Digital's My Book Live products, have a different codebase that doesn't contain either of the vulnerabilities exploited in the recent mass wiping.

"I took a look at the My Cloud firmware, too," he told me. "It's rewritten and bears some, but mostly little, resemblance to My Book Live code. So it doesn't share the same issues."
