Exploiting (and Patching) a Zero Day RCE Vulnerability in a Western Digital NAS

Learn tricks and techniques like these, with us, in our amazing training courses!
https://flashback.sh/training

In this video we show you how we found, exploited and patched a chain of zero day vulnerabilities in a Western Digital (WD) Network Attached Storage (NAS) device. This chain allows an unauthenticated attacker to execute code as root and install a permanent backdoor on the NAS.

0:00 Intro
0:41 Why Drop A Zero Day?
2:51 Overview Of WD PR4100 NAS
4:01 OS3 vs OS5
5:18 Recon And Password Cracking
7:02 API Introduction
8:45 Accessing Auth API (Vulnerability #1)
10:07 Firmware Update (Vulnerability #2)
15:48 Exploit Walkthrough
18:32 Exploit Execution
19:56 Patching Vulnerability #2
22:41 Downgrading OS5 To OS3
24:07 One Week Update

The vulnerabilities affect most of the WD NAS line-up and their OS3 firmware versions and are unpatched as of 2021/02/25. The new OS5 firmware is not vulnerable. OS3 is in a limbo, it's not clear whether it is supported or not by WD, but WD's official response to a security advisory in November 2020 seems to indicate that it's out of support.

Please keep safe - do not expose your NAS to the Internet. If your device supports OS5, upgrade to that, otherwise you can use our patch to fix it, which needs to be done at every reboot.

Our patch can be found at:
https://github.com/pedrib/PoC/blob/ma...
https://github.com/rdomanski/Exploits...

The full advisory detailing the vulnerabilities can be found here: https://www.flashback.sh/blog/weekend...

CVE-2021-36224: Hard-coded User Credentials
CVE-2021-36225: Firmware Upgrade Can be Initiated by Low Privilege User
CVE-2021-36226: No Cryptographic Verification of Firmware Upgrades

Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.

~ Flashback Team
https://flashback.sh
  / flashbackpwn