Trustwave SpiderLabs Security Advisory TWSL2018-005:
Vulnerability in WD My Cloud personal cloud storage

Published: 04/25/2018
Version: 1.0

Vendor:  Western Digital (www.wdc.com)
Product: My Cloud
Version affected: 2.30.181

Product description:
Reliable, centralized personal storage with automatic backup that plugs into 
your own home network. Share whatever you want, anywhere you have an Internet 
connection.

Finding 1: Storage content available via the UPnP ContentDirectory method
*****Credit: Martin Rakhmanov

It is possible to access files on the storage even when Public shares are
disabled.  Specifically, anyone can issue HTTP requests to TMSContentDirectory/Control
on port 9000 passing various actions. The Browse action returns XML with URLs to 
individual files on the device.

Proof-of-concept:

Python script to issue the Browse request is available at: 
https://github.com/SpiderLabs/advisories-poc/blob/master/TWSL2018-005/send-browse.py

Example output:

...
  <item id="0$2$20I258" parentID="0$2$20" restricted="1">
    <dc:title>L1010268</dc:title>
    <dc:date>2017-12-03</dc:date>
    <upnp:album>Leica</upnp:album>
    <pv:extension>JPG</pv:extension>
    <pv:modificationTime>1512289144</pv:modificationTime>
    <pv:addedTime>1516554431</pv:addedTime>
    <pv:lastUpdated>1512289144</pv:lastUpdated>
    <pv:orientation>1</pv:orientation>
    <pv:album_crosslink>0$2$24$55</pv:album_crosslink>
    <pv:date_crosslink>0$2$23$52$54</pv:date_crosslink>
    <pv:bookmark>uuid:55076f6e-6b79-4d65-64cf-0014ee1c561c,-L3NoYXJlcy9QdWJsaWMvU2hhcmVkIFBpY3R1cmVzL0xlaWNhL0wxMDEwMjY4LkpQRw==</pv:bookmark>
    <res size="4768768" resolution="4112x3088" protocolInfo="http-get:*:image/jpeg:*">http://10.0.1.14:9000/disk/NON-DLNA-OP01-FLAGS00d00000/O0$2$20I258.JPG</res>
    <res size="6919" resolution="160x120" protocolInfo="http-get:*:image/jpeg:DLNA.ORG_PN=JPEG_TN;DLNA.ORG_FLAGS=00d00000000000000000000000000000">http://10.0.1.14:9000/disk/DLNA-PNJPEG_TN-FLAGS00d00000/O0$2$20I258.JPG?scale=160x120</res>
    <res resolution="639x480" protocolInfo="http-get:*:image/jpeg:DLNA.ORG_PN=JPEG_SM;DLNA.ORG_CI=1;DLNA.ORG_FLAGS=00d00000000000000000000000000000">http://10.0.1.14:9000/disk/DLNA-PNJPEG_SM-CI1-FLAGS00d00000/O0$2$20I258.JPG?scale=639x480</res>
    <res resolution="1023x768" protocolInfo="http-get:*:image/jpeg:DLNA.ORG_PN=JPEG_MED;DLNA.ORG_CI=1;DLNA.ORG_FLAGS=00d00000000000000000000000000000">http://10.0.1.14:9000/disk/DLNA-PNJPEG_MED-CI1-FLAGS00d00000/O0$2$20I258.JPG?scale=1023x768</res>
    <res resolution="1438x1080" protocolInfo="http-get:*:image/jpeg:DLNA.ORG_PN=JPEG_LRG;DLNA.ORG_CI=1;DLNA.ORG_FLAGS=00d00000000000000000000000000000">http://10.0.1.14:9000/disk/DLNA-PNJPEG_LRG-CI1-FLAGS00d00000/O0$2$20I258.JPG?scale=1438x1080</res>
    <upnp:class>object.item.imageItem.photo</upnp:class>
  </item>
...

pv:bookmark element's content is base64 encoded actual path and file name. HTTP links shown let anyone download actual files from the device.

Remediation Steps:
There is no official fix to mitigate this vulnerability. Disable DLNA when there
is sensitive data stored on MyCloud devices.


Revision History:
01/26/2018 - Vulnerabilities disclosed to the WDC PSIRT team
03/28/2018 - Vendor confirms no fix will we released
04/25/2018 -  Advisory published


References
1. https://support.wdc.com/knowledgebase/answer.aspx?ID=20787
2. https://support.wdc.com/knowledgebase/answer.aspx?ID=20788
 

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security
risk. With cloud and managed security services, integrated technologies and a
team of security experts, ethical hackers and researchers, Trustwave enables
businesses to transform the way they manage their information security and
compliance programs. More than three million businesses are enrolled in the
Trustwave TrustKeeper® cloud platform, through which Trustwave delivers
automated, efficient and cost-effective threat, vulnerability and compliance
management. Trustwave is headquartered in Chicago, with customers in 96
countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.