
Investigations reveal hackers exploited 0-day to wipe WD devices


Following the aftermath of WD’s My Book Live devices being wiped remotely by hackers, WD has published an update clarifying that attackers used a 0-day exploit and not the previously suspected 2018 security bug. The new vulnerability is now being tracked as CVE-2021-35841.

This second vulnerability allows a remote user to factory reset the device, deleting all of its data, without any authentication to confirm that the request actually comes from the device’s owner.

The company is also offering free-of-cost data recovery services and trade-in offers for My Book Live customers allowing them to upgrade to My Cloud devices starting July. 

As reported by Ars Technica, the vulnerability was found in a file named system_factory_restore. The file contained a PHP script that allowed users to restore all default configurations and wipe all data. 



Is WD at fault?

Normally such actions would require a user to enter their password, and for a good reason. These devices are accessible over the internet, and the fact that someone can factory reset them without proper authentication is just surprising. 

As it turns out, a WD developer had, in fact, written a code snippet in the system restore script that asks the user to provide their password before proceeding with the reset. However, that piece of code was commented out and hence inactive. 

The following code snippet was commented out from the original script. Had it not been, the second exploit wouldn’t have existed.

    function get($urlPath, $queryParams=null, $ouputFormat='xml'){
//        if(!authenticateAsOwner($queryParams))
//        {
//            header("HTTP/1.0 401 Unauthorized");
//            return;
//        }

WD’s explanation is that the check was deactivated while the company reconsidered how authentication was to be handled on the device itself. According to WD, the vulnerability was introduced when that refactor failed to add the correct authentication type. 
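Two things a defender would want from the snippet above: a quick check that flags authentication calls sitting inside comments, and a model of what that disabled guard means for the endpoint. The code below is an added example, not WD’s code; the `factoryRestore()` line and the list of auth function names are assumptions.

```python
import re

# Constructed sample: the WD snippet as quoted in the article, with a
# hypothetical reset call appended so the handler body is complete.
PHP_SNIPPET = """\
function get($urlPath, $queryParams=null, $ouputFormat='xml'){
//        if(!authenticateAsOwner($queryParams))
//        {
//            header("HTTP/1.0 401 Unauthorized");
//            return;
//        }
    factoryRestore();   // hypothetical: the actual reset logic
}
"""

# Names of guard functions to look for (assumption: extend per code base).
AUTH_FUNCS = ("authenticateAsOwner",)


def find_disabled_auth_checks(source, auth_funcs=AUTH_FUNCS):
    """Return (line_no, text) for each line where an auth call appears
    inside a // or # line comment or a /* */ block comment.
    Heuristic scan, not a PHP parser: good enough to flag a guard that
    was commented out rather than removed."""
    hits, in_block = [], False
    for no, line in enumerate(source.splitlines(), 1):
        s = line.strip()
        if "/*" in s:
            in_block = True
        commented = in_block or s.startswith(("//", "#"))
        if commented and any(re.search(rf"\b{f}\s*\(", s) for f in auth_funcs):
            hits.append((no, s))
        if "*/" in s:
            in_block = False
    return hits


def handle_reset(request, auth_enabled):
    """Model of the endpoint. With the guard active an unauthenticated
    request gets 401 and nothing is wiped; with the guard commented out
    the wipe runs for anyone who can reach the device."""
    if auth_enabled and not request.get("owner_password_ok", False):
        return 401, "not wiped"
    return 200, "wiped"


if __name__ == "__main__":
    for no, text in find_disabled_auth_checks(PHP_SNIPPET):
        print(f"line {no}: commented-out auth guard: {text}")
    print(handle_reset({}, auth_enabled=False), handle_reset({}, auth_enabled=True))
```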

To exploit this vulnerability, an attacker would have to know the format of the XML request that triggers the reset and, in turn, this script. HD Moore, a security expert and CEO of Rumble, told Ars Technica that “The vendor commenting out the authentication in the system restore endpoint really doesn’t make things look good for them.”

Following the mass deletion from My Book devices, WD posted an advisory suggesting that the attacks resulted from an exploit for CVE-2018-18472. That vulnerability was discovered in late 2018 by researchers Paulos Yibelo and Daniel Eshetu. However, since WD stopped supporting My Book Live in 2015, it was never fixed.

What’s surprising here is that according to the analysis performed by Ars Technica and Derek Abdine, CTO for security firm Censys, devices that were hit by the mass hack and wiped out were also affected by the unauthorised reset vulnerability. The second exploit was found documented in log files extracted from the hacked devices. 


Why the two attacks then?

The question now is that if the attacker already had root access to the device using one exploit, why would they go back and wipe the entire device using a second vulnerability?

The reason this happened is that the access gained through CVE-2018-18472 had been password protected by the attacker. As it turns out, some of the devices affected here were infected with malware called .nttpd,1-ppc-be-t1-z, which turned them into part of a botnet called Linux.Ngioweb.

Ars’ theory for why the second attack happened is that while one hacker compromised the devices and turned them into a botnet, a rival attacker exploited the second vulnerability and reset the device in an attempt to either take over these devices or sabotage the botnet. 


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
