21/02/2021

Exploiting (and Patching) a Zero Day RCE Vulnerability in a Western Digital NAS

In this video we show you how we found, exploited and patched a chain of zero day vulnerabilities in a Western Digital (WD) Network Attached Storage (NAS) device. This chain allows an unauthenticated attacker to execute code as root and install a permanent backdoor on the NAS.

The vulnerabilities affect most of the WD NAS line-up and their OS3 firmware versions and are unpatched as of 2021/02/25. The new OS5 firmware is not vulnerable. OS3 is in limbo: it's not clear whether WD still supports it, but WD's official response to a security advisory in November 2020 seems to indicate that it's out of support.

Please keep safe: do not expose your NAS to the Internet. If your device supports OS5, upgrade to that; otherwise you can use our patch to fix it, which needs to be applied at every reboot.

Our patch can be found at:

https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer_patch.sh

https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/weekend_destroyer_patch.sh
