CVE-2017-17560
Published 2017-12-12
Priority P190 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 73.40% (99.4th percentile)
An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| westerndigital | my_cloud_pr4100_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated HTTP POST requests to /web/jquery/uploader/multi_uploadify.php with a multipart/form-data body containing a PHP file upload (Filedata[] field) and a 'folder' GET parameter pointing to a web-accessible path such as /var/www.
- A 302 redirect response from /web/jquery/uploader/multi_uploadify.php with a Location header matching '?status=1' indicates a successful (vulnerable) file upload; monitor for this response pattern.
- Monitor for creation of dot-prefixed .php files (e.g., .<random>.php) in /var/www on Western Digital MyCloud devices, which is the pattern used by the exploit to drop a PHP shell.
- A subsequent GET request to the uploaded PHP filename at the web root (e.g., GET /.<random>.php) immediately after a POST to multi_uploadify.php indicates payload execution; correlate these two requests in HTTP logs.
- Any unauthenticated access (no session cookie/token) to /web/jquery/uploader/multi_uploadify.php should be treated as suspicious; the endpoint requires no authentication.
- The exploit targets Western Digital MyCloud PR4100 firmware version 2.30.172 specifically; other firmware versions may or may not be vulnerable.
- The Metasploit module uses ARCH_PHP and platform 'php', meaning the uploaded payload is a PHP script executed server-side as root; detection should focus on PHP file creation and execution, not binary payloads.
- The module registers the uploaded PHP file for cleanup after execution, so the malicious file may be short-lived on disk; real-time file integrity monitoring of /var/www is recommended rather than relying on post-incident forensics.
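As an added defender-side example (not taken from the page's sources, the Metasploit module or any vendor tooling), the script below correlates the indicators listed above over a constructed JSON access log; the record field names (ts, client, method, path, status, cookie, location) are assumptions about what a reverse proxy or WAF in front of the device would log.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

UPLOADER = "/web/jquery/uploader/multi_uploadify.php"


def parse(line):
    """One JSON access-log record per line (field names are assumed, not a real product format)."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines, window=timedelta(seconds=60)):
    """Return (severity, client, reason) alerts for the CVE-2017-17560 upload-then-execute pattern."""
    alerts, uploads = [], {}  # uploads: client -> time of last accepted upload
    for rec in map(parse, lines):
        parts = urlsplit(rec["path"])
        if parts.path == UPLOADER:
            if rec["method"] != "POST":
                continue
            # The endpoint needs no authentication; a POST with no session cookie is the baseline signal.
            if not rec.get("cookie"):
                alerts.append(("medium", rec["client"], "unauthenticated POST to multi_uploadify.php"))
            # 'folder' parameter aimed at a web-accessible path means the upload becomes reachable over HTTP.
            folder = parse_qs(parts.query).get("folder", [""])[0]
            if folder.startswith("/var/www"):
                alerts.append(("high", rec["client"], f"upload targeting web root: folder={folder}"))
            # 302 with Location '?status=1' is the success response on a vulnerable device.
            if rec["status"] == 302 and "status=1" in rec.get("location", ""):
                alerts.append(("high", rec["client"], "302 ?status=1: upload accepted"))
                uploads[rec["client"]] = rec["ts"]
        elif rec["method"] == "GET" and parts.path.startswith("/.") and parts.path.endswith(".php"):
            # Dot-prefixed .php fetched shortly after an accepted upload: treat as payload execution.
            t0 = uploads.get(rec["client"])
            if t0 is not None and rec["ts"] - t0 <= window:
                alerts.append(("critical", rec["client"], f"dot-prefixed PHP fetched after upload: {parts.path}"))
    return alerts


SAMPLE_LOG = [  # constructed records for illustration, not captured from a real device
    '{"ts":"2024-01-01T10:00:00","client":"198.51.100.7","method":"GET","path":"/web/","status":200,"cookie":"PHPSESSID=abc"}',
    '{"ts":"2024-01-01T10:00:05","client":"203.0.113.9","method":"POST","path":"/web/jquery/uploader/multi_uploadify.php?folder=/var/www","status":302,"cookie":"","location":"?status=1"}',
    '{"ts":"2024-01-01T10:00:06","client":"203.0.113.9","method":"GET","path":"/.x1y2z3.php","status":200,"cookie":""}',
]

if __name__ == "__main__":
    for severity, client, reason in analyze(SAMPLE_LOG):
        print(f"[{severity}] {client}: {reason}")
```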
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-gchv-qvcf-v9x3 (ghsa_unreviewed · 2022-05-14) · CVE-2017-17560 [CRITICAL] · CWE-287
Description as in the CVE summary above.
VulnCheck
Western Digital my_cloud_pr4100_firmware Improper Authentication (vulncheck · 2017 · CVSS 9.8) · CVE-2017-17560 [CRITICAL]
Description as in the CVE summary above.
Affected: Western Digital my_cloud_pr4100_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?da
No detection rules found.
Exploit-DB
Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit) (exploitdb · 2017-12-18) · CVE-2017-17560
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  HttpFingerprint = { :method => 'HEAD', :uri => '/web/', :pattern => [/Apache/] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'Western Digital MyCloud multi_uploadify File Upload Vulnerability',
      'Description' => %q{
        This module exploits a file upload vulnerability found in Western Digital's MyCloud
        NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php
        PHP script provides multipart upload functionality that is accessible without authentication
        and can be used to place a fi
```
(The Exploit-DB listing is truncated at this point.)
Metasploit
Western Digital MyCloud multi_uploadify File Upload Vulnerability (metasploit)
This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
No writeups or analysis indexed.
References
- https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf
- https://github.com/rapid7/metasploit-framework/pull/9248
- https://www.exploit-db.com/exploits/43356/