Security Disclosure: WDTV Media Player Login Bypass

This security vulnerability was found while completing the Mr Robot Returns: Act V challenge (350 points) from BSides Canberra 2017.

Aim

The aim of Mr Robot Returns: Act V was to find and use a 0-day to exploit an IoT device. The device was a WDTV Media Player, with the aim being to play a certain video.

Product Overview

The WDTV Media Player is a product by Western Digital. The product has reached end-of-life, which is probably the reason why the vulnerability was not patched. This vulnerability was found on version 1.03.07.

Web Panel

A login form is presented to login to the device. The form has a number of options, including a “Remember me” option. This sets a cookie keepSign to be 1.

Exploitation

When accessing the main web panel (Main.php) the following check is performed:

The nature of this check means that if the keepSign cookie is set to 1 then it completely skips all other checks regarding password validation.

This vulnerability requires no external tools other than a web browser. Just enter false details, making sure “Remember me” is ticked so the cookie is set. Once the page states that the login is incorrect, go to Main.php in the root directory, and the administrator interface will be shown.

Timeline:

  • 18 March 2017: Initial bug discovery.
  • 21 March 2017: Exploited replayed in lab environment for confirmation.
  • 25 March 2017: Confidential discussion with Silas Barnes (sw1tch) who helped with providing a write-up of the disclosure and contact details for the vendor. He was also the person who set this challenge in the CTF.
  • 6 April 2017: Wrote disclosure in seclists format.
  • 10 April 2017: Contacted vendor via email, requested secure communications channel for disclosure.
  • 10 April 2017: Vendor responded, provided ProtonMail address and requested disclosure of findings. Established 90 day responsible disclosure period ending on 10 July 2017.
  • 10 April 2017: Contacted vendor via ProtonMail and disclosed all details of issues found.
  • 11 April 2017: Vendor responded, confirmed receipt of information.
  • 1 July 2017: Contacted vendor via email, requested status update. No response.
  • 10 July 2017: 90 day responsible disclosure period ended.
  • 10 August 2017: Public disclosure.

A very big thank you to sw1tch and TheColonial for their help and guidance with responsible disclosure for this vulnerability.