CVE-2021-3310 Western Digital MyCloud PR4100 Link Resolution Information Disclosure Vulnerability

Default Share permissions
SMB.conf settings
AFP Configuration
Symlinks enabled
Access to the overly permissive shadow file readable by “nobody”
insecure shadow file permissions
proper shadow file permissions
php default configuration / save path
“secured” session file
Sending our request with the leaked cookie
csrf_token_check with one fatal flaw
exploit attempt with leaked session token and CSRF bypass
The fruits of our labor, a root shell!

Chris Hernandez

Red Teamer — Security Researcher — Breaking things is fun, except when it's not