WD TV Media Player

Security researchers from SEC Consult have found eight vulnerabilities in the firmware of the Western Digital TV Media Player that give attackers numerous ways to compromise and take over the device.

WD TV Media Player is a device that you can connect to a smart TV to play content stored on a network-attached storage (NAS) device, a USB thumb drive, or a local PC, or to stream content from the Internet.

Researchers find all sorts of security flaws

In an advisory released today, SEC Consult experts say they've found several high-severity flaws in the firmware of such devices.

These vulnerabilities range from SQL injection to CSRF bugs and allow attackers to upload rogue (backdoored) files to the device's built-in web server, execute code on the device, compromise its local SQLite database, and decrypt and steal user data.

"By combining the vulnerabilities documented in this advisory an attacker can fully compromise a network which has the WDTV Media Player appliance installed by using it as a jump-host to aid in further attacks," SEC Consult writes in its report.

No firmware update available

Researchers say they contacted Western Digital in January, but the company, after requesting a 90-day extension to the disclosure deadline, failed to issue a firmware update.

This may be because WD TV Media Player devices are semi-retired and are no longer available in the WD store. Nonetheless, WD has not officially announced the product as retired.

Researchers only tested WD TV Media Player firmware version 1.03.07, but some of the issues below might affect older versions as well. SEC Consult recommends that owners take these devices offline until a fixed firmware version becomes available.

Vulnerabilities

1. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded to the webserver with no authentication required. This is a critical vulnerability, as it leads to remote code execution.

2. Local File Inclusion (LFI)
Combined with the arbitrary file upload vulnerability, local file inclusion can be leveraged to achieve remote code execution. An unauthenticated user on the same network can execute any uploaded malicious file via this vulnerability.

3. Cross Site Request Forgery (CSRF)
All executable files on the webserver are vulnerable to CSRF, which allows an attacker to forge any type of request to any file.

4. Private Key Embedded In Firmware
Shipping a private key in the firmware results in all users having the same private key. This is an insecure practice, as anyone who obtains the private key can use it to decrypt other users' data.

5. SQL Injection on SQLite Database
In the worst case, an attacker can exploit this vulnerability to create a backdoor in the webserver.

6. Webserver Running with Root Privileges
The main binary (which contains the webserver and PHP) runs with root privileges.

7. Login not protected against brute-force attacks
Although only a password (no username) is needed to log in, this vulnerability is rated high because there is no protection against brute-force attacks.

8. Full Path Disclosure
Due to improper input validation and a weak webserver configuration, an attacker can retrieve the full filesystem path of the web directory.

Image credits: WD, Bleeping Computer