WDTV Live Streaming Media Player release 2.03.20 (and likely earlier) contains a weakness that allows an unauthenticated attacker to change the web management password to a value of their choice.
Nothing earth-shattering here, just a failure to check that a POST request carries the validated headers an authenticated user should have before processing the password reset. It would also have helped if the request had been required to contain the current valid password (kind of best practice when resetting credentials for already authenticated users), but while the web interface asked for this value, it wasn’t actually required to complete the reset.
In fact, it quickly became clear that pretty much all of the functions on the web management interface fail to check for a properly authenticated session. This also allows an attacker to mess around with the virtual remote, controlling the device over a network connection instead of via the IR handset.
No special code is needed for the password reset; a simple curl or wget request does the trick:
curl http://<ip_address>/DB/modfiy_pw.php -d "password=pwn3d"
The following video quickly outlines how this issue was found, tested and validated:
I notified Western Digital about this issue back on March 9th 2017 – I’m guessing that because this product is EOL, it won’t be fixed. While at BSides Canberra 2017, the CodeCadets came across another vulnerability that allowed them to take control of the WDTV Live’s web management interface during the conference CTF competition, and George Dan from the team posted their writeup here. Great work team!
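The two checks described above as missing from the password reset (an authenticated session, and the current password), modelled in Python as an added example. This is not the device's firmware code: the Device class, function names, form fields and sample passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed model of a password-change endpoint; every name is hypothetical.

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_pw(password, self.salt)
        self.sessions = set()  # tokens issued after a successful login

    def check_password(self, candidate: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(hash_pw(candidate, self.salt), self.pw_hash)

    def login(self, password: str):
        if not self.check_password(password):
            return None
        token = os.urandom(16).hex()
        self.sessions.add(token)
        return token

    def set_password(self, new: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hash_pw(new, self.salt)
        self.sessions.clear()  # existing sessions must log in again

def change_password_vulnerable(device, cookies, form):
    # Behaviour described in the post: any POST sets the new password.
    device.set_password(form["password"])
    return 200

def change_password_hardened(device, cookies, form):
    # 1. Reject requests that carry no live authenticated session.
    if cookies.get("session") not in device.sessions:
        return 401
    # 2. Require the current password and verify it server-side,
    #    not just ask for it in the web form.
    if not device.check_password(form.get("current_password", "")):
        return 403
    new = form.get("password", "")
    if not new:
        return 400
    device.set_password(new)
    return 200
```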