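#!/bin/bash

# ------------------------------------------------------------
# Hotfixing of Western Digital MyBook Live and MyBook Live Duo
# by Daniel Marschall, ViaThinkSoft
# Revision: 2021-06-30
#
# Licensed under the terms of Apache 2.0 license
# *** USE AT YOUR OWN RISK ***
# ------------------------------------------------------------

# How to use:
# 1. Download this script to your computer
# 2. RECOMMENDED: Disconnect the Internet cable (DSL/Cable/Fiber etc.) from your router,
#    or lock/disconnect the Internet somehow, so that your network doesn't have Internet access
# 3. Turn on your NAS
# 4. Copy the file from your computer to your NAS in any share folder
# 5. Enable SSH access (in the http://..../UI/SSH )
# 6. Login to ssh (root/welc0me) e.g. using PuTTy
# 7. Type: bash /DataVolume/shares/....path-to-this-file...../mbl_hotfix.sh
# 8. If you receive 2x "Patching OK", then you can now enable Internet again
#
# NOTE: This script only addresses the two CVEs listed below. Before
# reconnecting the device, also change the default root password from
# step 6 and switch SSH off again if you do not need it.

set -u

# The script runs as root, so a fixed name in world-writable /tmp could be
# pre-created (e.g. as a symlink) by another local account. mktemp creates a
# fresh, private file instead; the trap removes it on every exit path.
TMPFILE=$(mktemp /tmp/mbl_hotfix.XXXXXX) || {
  echo "Could not create a temporary file in /tmp" >&2
  exit 1
}
trap 'rm -f -- "$TMPFILE"' EXIT

RET=0

#######################################
# Apply one hotfix to one PHP file.
# Globals:   TMPFILE (read) - scratch file holding the patched candidate
# Arguments: $1 - CVE id, also used as the "Fixed <CVE>" marker in the file
#            $2 - file to patch
#            $3 - backup path (created only if it does not exist yet)
#            $4 - name of a filter function (stdin -> stdout) doing the edit
# Outputs:   status line on stdout, failures on stderr
# Returns:   0 if patched or already patched, 1 otherwise
#######################################
apply_hotfix() {
  local cve=$1
  local curfile=$2
  local oldfile=$3
  local filter=$4

  if [ ! -f "$curfile" ]; then
    echo "$curfile not found! Are you running this script on a WD MyBook Live ?" >&2
    return 1
  fi

  if [ ! -f "$oldfile" ]; then
    # Create backup. Without a backup the in-place overwrite below could not
    # be undone, so a failed copy aborts this hotfix instead of being ignored.
    if ! cp -rp -- "$curfile" "$oldfile"; then
      rm -f -- "$oldfile" # drop a partial copy so a re-run does not trust it
      echo "[$cve] $curfile => Patching FAILED (could not create backup)" >&2
      return 1
    fi
  fi

  if grep -q -- "Fixed $cve" "$curfile"; then
    echo "[$cve] $curfile => Already patched!"
    return 0
  fi

  if ! "$filter" < "$curfile" > "$TMPFILE"; then
    echo "[$cve] $curfile => Patching FAILED (sed failure?)" >&2
    return 1
  fi

  # sed exits 0 even when nothing matched. If the marker is missing from the
  # candidate, the file does not look like the expected firmware code; report
  # that instead of rewriting the file with unchanged content.
  if ! grep -q -- "Fixed $cve" "$TMPFILE"; then
    echo "[$cve] $curfile => Patching FAILED (expected code not found)" >&2
    return 1
  fi

  # Never install a candidate that PHP itself rejects.
  if ! php -l "$TMPFILE" > /dev/null; then
    echo "[$cve] $curfile => Patching FAILED (PHP syntax broke!)" >&2
    return 1
  fi

  # Overwrite the content rather than moving the file, so that the owner and
  # mode of the original stay as they are.
  if cat "$TMPFILE" > "$curfile" && grep -q -- "Fixed $cve" "$curfile"; then
    echo "[$cve] $curfile => Patching OK"
    return 0
  fi

  echo "[$cve] $curfile => Patching FAILED (permission issue?)" >&2
  return 1
}

# =========================================================
# Fix CVE-2018-18472 (Root command execution)
# =========================================================
# The request's "language" value is interpolated into a command line that is
# run through "sudo bash -c". The hotfix puts an allow-list check (two lower
# case letters, underscore, two upper case letters) in front of both exec()
# calls and returns 'BAD_REQUEST' for everything else.
#
# NOTE(review): in PCRE, "$" without the D modifier also matches before one
# trailing newline, so the check accepts e.g. "en_US" followed by a newline.
# Anchoring with \z (or adding the D modifier) would be stricter. The
# expression is left exactly as published in this revision.

# --- /var/www/Admin/webapp/includes/languageConfiguration.old    2012-04-20 02:14:27.000000000 +0200
# +++ /var/www/Admin/webapp/includes/languageConfiguration.php    2021-06-30 22:51:52.021025787 +0200
# @@ -83,1 +83,2 @@
# +  if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $changes["language"], $dummy)) return 'BAD_REQUEST'; // Fixed CVE-2018-18472
#    exec("sudo bash -c '(echo \"language {$changes["language"]}\">/etc/language.conf)'", $output, $retVal);
# @@ -107,1 +108,2 @@
# +  if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $lang["language"], $dummy)) return 'BAD_REQUEST'; // Fixed CVE-2018-18472
#    exec("sudo bash -c '(echo \"language {$lang["language"]}\">/etc/language.conf)'", $output, $retVal);

# Filter: insert the validation line in front of both exec() calls.
# Both expressions run in one sed process, so a failure of either one is
# visible in the exit status (a pipeline would only report the last stage).
patch_language_config() {
  sed \
    -e 's@exec("sudo bash -c '"'"'(echo \\"language {\$changes@if (!preg_match('"'"'/^[a-z]{2}_[A-Z]{2}$/'"'"', $changes["language"], $dummy)) return '"'"'BAD_REQUEST'"'"'; // Fixed CVE-2018-18472\n\t\texec("sudo bash -c '"'"'(echo \\"language {\$changes@gi' \
    -e 's@exec("sudo bash -c '"'"'(echo \\"language {\$lang@if (!preg_match('"'"'/^[a-z]{2}_[A-Z]{2}$/'"'"', $lang["language"], $dummy)) return '"'"'BAD_REQUEST'"'"'; // Fixed CVE-2018-18472\n\t\texec("sudo bash -c '"'"'(echo \\"language {\$lang@gi'
}

apply_hotfix "CVE-2018-18472" \
  "/var/www/Admin/webapp/includes/languageConfiguration.php" \
  "/var/www/Admin/webapp/includes/languageConfiguration.old" \
  patch_language_config || RET=1

# =========================================================
# Fix CVE-2021-35941 (Factory reset without authentication)
# =========================================================
# The 'system_factory_restore' entry in the component table has no third
# array element. The hotfix adds $ADMIN_AUTH_LAN_ALL there.
# NOTE(review): presumably that element is the access requirement the web
# application enforces for the component; confirm against the other entries
# in component_config.php.

# --- /var/www/Admin/webapp/includes/component_config.old 2015-05-08 02:52:55.000000000 +0200 (03:23:25.000000000 for Duo)
# +++ /var/www/Admin/webapp/includes/component_config.php 2021-06-30 22:24:49.655723934 +0200
# @@ -114 +114 @@
# -  'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore'),
# +  'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore', $ADMIN_AUTH_LAN_ALL), // Fixed CVE-2021-35941

# Filter: append the access requirement to the factory-restore entry.
patch_component_config() {
  sed "s@'System_factory_restore'),@'System_factory_restore', \$ADMIN_AUTH_LAN_ALL), // Fixed CVE-2021-35941@g"
}

apply_hotfix "CVE-2021-35941" \
  "/var/www/Admin/webapp/includes/component_config.php" \
  "/var/www/Admin/webapp/includes/component_config.old" \
  patch_component_config || RET=1

# Non-zero as soon as one of the two hotfixes could not be applied.
exit $RET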