Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

This document describes a chain of vulnerabilities that were found by Pedro Ribeiro and Radek Domanski and intended to be presented at Zero Day Initiative Pwn2Own Tokyo 2020 competition in November 2020.

The vulnerabilities described in this document are present in the network attached storage (NAS) device Western Digital My Cloud Pro Series PR4100 (PR4100), on firmware versions up to and including 2.40.157.

The default configuration is exploitable by an unauthenticated attacker, who can achieve remote code execution as root on the PR4100. The exploit creates a persistent backdoor, which gives the attacker full control of the device even after a reboot. Weekend destroyer - RCE in Western Digital PR4100 NAS