SSD Advisory – TerraMaster TOS Unauthenticated Remote Command Execution

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes a unauthenticated remote command execution found in TerraMaster TOS 3.0.33.

TOS is a “Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.”

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor stated that version 3.1.03 of TerraMaster TOS is no longer vulnerable to this vulnerability, the latest version of the software can be obtained from: http://download.terra-master.com/download.php.

Vulnerability details
User controlled input is not sufficiently filtered and unauthenticated user can execute commands as root by sending a POST request to http://IP/include/ajax/GetTest.php with the following parameters:

  • dev=1
  • testtype=;COMMAND-TO-RUN;
  • submit=Send

We can see in the source code that the value of parameter testtype will assign to $line and will execute by shell_exec()

Proof of Concept



*** This is a Security Bloggers Network syndicated blog from SecuriTeam Blogs authored by SSD / Maor Schwartz. Read the original post at: https://blogs.securiteam.com/index.php/archives/3602