h00die-gr3y's assessment of CVE-2022-24990

Description

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

Add Assessment

cbeek-r7 (156)

July 26, 2024 7:31pm UTC (4 hours ago)

Ratings

Observed in State-sponsored attacks

Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

h00die-gr3y (111)

June 10, 2023 8:21am UTC (1 year ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

This is the third exploit a.k.a. TerrorMaster 3 targeting TerraMaster NAS devices running TerraMaster Operating System (TOS) 4.2.29 or lower.

Octagon Networks published in March 2022 an analysis CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation explaining a chain of vulnerabilities that makes all TerraMaster NAS servers running TOS version 4.2.29 and lower vulnerable for an unauthenticated RCE.

It basically combines CVE-2022-24990: Leaking sensitive information and CVE-2022-24989: Authenticated remote code execution to achieve an unauthenticated RCE by exploiting vulnerable endpoint api.php?mobile/webNasIPS leaking sensitive information such as admin password hash and mac address to achieve unauthenticated access and use the vulnerable endpointapi.php?mobile/createRaid with POST parameters raidtype / diskstring to execute remote code as root on TerraMaster NAS devices.

As usual, you can find the third module here in my local repository or as PR 18086 submitted at the Metasploit Github development.

With release of TOS 5.x, all of these vulnerabilities are now mitigated, but I would not be surprised that in the near future, some new exploits will come to surface looking back at the ugly history of TerraMaster flaws in the past.

Mitigation

Please update your TOS version up to the latest supported TOS 4.2.x version or TOS 5.x version to be protected against all known vulnerabilities and do NOT to expose your TerraMaster NAS devices directly to the Internet.

References

CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation
POC 0xf4n9x
CVE-2022-24990
CVE-2022-24989
TerrorMaster 3 – h00die-gr3y Metasploit local repository
TerrorMaster 3 – Metasploit PR 18086
TerrorMaster 1
TerrorMaster 2

Credits

Octagon Networks
0xf4n9x

See More &1 replySee Less

Martingoodnews (0) June 29, 2023 12:11pm UTC (1 year ago)

This is a quality and nice blog post that you have composed here. Are you in search of the right blog on how to apply for Nonprofit Grants, and the article that best explains and gives more guides on how you can go through it. Then you are in the right place for that. All you need to do is to visit my blog for contents related to this topic.
https://www.makeoverarena.com/how-to-apply-for-nonprofit-grants

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

terra-master

Products

terramaster operating system

Metasploit Modules

exploit/linux/http/terramaster_unauth_rce_cve_2022_24990 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa23-040a)
Threat Feed (https://cybersecurityworks.com/blog/cyber-risk/csws-threat-intelligence-february-6-2022-february-10-2022.html)

Reported: February 09, 2023 6:27pm UTC (1 year ago) • Edited 1 year ago

mkienow-r7 indicated sources as

Vendor Advisory (https://forum.terra-master.com/en/viewtopic.php?t=3030)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: February 10, 2023 6:36pm UTC (1 year ago) • Edited 1 year ago

h00die-gr3y indicated source as News Article or Blog (https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.html)

Reported: June 10, 2023 8:21am UTC (1 year ago) • Edited 1 year ago

References

Canonical

CVE-2022-24990 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24990)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-24990 (https://github.com/lishang520/CVE-2022-24990) (Added by AKB Worker)

CVE-2022-24990-TerraMaster-TOS--PHP- (https://github.com/Jaky5155/CVE-2022-24990-TerraMaster-TOS--PHP-) (Added by AKB Worker)

Miscellaneous

https://forum.terra-master.com/en/viewforum.php?f=28

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732

https://github.com/0xf4n9x/CVE-2022-24990

https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/

http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html

Rapid7

Very High

CVE-2022-24990

Very High

Very High

None

None

Network

CVE-2022-24990

Description