CVE-2020-28188
Description
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via /include/makecvs.php in the Event parameter.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Noted as exploited in the wild by CheckPoint Research at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/, who noted an exploit for this vulnerability was being used as part of a botnet building operation.
Looking into their writeup, they note that remote unauthenticated attackers can use this vulnerability to take over the TerraMaster TOS operating system via command injection in the event parameter in the /include/makecvs.php page. Interestingly they don’t specify the user the attacker’s injected command will run as, but they do include a very useful screenshot which shows that a GET request to /include/makecve.php?Event=%60, followed by the command the attacker wishes to execute, followed by another %60, will allow for arbitrary command injection. %60 is `, which suggests that the command being executed may have been enclosed in backticks, and that by escaping these backticks, the attacker is able to execute arbitrary commands.
Users can patch this vulnerability by upgrading to version 4.2.06 of Terramaster TOS on their NAS devices. Given the severity of this bug and evidence of exploitation in the wild, it is strongly encouraged to patch this vulnerability as soon as possible.
Technical Analysis
Please see the Rapid7 analysis. CVE-2020-28188 is being used in the “FreakOut” attack campaign.
Technical Analysis
Description
On December 12, 2020, IHTeam disclosed an unauthenticated remote command execution (RCE) vulnerability, CVE-2020-28188, in TerraMaster’s TOS (the operating system that runs their Network Attached Storage devices). The vulnerability arises from a lack of input validation in the Event parameter in the include/makecvs.php page, which allows attackers to gain control of the system.
According to a CheckPoint research blog, CVE-2020-28188 is being exploited in the wild by malicious actors to create an IRC botnet. This attack campaign has been dubbed “FreakOut.” A public proof-of-concept (PoC) consisting of a single GET request has been available since December 12, 2020.
Affected products
TerraMaster TOS (versions 4.2.06 and prior)
Rapid7 analysis
CVE-2020-28188 is remotely and trivially exploitable and gives an attacker root privileges on the vulnerable target system. The poorly sanitized Event parameter in the makecvs.php page is used directly in the server command line, and the TOS web service runs with root privileges. Since the web service allows running PHP files, attackers have a readily available vector for uploading a PHP shell.
Guidance
TerraMaster customers who have TerraMaster TOS instances that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure TerraMaster TOS is not exposed to the internet until the appropriate patches have been applied.
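The injection mechanism described above (shell metacharacters such as backticks arriving in the Event parameter of /include/makecvs.php) and the guidance to investigate internet-facing TOS devices for signs of compromise both lend themselves to a simple log check. The following Python script is an added example, not code from AttackerKB, Rapid7, CheckPoint or TerraMaster: it parses web-server access-log lines in common log format (the log format and the sample lines are constructed assumptions for illustration), URL-decodes the Event parameter of requests to the vulnerable page, and flags any value containing shell metacharacters.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); the IPs are
# documentation addresses and the requests are made up for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2021:10:01:22 +0000] "GET /include/makecvs.php?Event=%60id%60 HTTP/1.1" 200 512
192.0.2.11 - - [15/Jan/2021:10:02:05 +0000] "GET /include/makecvs.php?Event=backup HTTP/1.1" 200 2048
192.0.2.12 - - [15/Jan/2021:10:03:44 +0000] "GET /index.php?Event=%60id%60 HTTP/1.1" 200 1024
192.0.2.13 - - [15/Jan/2021:10:04:01 +0000] "GET /include/makecvs.php?Event=x%3Bid HTTP/1.1" 500 0
"""

# Common-log-format line: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value escape a shell command line; a legitimate
# event name has no reason to contain any of them.
SHELL_META = re.compile(r'[`;|&$(){}<>\n]')

VULN_PATH = '/include/makecvs.php'


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_makecvs_injection(target):
    """True if the request targets the vulnerable page with an Event value that,
    after URL-decoding (twice, to catch double encoding), contains shell metacharacters."""
    parts = urlsplit(target)
    if parts.path.lower() != VULN_PATH:
        return False
    # parse_qs already decodes one layer of percent-encoding
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() != 'event':
            continue
        for value in values:
            if SHELL_META.search(unquote(value)):
                return True
    return False


def scan_log(text):
    """Return (client_ip, request_target) for every line that looks like an injection attempt."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_makecvs_injection(rec['target']):
            hits.append((rec['ip'], rec['target']))
    return hits


if __name__ == '__main__':
    for ip, target in scan_log(SAMPLE_LOG):
        print(f'suspicious makecvs.php request from {ip}: {target}')
```

The path comparison is case-insensitive and the Event value is decoded a second time so that a double-encoded backtick (%2560) is not missed; the benign request with Event=backup and the request to a different page are left alone. Run it against a real TOS web-server log by replacing SAMPLE_LOG with the file contents.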