TerraMaster NAS devices are affected by a remote command execution vulnerability that allows an unauthenticated attacker to execute commands as root. CISA's catalog entry tracks it as CVE-2022-24990 and describes it as exploited via PHP object instantiation (the api.php router instantiates whatever class the request names, as described below). In practice, root command execution is reached by chaining CVE-2022-24990, an unauthenticated leak of the admin password hash, with CVE-2022-24989, an OS command injection.
CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog and urges users to patch it promptly.
NAS (network-attached storage) is a storage device attached to a network that lets authorized users and clients store and retrieve data from a central location. It offers many of the benefits of public cloud storage on-site: lower latency, lower recurring cost, and full control over the data.
The vulnerability exists due to improper input validation in the api.php script's handling of the mobile class: the webNasIPS method discloses the admin password hash without authentication, and the createRaid method passes attacker-controlled input to a shell. An unauthenticated, remote attacker can chain the two by sending specially crafted requests and execute arbitrary commands as root on the target system.
Security researchers at Octagon Networks combined two vulnerabilities (CVE-2022-24989 and CVE-2022-24990) to gain unauthenticated remote command execution as root on vulnerable TerraMaster NAS devices.
PHP Script Analysis
The vulnerable PHP script /usr/www/module/api.php parses the URI with its router function. For a request of the form http://target/module/api.php?XXXX/YYYY, the router splits the query string so that $class is XXXX and $function is YYYY.
The function name is then checked against the NO_LOGIN_CHECK array; if it is not there, REQUEST_MODE is set to 1 (otherwise it stays 0). The router then instantiates the class named by $class and calls the method named by $function. This is the PHP object instantiation referred to in the CVE description.
The PHP script /usr/www/include/class/mobile.class.php has two arrays of method names, $notCheck and $notHeader.
The class constructor makes three checks:
- If the invoked method is not in the $notHeader array, the constructor requires the User-Agent HTTP header to be ‘TNAS’ and the AUTHORIZATION header to equal $this->REQUESTCODE.
- It then checks whether the user is logged in and, if not, whether REQUEST_MODE was set by the router (i.e. whether the method requires a login).
- Finally, it checks whether the method name is in $notCheck.
CVE-2022-24990: Information Leak
The seven functions “webNasIPS,” “getDiskList,” “createRaid,” “getInstallStat,” “getIsConfigAdmin,” “setAdminConfig,” and “isConnected” are in the NO_LOGIN_CHECK array in api.php, so for them REQUEST_MODE remains 0 and the login check in mobile.class.php is passed. Of the seven, webNasIPS is the only function present in both the $notCheck and $notHeader arrays of the mobile.class.php constructor, so it passes the two remaining checks as well and can be called with no authentication at all.
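To make the interaction between the api.php router and the three constructor checks concrete, here is a small Python model of the logic described in the two sections above. It is an added illustration, not TerraMaster code: only the array memberships the analysis states (webNasIPS in both arrays, createRaid in $notCheck only) are modelled, the REQUESTCODE value is a constructed placeholder, and the model assumes that a method missing from $notCheck is rejected.

```python
"""Model of the api.php router and the mobile.class.php constructor checks.
Added illustration; array contents beyond those stated in the analysis,
the hash value and the behaviour of the final $notCheck check are assumed."""
from dataclasses import dataclass

# Methods exempt from the login check in api.php (the seven named above).
NO_LOGIN_CHECK = {"webNasIPS", "getDiskList", "createRaid", "getInstallStat",
                  "getIsConfigAdmin", "setAdminConfig", "isConnected"}
# mobile.class.php arrays: only the memberships the analysis states are modelled.
NOT_HEADER = {"webNasIPS"}               # skip the User-Agent/AUTHORIZATION check
NOT_CHECK = {"webNasIPS", "createRaid"}  # pass the final check (others assumed denied)

# Constructed placeholder for $this->REQUESTCODE (the admin password hash).
REQUESTCODE = "5f4dcc3b5aa765d61d8327deb882cf99"


@dataclass
class Request:
    query: str                 # "mobile/createRaid" from api.php?mobile/createRaid
    user_agent: str = ""
    authorization: str = ""
    logged_in: bool = False


def route(query):
    """api.php router: split 'class/function' and decide REQUEST_MODE."""
    cls, _, func = query.partition("/")
    request_mode = 0 if func in NO_LOGIN_CHECK else 1
    return cls, func, request_mode


def mobile_constructor(req):
    """Return (allowed, reason) for a request reaching the mobile class."""
    cls, func, request_mode = route(req.query)
    if cls != "mobile":
        return False, "not the mobile class"
    # Check 1: header gate, skipped only for methods listed in $notHeader.
    if func not in NOT_HEADER:
        if req.user_agent != "TNAS" or req.authorization != REQUESTCODE:
            return False, "User-Agent/AUTHORIZATION check failed"
    # Check 2: login gate, enforced only when the router set REQUEST_MODE.
    if not req.logged_in and request_mode == 1:
        return False, "login required"
    # Check 3: method must be listed in $notCheck to proceed (assumption).
    if func not in NOT_CHECK:
        return False, "method not in $notCheck"
    return True, "ok"


def web_nas_ips():
    """Constructed stand-in for the webNasIPS response; PWD echoes REQUESTCODE."""
    return {"version": "TOS 4.2.29", "PWD": REQUESTCODE}


def chain():
    """Unauthenticated webNasIPS leaks PWD, which then satisfies createRaid's gate."""
    step1 = mobile_constructor(Request("mobile/webNasIPS"))
    pwd = web_nas_ips()["PWD"] if step1[0] else ""
    blocked = mobile_constructor(Request("mobile/createRaid"))
    step2 = mobile_constructor(
        Request("mobile/createRaid", user_agent="TNAS", authorization=pwd))
    return step1, blocked, step2


if __name__ == "__main__":
    for label, result in zip(("webNasIPS", "createRaid bare", "createRaid + PWD"), chain()):
        print(f"{label}: {result}")
```

The point the model makes is that the AUTHORIZATION gate is the only thing standing between an anonymous client and createRaid, and that gate compares against a value webNasIPS hands out to anyone.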
The function webNasIPS returns the following data:
- TOS firmware version
- IP and MAC address of the default gateway interface
- Running services with their binding address and ports information
- A variable $pwd with the value of $this->REQUESTCODE (set in application.class.php).
The _getpassword function shows that REQUESTCODE is the admin password hash, which makes this information leak critical: any method gated only on the AUTHORIZATION header is now reachable.
CVE-2022-24989: OS Command Injection
Since webNasIPS returns REQUESTCODE without authentication, an attacker can supply it in the AUTHORIZATION header (together with User-Agent: TNAS) and call createRaid, one of the seven functions. createRaid is present in NO_LOGIN_CHECK and $notCheck but not in $notHeader, so that header is all it needs to pass the constructor checks.
The createRaid function takes two POST parameters, raidtype and diskstring, and calls $vol->volume_make_from_disks with the value of raidtype as the first parameter.
volume_make_from_disks inserts that first parameter into a command string and passes it to $this->fun->_backexec.
_backexec hands the string it receives to popen without sanitization, so shell metacharacters in raidtype are interpreted by the shell. This is the OS command injection.
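The createRaid → volume_make_from_disks → _backexec flow, modelled in Python as an added example (not TerraMaster code) with the vulnerable shape beside a hardened one. The command template, the accepted RAID levels and the disk-name pattern are placeholders; the write-up does not show the real command string or the values TOS accepts.

```python
"""Added illustration of an _backexec-style popen call versus hardened handling.
Not TerraMaster code: command template, RAID levels and disk pattern are assumed."""
import re
import shlex
import subprocess

# Placeholder for the command string raidtype is interpolated into.
COMMAND_TEMPLATE = "echo make-volume --type {raidtype} --disks {diskstring}"

# Assumed allowlist of RAID levels and disk names; the real set is TOS-specific.
RAIDTYPE_ALLOWLIST = {"single", "jbod", "raid0", "raid1", "raid5", "raid6", "raid10"}
DISK_NAME = re.compile(r"^sd[a-z]+$")


def backexec_vulnerable(raidtype, diskstring):
    """Mirrors _backexec: interpolate untrusted input straight into a shell string."""
    return COMMAND_TEMPLATE.format(raidtype=raidtype, diskstring=diskstring)


def run_vulnerable(raidtype, diskstring):
    """popen equivalent: the shell parses the string, so ';', '|', '$(...)' all work."""
    cmd = backexec_vulnerable(raidtype, diskstring)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate(raidtype, diskstring):
    """Reject anything outside the expected vocabulary before it nears a shell."""
    if raidtype not in RAIDTYPE_ALLOWLIST:
        raise ValueError(f"unexpected raidtype {raidtype!r}")
    disks = diskstring.split(",")
    if not all(DISK_NAME.match(d) for d in disks):
        raise ValueError(f"unexpected diskstring {diskstring!r}")
    return raidtype, disks


def backexec_hardened(raidtype, diskstring):
    """Validated input plus an argv list: no shell ever parses the values."""
    raidtype, disks = validate(raidtype, diskstring)
    return ["echo", "make-volume", "--type", raidtype, "--disks", ",".join(disks)]


def run_hardened(raidtype, diskstring):
    return subprocess.run(backexec_hardened(raidtype, diskstring),
                          capture_output=True, text=True).stdout


def backexec_quoted(raidtype, diskstring):
    """If a shell string is unavoidable, quote each value so it stays one word."""
    return COMMAND_TEMPLATE.format(raidtype=shlex.quote(raidtype),
                                   diskstring=shlex.quote(diskstring))


if __name__ == "__main__":
    payload = "raid1; id"   # constructed injection payload in the raidtype parameter
    print(run_vulnerable(payload, "sda,sdb"))       # second command executes
    print(backexec_quoted(payload, "sda,sdb"))      # payload becomes a single argument
    try:
        run_hardened(payload, "sda,sdb")
    except ValueError as err:
        print("rejected:", err)
    print(run_hardened("raid1", "sda,sdb"))
```

Allowlisting raidtype is the right fix here because the parameter has a small, known vocabulary; quoting with shlex.quote (escapeshellarg in PHP) is the fallback when the command must stay a shell string, and passing an argv list removes the shell from the path entirely.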
TerraMaster NAS devices running TOS version 4.2.29 and prior are affected by this vulnerability.
Customers are advised to upgrade to version 4.2.31 or later to patch the vulnerability. For more information about the mitigation, please refer to the TerraMaster Official Forum.
Qualys customers can scan their devices with QID 730726 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.