10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.939 High
EPSS
Percentile
99.2%
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
Recent assessments:
h00die-gr3y at June 06, 2023 6:58am UTC reported:
This is the second module in the sequel of TerrorMaster releases. TerrorMaster 2 is based on the vulnerability analysis work of n0tme that was conducted in December 2021 during Christmas time. N0tme discovered a few new vulnerabilities on the TerraMaster F2-210 and F4-210 model and chained them together into an unauthenticated RCE.
The full analysis can be found here: How to summon RCEs.
In this article, I will only quickly summarize the RCE chain and introduce the Metasploit module.
The Terramaster chained exploit uses session crafting to achieve escalated privileges that allows an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected.
CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system as well as other information such as MAC address, by performing a POST request to the /module/api.php?mobile/webNasIPS vulnerable endpoint.
This information is used to craft an unauthenticated admin session using CVE-2021-45841 where an attacker can self-sign session cookies by knowing the target MAC address and the user password hash.
Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest. This is used to download the /etc/group info to obtain the list of admin users, used to establish an unauthenticated admin session thru session crafting…
Finally, CVE-2021-45837 is exploited to execute arbitrary commands as root by sending a specifically crafted input to vulnerable endpoint /tos/index.php?app/del.
I slightly modified the original POC where the vulnerable endpoint /module/api.php?mobile/wapNasIPS was used to obtain the admin hash. In some cases, it did not provide this info, whilst endpoint /module/api.php?mobile/webNasIPS has proven to be more reliable.
As usual, you can find the module here in my local repository or as PR 18070 at the Metasploit Github development.
Please update your TOS version up to the latest supported TOS 4.2.x version or TOS 5.x version to be protected against all known vulnerabilities and do NOT expose your TerraMaster NAS devices directly to the Internet.
How to summon RCEs by n0tme
CVE-2021-45839
CVE-2021-45841
CVE-2021-45837
TerrorMaster 2 - h00die-gr3y Metasploit local repository
TerrorMaster 2 - Metasploit PR 18070
TerrorMaster 1
TerrorMaster 3
N0tme
Assessed Attacker Value: 5
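Added example, not part of the assessment or of the Metasploit module: a check a defender could run over the NAS web server's access log for the three endpoints named above, flagging any client that requests an information-leak endpoint and then /tos/index.php?app/del. The combined log format, the 10-minute correlation window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoints named in the assessment, mapped to their stage in the chain.
STAGES = {
    "/module/api.php?mobile/webNasIPS": "info_leak",  # CVE-2021-45839
    "/module/api.php?mobile/wapNasIPS": "info_leak",  # used by the original PoC
    "/tos/index.php?app/del": "command_exec",         # CVE-2021-45837
}
# Assumption: access log in nginx/Apache "combined" format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<uri>\S+)')
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse(line):
    """Return (ip, time, stage) for a request to a listed endpoint, else None."""
    m = LINE.match(line)
    if not m:
        return None
    stage = next((s for p, s in STAGES.items() if m["uri"].startswith(p)), None)
    if stage is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), stage

def detect(lines):
    """One 'probe' alert per matching request, plus a 'chain' alert when the
    same client hits an info-leak endpoint and then app/del within WINDOW."""
    alerts, last_leak = [], {}
    for ip, ts, stage in filter(None, map(parse, lines)):
        alerts.append({"type": "probe", "ip": ip, "stage": stage, "time": ts})
        if stage == "info_leak":
            last_leak[ip] = ts
        elif ip in last_leak and timedelta(0) <= ts - last_leak[ip] <= WINDOW:
            alerts.append({"type": "chain", "ip": ip, "time": ts})
    return alerts

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Jun/2023:06:58:01 +0000] "POST /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Jun/2023:06:58:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [06/Jun/2023:06:58:09 +0000] "POST /tos/index.php?app/del HTTP/1.1" 200 17',
    '192.0.2.55 - - [06/Jun/2023:07:30:00 +0000] "POST /tos/index.php?app/del HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["type"], a["ip"], a.get("stage", "leak_then_exec"), a["time"].isoformat())
```

Any hit on these endpoints from outside the management network is worth reviewing on its own; the chain alert marks the sequence the assessment describes.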