
CVE-2022-24989

Published: 20/08/2023 Updated: 24/08/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

TerraMaster NAS up to and including 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters, which are used for PHP object instantiation in the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) Credentials obtained by exploiting CVE-2022-24990 can be used to reach this endpoint.

Vulnerable Products

terra-master terramaster_operating_system


Metasploit Modules

TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989

This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29 and lower by chaining two existing vulnerabilities: CVE-2022-24990, "Leaking sensitive information", and CVE-2022-24989, "Authenticated remote code execution". The vulnerable endpoint `api.php?mobile/webNasIPS` leaks sensitive information such as the admin password hash and the MAC address; with that information an attacker can gain unauthenticated access and then use the second vulnerable endpoint, `api.php?mobile/createRaid`, with the POST parameters `raidtype` and `diskstring` to execute code as root on TerraMaster NAS devices.

msf > use exploit/linux/http/terramaster_unauth_rce_cve_2022_24990
msf exploit(terramaster_unauth_rce_cve_2022_24990) > show targets
    ...targets...
msf exploit(terramaster_unauth_rce_cve_2022_24990) > set TARGET < target-id >
msf exploit(terramaster_unauth_rce_cve_2022_24990) > show options
    ...show and set options...
msf exploit(terramaster_unauth_rce_cve_2022_24990) > exploit