AttackerKB record AKB:619C4947-1ADD-4EB8-BEA5-40929CC9712E
History: Apr 25, 2022 - 12:00 a.m.

CVE-2021-45837

2022-04-25 00:00:00
attackerkb.com

9.8 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

0.938 High (EPSS)
Percentile: 98.8%

It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.

Recent assessments:

h00die-gr3y at June 06, 2023 6:58am UTC reported:

This is the second module in the sequel of TerrorMaster releases.

TerrorMaster 2 is based on the vulnerability analysis work of n0tme that was conducted in December 2021 during Christmas time.
N0tme discovered a few new vulnerabilities on the TerraMaster F2-210 and F4-210 models and chained them together into an unauthenticated RCE.
The full analysis can be found here: How to summon RCEs.

In this article, I will only quickly summarize the RCE chain and introduce the Metasploit module.

The Terramaster chained exploit uses session crafting to achieve escalated privileges that allow an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected.
CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system, as well as other information such as the MAC address, by performing a POST request to the vulnerable /module/api.php?mobile/webNasIPS endpoint.
This information is used to craft an unauthenticated admin session using CVE-2021-45841, where an attacker can self-sign session cookies by knowing the target MAC address and the user password hash.
Guest users (disabled by default) can be abused using a null/empty hash, allowing an unauthenticated attacker to log in as guest. This is used to download the /etc/group info to obtain the list of admin users, used to establish an unauthenticated admin session through session crafting…

Finally, CVE-2021-45837 is exploited to execute arbitrary commands as root by sending a specifically crafted input to vulnerable endpoint /tos/index.php?app/del.

I slightly modified the original PoC, where the vulnerable endpoint /module/api.php?mobile/wapNasIPS was used to obtain the admin hash. In some cases, it did not provide this info, whilst the endpoint /module/api.php?mobile/webNasIPS has proven to be more reliable.

As usual, you can find the module here in my local repository or as PR 18070 in the Metasploit GitHub development branch.

Mitigation

Please update your TOS version to the latest supported TOS 4.2.x version or TOS 5.x version to be protected against all known vulnerabilities, and do NOT expose your TerraMaster NAS devices directly to the Internet.

References

How to summon RCEs by n0tme
CVE-2021-45839
CVE-2021-45841
CVE-2021-45837
TerrorMaster 2 – h00die-gr3y Metasploit local repository
TerrorMaster 2 – Metasploit PR 18070
TerrorMaster 1
TerrorMaster 3

Credits

N0tme

Assessed Attacker Value: 5
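Added detection example, not part of the assessment above or of the Metasploit module: a small Python checker that walks web-server access log lines for the endpoints named in the assessment and reports source IPs that hit the webNasIPS/wapNasIPS information-leak endpoint and then the /tos/index.php?app/del sink, the order the chain is described in. The combined access-log layout and the sample lines are assumptions constructed for the example; a TerraMaster device's own log format may differ.

```python
import re

# Endpoints named in the assessment above. On TOS the query string selects the
# controller, so it is matched as part of the request target.
INFO_LEAK = ("/module/api.php?mobile/webNasIPS", "/module/api.php?mobile/wapNasIPS")
COMMAND_SINK = ("/tos/index.php?app/del",)
# Combined access-log layout; an assumption, the NAS's own log format may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic), using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Apr/2022:10:01:02 +0000] "POST /module/api.php?mobile/webNasIPS HTTP/1.1" 200 412 "-" "python-requests/2.27"
198.51.100.7 - - [25/Apr/2022:10:01:05 +0000] "POST /tos/index.php?app/del HTTP/1.1" 200 57 "-" "python-requests/2.27"
192.0.2.44 - - [25/Apr/2022:10:02:00 +0000] "GET /tos/index.php?user/login HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Apr/2022:10:02:30 +0000] "POST /tos/index.php?app/del HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return (ip, stage) when the line hits a chain endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if target.startswith(INFO_LEAK):
        return m.group("ip"), "info_leak"
    if target.startswith(COMMAND_SINK):
        return m.group("ip"), "command_sink"
    return None

def find_chains(lines):
    """Per source IP, list the stages hit and flag 'chained' when the info-leak
    endpoint was hit before the app/del sink, the order the assessment describes."""
    seen = {}
    for line in lines:
        hit = classify(line)
        if hit:
            seen.setdefault(hit[0], []).append(hit[1])
    report = {}
    for ip, stages in seen.items():
        chained = "info_leak" in stages and "command_sink" in stages[stages.index("info_leak"):]
        report[ip] = {"stages": stages, "chained": chained}
    return report

if __name__ == "__main__":
    for ip, result in find_chains(SAMPLE_LOG.splitlines()).items():
        print(ip, result)
```

A lone hit on app/del is not conclusive, since an authenticated admin removing an application uses the same endpoint; the info-leak request preceding it from the same source is what distinguishes the chain.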
