Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:8CEF2EB7-4C6A-4150-8476-E8832F06341F
HistoryDec 23, 2020 - 12:00 a.m.

CVE-2020-35665

2020-12-2300:00:00
attackerkb.com
12

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.972 High

EPSS

Percentile

99.8%

JSON

An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.

Recent assessments:

h00die-gr3y at June 05, 2023 9:49am UTC reported:

Last two weeks, I spent some time on a TerraMaster F2-221 NAS server that I got from an old friend running TerraMaster Operating System (TOS) 4.x.
Research on the Internet shows that this server is full with vulnerabilities up to TOS 4.2.29. Surprisingly, no Metasploit modules were made to exploit these NAS servers and there are still plenty of vulnerable NAS servers connected to the Internet.

So I took the liberty to write three nice modules that exploits these NAS servers targeting different vulnerabilities.
This article is covering the first of three modules, called TerrorMaster 1 like we do with “good” movies released in the cinema. You can find the articles on TerrorMaster 2 here and TerrorMaster 3 here.

In December 2020, the IHTeam reported multiple vulnerabilities on TerraMaster NAS devices running TOS version 4.2.06 or lower.
You can read their analysis/advisory here.

TerrorMaster 1 is exploiting a vulnerability described in CVE-2020-35665 or CVE-2020-28188 that allows an unauthenticated attacker to create /upload a webshell via shell metacharacters in the Event parameter using the vulnerable endpoint include/makecvs.php during the CSV creation process.

You can find the module here in my local repository or as PR 18063 at the Metasploit Github development.

Mitigation

Please update your TOS version up to the latest supported TOS 4.2.x version or TOS 5.x version to be protected against all known vulnerabilities.
I strongly advice NOT to expose your TerraMaster NAS devices directly to the Internet, because you could end-up in a situation depicted below where your server has become a victim of ransomware.
Ransomeware.

References

IHTeam advisory
TerrorMaster 1 – h00die-gr3y Metasploit local repository
TerrorMaster 1 – Metasploit PR 18063
TerrorMaster 2
TerrorMaster 3

Credits

IHTeam

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5

Related

attackerkb 4
packetstorm 3
zdt 2
nuclei 2
prion 5
cve 5
metasploit 3
checkpoint_advisories 1
githubexploit 6
cnvd 1
cisa_kev 1
thn 4
openvas 2
nessus 1
rapid7blog 1
impervablog 1
threatpost 2
ics 1
attackerkb
attackerkb
CVE-2022-24990
2023-02-07 00:00:00
CVE-2021-45837
2022-04-25 00:00:00
CVE-2020-28188
2020-12-24 00:00:00
packetstorm
packetstorm
TerraMaster TOS 4.2.06 Remote Code Execution
2023-06-12 00:00:00
TerraMaster TOS 4.2.29 Remote Code Execution
2023-06-13 00:00:00
TerraMaster TOS 4.2.15 Remote Code Execution
2023-06-12 00:00:00
zdt
zdt
TerraMaster TOS 4.2.06 Remote Code Execution Exploit
2023-06-12 00:00:00
TerraMaster TOS 4.2.15 Remote Code Execution Exploit
2023-06-12 00:00:00
nuclei
nuclei
TerraMaster TOS - Unauthenticated Remote Command Execution
2021-07-19 06:13:57
TerraMaster TOS < 4.2.30 Server Information Disclosure
2022-03-08 01:05:30
prion
prion
Command injection
2020-12-23 20:15:00
Design/Logic Flaw
2022-04-25 11:15:00
Command injection
2020-12-24 15:15:00
cve
cve
CVE-2021-45837
2022-04-25 11:15:00
CVE-2022-24990
2023-02-07 18:15:09
CVE-2020-28188
2020-12-24 15:15:00
metasploit
metasploit
TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution
2023-06-05 11:19:42
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
2023-06-10 09:42:32
TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.
2023-06-06 07:07:36
checkpoint_advisories
checkpoint_advisories
TerraMaster TOS Command Injection (CVE-2020-28188)
2021-01-17 00:00:00
githubexploit
githubexploit
Exploit for Missing Authentication for Critical Function in Terra-Master Terramaster Operating System
2022-04-12 02:45:56
Exploit for Missing Authentication for Critical Function in Terra-Master Terramaster Operating System
2022-03-10 03:16:04
Exploit for Missing Authentication for Critical Function in Terra-Master Terramaster Operating System
2022-03-20 05:21:08
cnvd
cnvd
TerraMaster TOS Identity Bypass Vulnerability
2022-03-09 00:00:00
cisa_kev
cisa_kev
TerraMaster OS Remote Command Execution Vulnerability
2023-02-10 00:00:00
thn
thn
Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking
2022-03-07 16:42:00
FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities
2021-01-19 10:59:00
CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws
2023-02-11 05:45:00
openvas
openvas
Terramaster TOS < 4.2.07 Multiple Vulnerabilities - Active Check
2021-01-12 00:00:00
Terramaster TOS < 4.2.31 Multiple Information Disclosure Vulnerabilities - Active Check
2023-02-22 00:00:00
nessus
nessus
TerraMaster TOS < 4.2.30 Command Injection (CVE-2022-24990)
2023-06-02 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-06-16 20:40:51
impervablog
impervablog
Python Cryptominer Botnet Quickly Adopts Latest Vulnerabilities
2021-01-14 17:04:59
threatpost
threatpost
Linux Devices Under Attack by New FreakOut Malware
2021-01-19 15:51:30
FreakOut Botnet Turns DVRs Into Monero Cryptominers
2021-10-13 20:17:09
ics
ics
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
2023-02-09 12:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.972 High

EPSS

Percentile

99.8%

JSON
Related for AKB:8CEF2EB7-4C6A-4150-8476-E8832F06341F
attackerkb4packetstorm3zdt2nuclei2prion5cve5metasploit3checkpoint_advisories1githubexploit6cnvd1cisa_kev1thn4openvas2nessus1rapid7blog1impervablog1threatpost2ics1