## https://sploitus.com/exploit?id=8FFF6862-F858-53DB-8EF0-9CF15974E563
* CVE-2022-24990
--------
** Description
    - POC for CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation.
    - Created by antx on 2022-04-12.
--------
** Detail
    - The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
    - The vulnerability exists due to improper input validation in the webNasIPS component in the api.php script. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.
    - Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
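
An added example for defenders, not part of the original PoC repository: hunting web access logs for requests that reach api.php and name the webNasIPS component. It assumes a combined-format access log and that the component name appears in the request target; the sample lines, paths and IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Start of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded targets are normalised."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_suspect(target):
    """True when the target reaches api.php and then names webNasIPS."""
    t = decode_target(target).lower()
    idx = t.find("api.php")
    return idx != -1 and "webnasips" in t[idx:]

def hunt(lines):
    """Return {client_ip: [(status, raw_target), ...]} for matching requests."""
    hits = {}
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_suspect(m["target"]):
            hits.setdefault(m["ip"], []).append((int(m["status"]), m["target"]))
    return hits

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Apr/2022:10:01:02 +0000] "GET /api.php?webNasIPS HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Apr/2022:10:01:05 +0000] "POST /API.php?web%4easIPS HTTP/1.1" 200 87',
    '203.0.113.9 - - [12/Apr/2022:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '203.0.113.9 - - [12/Apr/2022:10:03:00 +0000] "GET /api.php?other HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, reqs in hunt(SAMPLE_LOG).items():
        print(ip, len(reqs), reqs)
```

A 200 response to such a request from an address with no prior authenticated session is the case to triage first on hosts running an affected TOS version.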
--------
** CVE Severity
    - attackComplexity: LOW
    - attackVector: NETWORK
    - availabilityImpact: HIGH
    - confidentialityImpact: HIGH
    - integrityImpact: HIGH
    - privilegesRequired: NONE
    - scope: UNCHANGED
    - userInteraction: NONE
    - version: 3.1
    - baseScore: 10.0
    - baseSeverity: CRITICAL
--------
** Affected versions
    - TerraMaster TOS
        - < 4.2.30
        - All of 4.1.x
--------
** POC
    - [[./CVE-2022-24990.py][Poc]]
--------
** Patch
    - [[https://www.terra-master.com/jp/tos/][vendor patch]]
    - [[https://www.cnvd.org.cn/patchInfo/show/324076][CNPD-2022-324076]]
    - [[http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186051][CNPD-202203-2299]]
--------
** Reference
    - Ref-Source
        - [[https://github.com/lishang520/CVE-2022-24990][CVE-2022-24990 information disclosure + RCE, end to end]]
        - [[https://www.cybersecurity-help.cz/vdb/SB2022031606][Command Injection in TerraMaster TOS]]
    - CVE
        - [[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24990][CVE-2022-24990]]
    - CNVD
        - [[https://www.cnvd.org.cn/flaw/show/CNVD-2022-17750][CNVD-2022-17750]]
    - CNNVD
        - [[http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202203-1539][CNNVD-202203-1539]]
    - Ref-Poc-Engine
        - [[https://github.com/antx-code/pocx][pocx]]