Share
## https://sploitus.com/exploit?id=8FFF6862-F858-53DB-8EF0-9CF15974E563
* CVE-2022-24990
--------
** Description
- POC for CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation.
- create by antx at 2022-04-12.
--------
** Detail
- The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
- The vulnerability exists due to improper input validation in the webNasIPS component in the api.php script. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.
- Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
--------
** CVE Severity
- attackComplexity: LOW
- attackVector: NETWORK
- availabilityImpact: HIGH
- confidentialityImpact: HIGH
- integrityImpact: HIGH
- privilegesRequired: NONE
- scope: UNCHANGED
- userInteraction: NONE
- version: 3.1
- baseScore: 10.0
- baseSeverity: CRITICAL
--------
** Affect
- TerraMaster TOS
- < 4.2.30
- All of 4.1.x
--------
** POC
- [[./CVE-2022-24990.py][Poc]]
--------
** Patch
- [[https://www.terra-master.com/jp/tos/][vendor patch]]
- [[https://www.cnvd.org.cn/patchInfo/show/324076][CNPD-2022-324076]]
- [[http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186051][CNPD-202203-2299]]
--------
** Reference
- Ref-Source
- [[https://github.com/lishang520/CVE-2022-24990][CVE-2022-24990信息泄露+RCE 一条龙]]
- [[https://www.cybersecurity-help.cz/vdb/SB2022031606][Command Injection in TerraMaster TOS]]
- CVE
- [[https://vulners.com/cve/CVE-2022-24990][CVE-2022-24990]]
- CNVD
- [[https://www.cnvd.org.cn/flaw/show/CNVD-2022-17750][CNVD-2022-17750]]
- CNNVD
- [[http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202203-1539][CNNVD-202203-1539]]
- Ref-Poc-Engine
- [[https://github.com/antx-code/pocx][pocx]]