TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://forum.terra-master.com/en/viewforum.php?f=28 | release notes |
| https://github.com/0xf4n9x/CVE-2022-24990 | exploit |
| https://packetstormsecurity.com/files/172904 | third party advisory vdb entry exploit |
| https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990 | third party advisory |
| https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation | exploit |