Vulnerability Details : CVE-2022-24989
Public exploit exists!
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Vulnerability category: Execute code
Products affected by CVE-2022-24989
We don't have affected product information for this CVE yet
Exploit prediction scoring system (EPSS) score for CVE-2022-24989
1.14%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2022-24989
- TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
  Disclosure Date: 2022-03-07
  First seen: 2023-09-11
  Module: exploit/linux/http/terramaster_unauth_rce_cve_2022_24990
  This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29 and lower by chaining two existing vulnerabilities: CVE-2022-24990 ("Leaking sensitive information") and CVE-2022-24989 ("Authenticated remote code execution").
References for CVE-2022-24989
- GitHub - 0xf4n9x/CVE-2022-24990: CVE-2022-24990 TerraMaster TOS unauthenticated RCE via PHP Object Instantiation
  https://github.com/0xf4n9x/CVE-2022-24990
- CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation - Blog | Octagon Networks
  https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation
- TOS Update Notice - TerraMaster Official Forum
  https://forum.terra-master.com/en/viewforum.php?f=28
- TerraMaster TOS 4.2.29 Remote Code Execution - Packet Storm
  https://packetstormsecurity.com/files/172904
- CVE-2022-24990 | AttackerKB
  https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990