CVE-2022-24989: Remote Code Execution in TerraMaster NAS through 4.2.30 – A Deep Dive into Exploit Details, Code Snippets, and Original Sources

TerraMaster NAS is an excellent network-attached storage solution that provides storage, file, and application management services for many users. Unfortunately, a critical security vulnerability (CVE-2022-24989) has been discovered in its firmware version 4.2.30, which could allow remote WAN attackers to execute arbitrary code as root. This vulnerability exists in the API (api.php) and is triggered when the raidtype and diskstring parameters are used without proper input sanitization.

In this long read post, we will explore the details of the CVE-2022-24989 vulnerability, analyze the code snippets responsible for the exploit, and provide original references to help security professionals and developers understand this dangerous security issue in-depth.

Vulnerability Overview

The CVE-2022-24989 security vulnerability allows a remote attacker to target TerraMaster NAS devices and execute arbitrary code with root privileges. This is achieved by sending a malicious PHP object instantiation request through the api.php?mobile/createRaid URI together with the raidtype and diskstring parameters.

It was discovered that the vulnerable code does not properly sanitize user input, allowing shell metacharacters to be inserted into the raidtype parameter. As a result, the attacker can craft a malicious payload that becomes executable when popen is called internally by the API.

The vulnerable code snippet within the TerraMaster NAS firmware can be found in the api.php file

<?php
// ...
function create_raid() {
    $raidType = $_POST['raidtype'];
    $diskString = $_POST['diskstring'];
    // Other variables ...

    // Call to the popen function, which executes the command as root
    $handle = popen("$raidType $diskString", "r");
    // ...
}
?>

As we can see, the code does not perform any input sanitization on the '$raidType' and '$diskString' variables before using them in the popen function. This would allow a remote attacker to craft a malicious payload and insert shell metacharacters within the raidtype parameter.

Exploiting the Vulnerability

To exploit this vulnerability, an attacker would need to craft a specially formatted HTTP POST request targeting the vulnerable URI (api.php?mobile/createRaid) along with the malicious parameters, like so:

POST /api.php?mobile/createRaid HTTP/1.1
Host: vulnerable-nas-device
Content-Type: application/x-www-form-urlencoded

raidtype=;+malicious_command+&diskstring=test

By sending this request, the attacker can trigger the vulnerability and execute arbitrary code with root privileges.

Additionally, the attacker can leverage another security issue (CVE-2022-24990) to obtain the login credentials of the NAS device, further expanding their reach and control over the device.

Original References

- CVE-2022-24989 – Original CVE entry from MITRE
- CVE-2022-24990 – Related CVE entry regarding credentials exploitation
- TerraMaster NAS Disclosure Notice – Disclosure notice released by the TerraMaster team

Mitigating CVE-2022-24989

To mitigate this vulnerability, it is essential to perform proper input validation and sanitization on all user-supplied data. TerraMaster should update their firmware to address this critical security issue and users running TerraMaster NAS devices must follow best practices for securing their devices, like keeping their firmware up-to-date and following strong password policies.

Conclusion

CVE-2022-24989 is a critical security issue that can allow attackers to gain complete control of a TerraMaster NAS device running firmware version 4.2.30. Developers and security professionals need to be aware of this vulnerability and take all necessary precautions to ensure their systems are secure. To stay up-to-date on the latest cybersecurity news and vulnerability disclosures, follow resources like the CVE database, and always be on alert for potential security issues in your applications and devices.

Timeline

Published on: 08/20/2023 18:15:00 UTC
Last modified on: 08/24/2023 20:52:00 UTC