TerraMaster unauthenticated RCE a.k.a. TerrorMaster 2 [CVE-2021-45837] #18070
Thanks for the module! Just some stylistic suggestions here. Since we don't have access to a TerraMaster device, could you please send pcaps that show successful exploitation for both this PR and #18063 to our mailing list, msfdev[at]metasploit.com? Thanks!
Confirmed the pcaps for this one. Will get this landed soon! Thanks!

Release Notes
This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions
This module provides a TerraMaster chained exploit that performs session crafting to achieve escalated privileges that allows an attacker to access vulnerable code execution flaws. TOS versions `4.2.15` and below are affected.

CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system as well as other information such as MAC address, by performing a `POST` request to the `/module/api.php?mobile/webNasIPS` endpoint.

This information is used to craft an unauthenticated admin session using CVE-2021-45841 where an attacker can self-sign session cookies by knowing the target MAC address and the user password hash.
Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to log in as guest which is used to download the `/etc/group` info to obtain the list of admin users, used to establish an unauthenticated admin session through session crafting.

Finally, CVE-2021-45837 is exploited to execute arbitrary commands as root by sending a specifically crafted input to vulnerable endpoint `/tos/index.php?app/del`.

This module has been tested against a TerraMaster `F2-221` Model with the specifications listed below:
x86
4.2.08

Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/linux/http/terramaster_unauth_rce_cve_2021_45837
set rhosts <ip-target>
set rport <port>
set target <0=Unix Command, 1=Linux Dropper>
exploit
`reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings

Target 0 - Unix Command
`cmd/unix/reverse_bash` session

Target 1 - Linux Dropper
`linux/x64/meterpreter/reverse_tcp` session
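
For defenders, the description above names two endpoints that can be correlated per client in web access logs. The following is an added example, not part of this PR or of Metasploit: it assumes combined-format access logs from the NAS or a proxy in front of it, the sample lines are constructed, and the constant and function names are hypothetical.

```ruby
# Added example: per-client correlation of the two endpoints named in the
# PR description. Assumption: combined-format access logs are available.
INFO_LEAK  = '/module/api.php?mobile/webNasIPS' # CVE-2021-45839 step, sent as POST
CMD_INJECT = '/tos/index.php?app/del'           # CVE-2021-45837 step

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample input (documentation address ranges, invented timestamps).
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [01/Jun/2023:10:00:01 +0000] "GET /tos/index.php?user/login HTTP/1.1" 200 5120
  198.51.100.7 - - [01/Jun/2023:10:02:11 +0000] "POST /module/api.php?mobile/webNasIPS HTTP/1.1" 200 412
  198.51.100.7 - - [01/Jun/2023:10:02:13 +0000] "POST /tos/index.php?app/del HTTP/1.1" 200 31
  203.0.113.5 - - [01/Jun/2023:10:05:40 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 20
  192.0.2.10 - - [01/Jun/2023:10:07:02 +0000] "POST /tos/index.php?app/del HTTP/1.1" 200 31
  garbage line that does not parse
LOG

# Returns { ip => { leak: [line numbers], inject: [line numbers] } },
# containing only clients that touched one of the two endpoints.
def collect_hits(log_text)
  hits = Hash.new { |h, k| h[k] = { leak: [], inject: [] } }
  log_text.each_line.with_index(1) do |line, lineno|
    m = LOG_LINE.match(line) or next # skip lines that do not parse
    if m[:method] == 'POST' && m[:target].start_with?(INFO_LEAK)
      hits[m[:ip]][:leak] << lineno
    elsif m[:target].start_with?(CMD_INJECT)
      hits[m[:ip]][:inject] << lineno
    end
  end
  hits
end

# :chain means the info-leak POST was followed later in the log by a request
# to the command-injection endpoint from the same client address.
def triage(log_text)
  collect_hits(log_text).to_h do |ip, h|
    level =
      if h[:leak].any? && h[:inject].any? && h[:leak].min < h[:inject].max
        :chain
      elsif h[:leak].any?
        :info_leak_only
      else
        :inject_only
      end
    [ip, level]
  end
end

triage(SAMPLE_LOG).each { |ip, level| puts "#{ip}\t#{level}" } if $PROGRAM_NAME == __FILE__
```

A `:chain` result is the one to investigate first; the single-endpoint results are lower-signal and are reported so they can be reviewed against expected clients.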