module
TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.
| Disclosed | Created |
|---|---|
| 2021-12-24 | 2023-06-09 |
Disclosed
2021-12-24
Created
2023-06-09
Description
Terramaster chained exploit that performs session crafting to achieve escalated privileges that allows
an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected.
CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system as well as other
information such as MAC address, by performing a request to the `/module/api.php?mobile/webNasIPS` endpoint.
This information is used to craft an unauthenticated admin session using CVE-2021-45841 where an attacker
can self-sign session cookies by knowing the target MAC address and the user password hash.
Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker
to login as guest.
Finally, CVE-2021-45837 is exploited to execute arbitrary commands as root by sending a specifically crafted
input to vulnerable endpoint `/tos/index.php?app/del`.
an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected.
CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system as well as other
information such as MAC address, by performing a request to the `/module/api.php?mobile/webNasIPS` endpoint.
This information is used to craft an unauthenticated admin session using CVE-2021-45841 where an attacker
can self-sign session cookies by knowing the target MAC address and the user password hash.
Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker
to login as guest.
Finally, CVE-2021-45837 is exploited to execute arbitrary commands as root by sending a specifically crafted
input to vulnerable endpoint `/tos/index.php?app/del`.
Authors
h00die-gr3y h00die.gr3y@gmail.com
n0tme
n0tme
Platform
Linux,Unix
Architectures
cmd, x64, x86, aarch64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.