CVE-2020-15568
published 2021-01-30CVE-2020-15568: TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in…
PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
28.49%
97.9th percentile
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| terra-master | tos | < 4.1.29 | 4.1.29 |
Detection & IOCsextracted from sources · hover to see the quote
url/include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3E{{filename}}.txt
- →Look for GET requests to /include/exportUser.php with query parameters 'cla=application', 'func=_exec', and a non-empty 'opt' parameter — this is the exploit path for dynamic class method invocation leading to RCE as root.
- →Validate HTTP responses from /include/exportUser.php for content matching 'root:.*:0:0:' (passwd file output), indicating successful OS command injection.
- →Monitor for unauthenticated access to /include/exportUser.php from external IPs; the vulnerability requires no authentication (PR:N, UI:N per CVSS).
- →Attacker-created output files (e.g., random 4-char alpha .txt files) under /include/ on the TerraMaster device may indicate post-exploitation artifact staging.
- ·The exploit targets TerraMaster TOS versions strictly before 4.1.29; devices running 4.1.29 or later are not affected. ↗
- ·The Nuclei template uses a randomised 4-character lowercase alpha filename as the output artifact; detection rules based on a fixed filename will miss real-world exploitation.
- ·FOFA fingerprinting query used to identify exposed TerraMaster devices is '"terramaster" && header="tos"', which can help scope detection to relevant assets.
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-j542-2x58-5jg4: TerraMaster TOS before 4
ghsa_unreviewed·2022-05-24
CVE-2020-15568 [CRITICAL] CWE-78 GHSA-j542-2x58-5jg4: TerraMaster TOS before 4
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
VulnCheck
TerraMaster tos Improper Control of Dynamically-Managed Code Resources
vulncheck·2020·CVSS 9.8
CVE-2020-15568 [CRITICAL] TerraMaster tos Improper Control of Dynamically-Managed Code Resources
TerraMaster tos Improper Control of Dynamically-Managed Code Resources
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
Affected: TerraMaster tos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr; https://heimdalsecurity.com/blog/vulnerable-video-dvr-devices-now-targeted-by-the-freakout-botnet/; https://dashboard
No detection rules found.
Nuclei
TerraMaster TOS <.1.29 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2020-15568 [CRITICAL] TerraMaster TOS <.1.29 - Remote Code Execution
TerraMaster TOS <.1.29 - Remote Code Execution
TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
Template:
id: CVE-2020-15568
info:
name: TerraMaster TOS <.1.29 - Remote Code Execution
author: pikpikcu
severity: critical
description: TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
impact: |
Successful exp
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42·2021-10-14
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42·2021-10-14
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
Threat Research Center
Threat Research
Cybercrime
## Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
Yue Guan
Jin Chen
Leo Olson
Wayne Xin
Daiping Liu
Published: October 14, 2021
Cybercrime
Threat Research
Attack analysis
Exploit
Exploit in the wild
Interactsh
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh . This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC
2021-01-30
Published
Exploited in the wild