CVE-2020-35665
Published 2020-12-23
Priority P1 · 91 · critical · CVSS 3.1 score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 78.14% (99.5th percentile)
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| terra-master | terramaster_operating_system | <= 4.2.06 | — |
Detection & IOCs (extracted from sources)
Snort rule (sid:2031535):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_18;)
Detections:
- Detect unauthenticated GET requests to /include/makecvs.php with an Event parameter containing shell metacharacters (backtick, semicolon, pipe, ampersand, or their URL-encoded equivalents %60, %3b, %7c, %26) together with a URL-encoded space (%20).
- Monitor for unexpected .php file creation under /usr/www/ on TerraMaster devices, which is the web shell drop location used by the exploit.
- Monitor for POST requests to randomly named .php files under the web root immediately following a GET to /include/makecvs.php; this is the two-stage web shell upload and execution pattern used by the exploit.
- Check the /version endpoint response for TerraMaster TOS version 4.2.06 or lower; the exploit checks version <= '4206' to confirm vulnerability before proceeding.
- The exploit defaults to port 8181 for TerraMaster TOS; monitor HTTP traffic on this non-standard port for exploitation attempts targeting /include/makecvs.php.
- The exploit uses the default Metasploit payload cmd/unix/reverse_perl with base64-encoded commands passed via brace expansion to bash; look for brace-expansion patterns like {echo,<base64>}|{base64,-d}|{bash,-i} in HTTP request bodies or process arguments.
Notes:
- The ET/Snort rule (sid:2031535) covers both CVE-2020-28188 and CVE-2020-35665 with the same signature; tuning may be needed to distinguish between the two vulnerabilities in alerting.
- The web application on TerraMaster TOS typically runs as root, meaning successful exploitation grants full system compromise; prioritize detection and patching accordingly.
- No authentication is required to exploit this vulnerability; perimeter controls blocking unauthenticated access to port 8181 are a critical compensating control.
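The first detection above is the logic of the ET rule applied to a web-server access log. The following is an added example (not code from the page or from any of the sources it cites) that mirrors the rule's conditions, GET to a makecvs.php path, a metacharacter after `Event=`, and a `%20` in the raw URI, and runs it over a few constructed log lines; the log layout (client, method, URI, status) is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access log lines, not real traffic. Assumed layout:
# client method URI status (whitespace separated).
SAMPLE_LOG = """\
203.0.113.5 GET /include/makecvs.php?Event=%60id%60%20 200
203.0.113.5 GET /include/makecvs.php?Event=2020-12-23%3buname%20-a 200
198.51.100.7 GET /include/makecvs.php?Event=2020-12-23 200
198.51.100.7 GET /module/index.php?user/login 200
203.0.113.9 POST /include/makecvs.php?Event=%7cls%20 200
"""

# Shell metacharacters the ET rule looks for after "Event=", raw or URL-encoded:
# backtick, semicolon, pipe, ampersand, or one of < > $ followed by "(".
# re.I is a deliberate widening so %3B matches as well as %3b.
META_RE = re.compile(
    r"(?:[`;|&]|%60|%3b|%7c|%26|(?:[<>$]|%3c|%3e|%24)(?:\(|%28))", re.I
)


def suspicious_makecvs_request(line: str):
    """Return the decoded Event value if the line matches the
    CVE-2020-35665 request pattern, otherwise None."""
    try:
        _client, method, uri, _status = line.split()
    except ValueError:
        return None  # malformed line; not this log layout
    if method != "GET":
        return None
    parts = urlsplit(uri)
    if not parts.path.endswith("/makecvs.php"):
        return None
    idx = parts.query.find("Event=")
    if idx < 0:
        return None
    # Like the rule's relative pcre, inspect everything after "Event=".
    tail = parts.query[idx + len("Event="):]
    if not META_RE.search(tail) or "%20" not in uri:
        return None
    return unquote(tail)


def scan_log(text: str):
    """Map the index of each matching log line to its decoded Event payload."""
    hits = {}
    for i, line in enumerate(text.splitlines()):
        payload = suspicious_makecvs_request(line)
        if payload is not None:
            hits[i] = payload
    return hits
```

Lines that use a metacharacter without `%20`, a non-GET method, or another path are intentionally not flagged, matching the rule's own blind spots.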
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-wf5j-wf7x-99jg · ghsa_unreviewed · 2022-05-24 · CVE-2020-35665 [CRITICAL] · CWE-434
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
VulnCheck
CVE-2020-35665 [CRITICAL] · vulncheck · 2020 · CVSS 9.8
TerraMaster TerraMaster OS Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
Affected: TerraMaster TerraMaster OS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.imperva.com/blog/python-cryptominer-botnet-quickly-adopts-latest-vulnerabilities/
- https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/
- https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-w
Suricata
CVE-2020-28188 [CRITICAL] · suricata · 2021-01-21 · CVSS 9.8
ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)
Rule: sid:2031535, rev:3 (full rule text quoted under Detection & IOCs above).
Exploit-DB
CVE-2020-35665 · exploitdb · 2020-12-23
TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution',
      'Description' => %q(
        This module exploits an unauthenticated command execution vulnerability in TerraMaster TOS.
        The "Event" parameter in "include/makecvs.php" contains a vulnerability.
        "filename" is executing a command on the system during ".csv" creation.
        In order to do this, it is not necessary to have a session in the application.
        Therefore an unauthenticated user can execute the command on the system.
      ),
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'AkkuS',  # PoC & Metasploit module
          'IHTeam'  #
```
Metasploit
metasploit
TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution
This module exploits an unauthenticated remote code-execution vulnerability in TerraMaster TOS 4.2.06 and lower via shell metacharacters in the Event parameter at the vulnerable endpoint `include/makecvs.php` during CSV creation. Any unauthenticated user can therefore execute commands on the system with the privileges of the web application, which typically runs as root on the TerraMaster Operating System.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/172880/TerraMaster-TOS-4.2.06-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/49330
- https://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.html