CVE-2022-24989
published 2023-08-20

Priority: P1 90 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 31.88% (98.1th percentile)
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

Affected

1 range
Vendor | Product | Version range | Fixed in
terra-master | terramaster_operating_system | < 4.2.31 | 4.2.31

Detection & IOCs (extracted from sources)

url: /module/api.php?mobile/createRaid
url: api.php?mobile/createRaid
url: api.php?mobile/webNasIPS
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype|27 3a 20 27|"; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035629; rev:3; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype="; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035630; rev:3; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: raidtype|27 3a 20 27|
  • Exploitation arrives as an HTTP POST to the URI path /module/api.php?mobile/createRaid. Inspect the POST body for the 'raidtype' and 'diskstring' parameters and look for shell metacharacters (;, newline, &, backtick, |, $) in their values; those values are passed to a popen() call without sanitization.
  • Shell metacharacters to look for in the POST body: 0x3b (;), 0x0a (newline), 0x26 (&), 0x60 (backtick), 0x7c (|), 0x24 ($). The ET PCRE pattern /^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R is anchored (/R) directly after the preceding content match, so it only fires when the metacharacter is the first byte of the raidtype value.
  • The attack chain first harvests credentials (admin password hash and MAC address) via CVE-2022-24990 at api.php?mobile/webNasIPS before exploiting CVE-2022-24989; monitor for reconnaissance requests to that endpoint preceding the createRaid POST.
  • The vulnerability is reachable from the WAN; perimeter-facing TerraMaster NAS devices running TOS ≤ 4.2.30 should be prioritised for detection coverage.
  • Exploitation of CVE-2022-24989 requires valid credentials; in the wild these are obtained by first exploiting CVE-2022-24990 (information disclosure). Detections that only watch for the createRaid POST may miss the prerequisite reconnaissance step against api.php?mobile/webNasIPS.
  • The ET Snort rules (sid:2035629 and sid:2035630) match the URI path /module/api.php?mobile/createRaid; ensure your HTTP inspection normalises the URI correctly, as path variations (e.g. without the /module/ prefix) may bypass the fast_pattern match.
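The following Python detector is an added example, not code from this page, from Emerging Threats or from TerraMaster. It re-implements the matching logic of the two ET rules above (the raw-body anchors `raidtype=` and `raidtype': '` followed immediately by one of the listed metacharacters, on a POST to the createRaid URI) and adds a URL-decoded check over the `raidtype` and `diskstring` values, so you can see on constructed requests which inputs the rule anchors catch and which the decoded check is needed for. All sample requests are constructed for the example; the function names are assumptions.

```python
"""Toy HTTP-layer detector for the createRaid command-injection pattern.

Re-implements the logic of ET sid:2035629 / sid:2035630 in Python and adds a
URL-decoded value check. Sample requests below are constructed, not captures.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Shell metacharacters from the ET PCRE: 0x3b 0x0a 0x26 0x60 0x7c 0x24
METACHARS = ";\n&`|$"
_META_CLASS = "[" + re.escape(METACHARS) + "]"

# Raw-body anchors of the two ET rules. |27 3a 20 27| is the byte sequence
# ': ' and the /R modifier anchors the PCRE right after the content match,
# so the metacharacter has to be the very next byte (nocase on the anchor).
ET_RAW_ANCHORS = {
    "sid:2035629": re.compile(r"raidtype': '" + _META_CLASS, re.I),
    "sid:2035630": re.compile(r"raidtype=" + _META_CLASS, re.I),
}
WATCHED_PARAMS = ("raidtype", "diskstring")
CREATE_RAID_QUERY = "mobile/createRaid"


def targets_create_raid(uri, strict_prefix=False):
    """True if the request URI addresses the createRaid handler.

    strict_prefix=True reproduces the ET rules, which need the literal
    '/module/api.php?mobile/createRaid'. The default is looser and also
    accepts the path without the /module/ prefix (the bypass noted above).
    """
    if strict_prefix:
        return "/module/api.php?" + CREATE_RAID_QUERY in uri
    parts = urlsplit(uri)
    last_segment = parts.path.lower().split("/")[-1]
    return last_segment == "api.php" and parts.query == CREATE_RAID_QUERY


def parse_form_body(body):
    """Minimal application/x-www-form-urlencoded parser (splits only on '&')."""
    out = {}
    for field in body.split("&"):
        if not field:
            continue
        name, _, raw = field.partition("=")
        out.setdefault(unquote_plus(name), []).append(unquote_plus(raw))
    return out


def inspect_request(method, uri, body, strict_uri=False):
    """Return a list of findings for one HTTP request; empty means clean."""
    findings = []
    if method.upper() != "POST" or not targets_create_raid(uri, strict_uri):
        return findings
    # 1. ET rule logic: metacharacter directly after the raw anchor.
    for sid, pattern in ET_RAW_ANCHORS.items():
        if pattern.search(body):
            findings.append(f"{sid}: metacharacter directly after raidtype anchor")
    # 2. Decoded check: any metacharacter anywhere in the watched parameters.
    params = parse_form_body(body)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            bad = sorted({c for c in value if c in METACHARS})
            if bad:
                findings.append(f"decoded: {name} contains {bad!r}")
    return findings


# Constructed sample requests (method, uri, body); none is a real capture.
SAMPLE_REQUESTS = {
    # legitimate RAID creation, no metacharacters
    "benign": ("POST", "/module/api.php?mobile/createRaid",
               "raidtype=raid1&diskstring=sda,sdb"),
    # metacharacter as the first byte of the value: fires sid:2035630
    "rule_m2": ("POST", "/module/api.php?mobile/createRaid",
                "raidtype=;CONSTRUCTED&diskstring=sda"),
    # quoted-key body form anchored by sid:2035629
    "rule_m1": ("POST", "/module/api.php?mobile/createRaid",
                "raidtype': ';CONSTRUCTED"),
    # metacharacter not in first position and URL-encoded: raw anchors miss it
    "encoded": ("POST", "/module/api.php?mobile/createRaid",
                "raidtype=raid1%3BCONSTRUCTED&diskstring=sda"),
    # same as rule_m2 but without the /module/ prefix
    "no_prefix": ("POST", "/api.php?mobile/createRaid",
                  "raidtype=;CONSTRUCTED&diskstring=sda"),
    # reconnaissance endpoint from CVE-2022-24990; not in scope of this check
    "recon": ("GET", "/module/api.php?mobile/webNasIPS", ""),
}


def scan_samples():
    """Run the detector over every constructed sample request."""
    return {name: inspect_request(*req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:10s} {findings or 'clean'}")
```

The "encoded" and "no_prefix" samples are the two gaps called out in the bullets: the raw-body anchors only see a metacharacter in the first byte of the raidtype value, and the ET URI content only matches with the /module/ prefix. Passing strict_uri=True makes inspect_request behave like the rules and ignore the prefix-less request.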

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL