CVE-2022-24989
Published 2023-08-20
CVE-2022-24989: TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object…
Priority: P1 (90) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 31.88% (98.1st percentile)
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| terra-master | terramaster_operating_system | < 4.2.31 | 4.2.31 |
Detection & IOCs (extracted from sources)

snort (sid:2035629, M1):

```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype|27 3a 20 27|"; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035629; rev:3; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

snort (sid:2035630, M2):

```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype="; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035630; rev:3; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

bytes: `raidtype|27 3a 20 27|` (the ASCII sequence `raidtype': '`)
- Exploit traffic arrives as an HTTP POST to the URI path /module/api.php?mobile/createRaid. Inspect the POST body for the 'raidtype' and 'diskstring' parameters carrying shell metacharacters (;, newline, &, backtick, |, $) immediately following the parameter value; these are passed to a popen() call without sanitization.
- Shell metacharacters to look for immediately after the raidtype value in the POST body: 0x3b (;), 0x0a (newline), 0x26 (&), 0x60 (backtick), 0x7c (|), 0x24 ($), as captured by the ET PCRE pattern /^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R.
- The attack chain first harvests credentials (admin password hash and MAC address) via CVE-2022-24990 at api.php?mobile/webNasIPS before exploiting CVE-2022-24989; monitor for reconnaissance requests to that endpoint preceding the createRaid POST.
- The vulnerability is reachable from the WAN; perimeter-facing TerraMaster NAS devices running TOS ≤ 4.2.30 should be prioritised for detection coverage.
- Exploitation of CVE-2022-24989 requires valid credentials; in the wild these are obtained by first exploiting CVE-2022-24990 (information disclosure). Detections that only watch for the createRaid POST may miss the prerequisite reconnaissance step against api.php?mobile/webNasIPS.
- The ET Snort rules (sid:2035629 and sid:2035630) target the URI path /module/api.php?mobile/createRaid; ensure your HTTP inspection normalises the URI correctly, as path variations (e.g. without the /module/ prefix) may bypass the fast_pattern match.
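As an added example, not code from this page, from ET, or from TerraMaster: a Python emulation of the two ET rules' matching logic run over constructed sample requests, paired with a broader decoded-parameter check. The `parse_request`, `et_match`, `tainted_params` and `sample_request` helpers are assumptions for illustration; the code deliberately matches the URI without the /module/ prefix and scans the whole decoded raidtype/diskstring value, both of which go beyond the published rules.

```python
from urllib.parse import parse_qs

# Shell metacharacters listed in the ET PCRE /^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R
META = set(";\n&`|$")
# Matched without the /module/ prefix, so the path variation noted above is still caught
TARGET = "api.php?mobile/createRaid"
# content: markers of sid:2035629 (M1) and sid:2035630 (M2); |27 3a 20 27| is "': '"
MARKERS = ((2035629, "raidtype': '"), (2035630, "raidtype="))

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body as text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _ = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    return method, uri, body.decode("latin-1")

def et_match(raw: bytes):
    """Emulate the two ET rules: POST to createRaid and a metacharacter at the byte
    immediately after the marker, which is what the /R-relative ^ anchor tests.
    Returns the matching sid or None."""
    method, uri, body = parse_request(raw)
    if method != "POST" or TARGET not in uri:
        return None
    lowered = body.lower()
    for sid, marker in MARKERS:
        idx = lowered.find(marker)
        end = idx + len(marker)
        if idx >= 0 and end < len(body) and body[end] in META:
            return sid
    return None

def tainted_params(raw: bytes):
    """Broader than the ET rules: any metacharacter anywhere in the decoded raidtype
    or diskstring value. A raw '&' delimits form fields and is invisible here, while
    et_match sees it on the raw body, so run both."""
    method, uri, body = parse_request(raw)
    if method != "POST" or TARGET not in uri:
        return []
    params = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in ("raidtype", "diskstring")
                  for value in params.get(name, []) if META & set(value))

def sample_request(uri: str, body: str) -> bytes:
    """Build a constructed sample request (not captured traffic) for testing."""
    return (f"POST {uri} HTTP/1.1\r\nHost: nas.example\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()
```

Feed `et_match` and `tainted_params` the same request: a value such as `diskstring=sda%3bsdb` is ignored by the ET anchor but flagged by the decoded check, which is the coverage gap the last note above describes.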
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-37wm-xp2m-g3h7: TerraMaster NAS through 4
ghsa_unreviewed · 2023-08-20 · CVSS 7.5 · HIGH · CWE-74
VulnCheck
TerraMaster TerraMaster OS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck · 2022 · CVSS 9.8 · CRITICAL
Affected: TerraMaster TerraMaster OS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.360.cn/n/12457.html
Suricata
ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)
suricata · 2022-03-29 · CVSS 9.8 · CRITICAL
Rule: sid:2035629 (full rule text listed under Detection & IOCs)
Suricata
ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)
suricata · 2022-03-29 · CVSS 9.8 · CRITICAL
Rule: sid:2035630 (full rule text listed under Detection & IOCs)
No writeups or analysis indexed.
References:
- https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation
- https://packetstormsecurity.com/files/172904