TROYANOSYVIRUS
Volver a CVEs

CVE-2022-24989

CRITICAL
9.8

Descripcion

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

Detalles CVE

Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado8/20/2023
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0

Productos afectados

terra-master:f2-210terra-master:f2-221terra-master:f2-223terra-master:f2-422terra-master:f2-423terra-master:f4-421terra-master:f4-422terra-master:f4-423terra-master:f5-221terra-master:f5-422terra-master:t12-423terra-master:t12-450terra-master:t6-423terra-master:t9-423terra-master:t9-450terra-master:terramaster_operating_systemterra-master:u12-322-9100terra-master:u12-423terra-master:u12-722-2224terra-master:u16-322-9100terra-master:u16-722-2224terra-master:u24-722-2224terra-master:u4-111terra-master:u4-211terra-master:u4-423terra-master:u8-111terra-master:u8-322-9100terra-master:u8-423terra-master:u8-522-9400terra-master:u8-722-2224

Debilidades (CWE)

CWE-74

Referencias

https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990(cve@mitre.org)
https://forum.terra-master.com/en/viewforum.php?f=28(cve@mitre.org)
https://github.com/0xf4n9x/CVE-2022-24990(cve@mitre.org)
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation(cve@mitre.org)
https://packetstormsecurity.com/files/172904(cve@mitre.org)
https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990(af854a3a-2127-422b-91ae-364da2661108)
https://forum.terra-master.com/en/viewforum.php?f=28(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/0xf4n9x/CVE-2022-24990(af854a3a-2127-422b-91ae-364da2661108)
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation(af854a3a-2127-422b-91ae-364da2661108)
https://packetstormsecurity.com/files/172904(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.