CVE-2022-24990
In short
TerraMaster NAS devices running version 4.2.29 or earlier leak the administrator password in plain text when a specially crafted web request is made. An attacker can easily retrieve the admin password remotely without needing any credentials.
Technical detail
The vulnerability exists in the module/api.php endpoint (mobile/webNasIPS function), which fails to implement access controls (CWE-306) and returns the PWD field containing plaintext administrative credentials when requests include the 'TNAS' User-Agent header. Remote unauthenticated attackers can enumerate admin credentials, leading to full NAS compromise.
Summary generated and translated by AI from the official description.
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
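A log check for the request described above, added here as an example (not code from the advisory or from TerraMaster): it scans web access logs for requests to module/api.php?mobile/webNasIPS and flags those carrying the TNAS User-Agent. It assumes the NAS, or a reverse proxy in front of it, writes Combined Log Format; the function name, severity labels and sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format (assumed):
# ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_webnasips_requests(lines):
    """Return one dict per request to module/api.php?mobile/webNasIPS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        # Decode percent-escapes so an encoded path or query is still matched.
        path = unquote(parts.path).lower()
        query = unquote(parts.query).lower()
        if not path.endswith("module/api.php"):
            continue
        if not query.startswith("mobile/webnasips"):
            continue
        # Substring match is deliberately broad (an assumption of this example).
        ua_is_tnas = "TNAS" in m["ua"]
        # A 200 with the TNAS User-Agent is the case where PWD may have been returned.
        leaked = ua_is_tnas and m["status"] == "200"
        hits.append({
            "ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "ua_is_tnas": ua_is_tnas,
            "severity": "high" if leaked else "review",
        })
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [07/Mar/2022:10:00:01 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '198.51.100.7 - - [07/Mar/2022:10:00:05 +0000] "GET /module/api.php?mobile%2FwebNasIPS HTTP/1.1" 403 0 "-" "TNAS"',
    '203.0.113.4 - - [07/Mar/2022:10:01:00 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [07/Mar/2022:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_webnasips_requests(SAMPLE):
        print(hit)
```

Any "high" hit on a device running 4.2.29 or earlier means the administrator password should be treated as disclosed and rotated after upgrading.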
Affected products
n/a · n/a
public PoCs found — 7
github: github.com/lishang520/CVE-2022-24990 ★ 38
github: github.com/0xf4n9x/CVE-2022-24990 ★ 12
github: github.com/VVeakee/CVE-2022-24990-POC ★ 4
github: github.com/jsongmax/terraMaster-CVE-2022-24990 ★ 4
github: github.com/ZZ-SOCMAP/CVE-2022-24990 ★ 3
github: github.com/Jaky5155/CVE-2022-24990-TerraMaster-TOS--PHP- ★ 2
cve_reference: packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
https://forum.terra-master.com/en/viewforum.php?f=28
https://github.com/0xf4n9x/CVE-2022-24990
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24990