CVE-2020-35665
📋 TL;DR
CVE-2020-35665 is an unauthenticated remote code execution vulnerability in TerraMaster TOS. Attackers can execute arbitrary commands on affected systems by injecting shell metacharacters in the Event parameter during CSV creation. All TerraMaster TOS users running vulnerable versions are affected.
💻 Affected Systems
- TerraMaster TOS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or deploy ransomware.
Likely Case
Attackers gain shell access to install backdoors, exfiltrate sensitive data, or use the system for cryptocurrency mining.
If Mitigated
No impact if the system is patched or properly firewalled from external access.
🎯 Exploit Status
Multiple public exploit scripts available. Attack requires no authentication and minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TOS 4.2.07 or later
Vendor Advisory: https://www.terra-master.com/global/
Restart Required: Yes
Instructions:
1. Back up critical data.
2. Log into the TOS web interface.
3. Navigate to Control Panel > General Settings > Update & Restore.
4. Check for updates and install TOS 4.2.07 or later.
5. Reboot the NAS after the update completes.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Restrict access to /include/makecvs.php via web server configuration or firewall rules.
# For Apache: add to .htaccess
# (Order/Deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the <Files> block)
<Files "makecvs.php">
Order Deny,Allow
Deny from all
</Files>
# For nginx: add to server block
location ~ /include/makecvs\.php$ {
deny all;
}
Network segmentation
Place the TerraMaster NAS behind a firewall with strict inbound rules.
# Example iptables rules to block web access from outside the local subnet
# (replace 192.168.1.0/24 with your management subnet; "! -s" is the
# supported negation form, the older "-s !" form is deprecated)
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP
🧯 If You Can't Patch
- Immediately disconnect vulnerable systems from the internet and place them behind a strict firewall
- Implement network monitoring for exploitation attempts and review logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the TOS version in the web interface: Control Panel > General Settings > About. If the version is 4.2.06 or earlier, the system is vulnerable.
Check Version:
curl -s http://[NAS_IP]/tos/ | grep -i version
Verify Fix Applied:
Verify that the TOS version is 4.2.07 or later. As an additional check, request /include/makecvs.php; it should be blocked or return an error.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /include/makecvs.php with shell metacharacters in parameters
- Unusual process execution by the web server user
- CSV generation errors with command injection attempts
Network Indicators:
- HTTP POST requests to makecvs.php containing pipe characters, semicolons, or backticks in parameters
- Outbound connections from NAS to suspicious IPs following exploit attempts
SIEM Query:
source="web_logs" AND uri="/include/makecvs.php" AND (param="Event" AND value MATCHES "[|;&`$()]+")
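An added example (not from the original advisory) that applies the SIEM logic above to web-server access-log lines in Python: it parses each line, URL-decodes the query string and flags requests to /include/makecvs.php whose Event parameter contains shell metacharacters. The log lines and the common log format are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters from the SIEM query above; none belong in a CSV event name.
META_RE = re.compile(r"[|;&`$()]")
TARGET_PATH = "/include/makecvs.php"

# Assumed common/combined access-log layout: ip, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one unrelated request,
# one benign CSV export, and one Event value carrying a URL-encoded ';'.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:10:00:01 +0000] "GET /tos/ HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2021:10:00:02 +0000] "GET /include/makecvs.php?Event=backup&Type=0 HTTP/1.1" 200 88
10.0.0.9 - - [10/Jan/2021:10:00:03 +0000] "GET /include/makecvs.php?Event=backup%3Bls&Type=0 HTTP/1.1" 200 88
"""

def suspicious_event(line):
    """Return the decoded Event value if this line is a request to makecvs.php
    whose Event parameter contains shell metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # Decode first: '%3B' and '%7C' are how ';' and '|' usually arrive on the wire.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("Event", []):
        if META_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_event) for every suspicious request in lines."""
    hits = []
    for line in lines:
        value = suspicious_event(line)
        if value is not None:
            hits.append((LOG_RE.match(line).group("ip"), value))
    return hits

if __name__ == "__main__":
    for ip, event in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT makecvs.php injection attempt from {ip}: Event={event!r}")
```

Access logs record only the request line, so this catches parameters sent in the query string; the POST bodies mentioned under Network Indicators need a WAF or reverse-proxy log that captures them.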
🔗 References
- http://packetstormsecurity.com/files/172880/TerraMaster-TOS-4.2.06-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/49330
- https://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.html