TerraMaster NAS’s eye-opening CVE


As published last Tuesday, via @da_667 on Mastodon:

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

This is hauntingly similar to how I got into a photocopier/print server in my high school library in the mid-2000s. I couldn’t believe the password was delivered to the endpoint for local comparison. It also delightfully dropped every non-alphanumeric character, and translated every letter into lowercase before evaluation, just to remove some more entropy.

(I disclosed the issues, because I’m a square!)

As an aside, expect to see more fundamental mistakes like this when artificial “intelligence” tools write more code. We’re told it should only be used as a guide, or be reviewed by a human first. We know it won’t be.
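For anyone running one of these, the request in the CVE text above is easy to look for in web access logs. This is an added example, not code from TerraMaster or from the original post: it assumes the NAS (or a proxy in front of it) writes Combined Log Format, and the function name, LAN ranges and sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed format: ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Endpoint and User-Agent as given in the CVE text, lowercased for matching.
ENDPOINT = "module/api.php?mobile/webnasips"
USER_AGENT = "tnas"
# Assumption: these ranges are "inside"; adjust to the real network.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def find_password_disclosure_requests(lines):
    """Return one dict per log line that matches the request described in the CVE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        target = unquote(m["target"]).lower()  # undo %-encoding before matching
        if ENDPOINT not in target or m["ua"].strip().lower() != USER_AGENT:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
            external = not any(addr in net for net in LAN)
        except ValueError:
            external = True  # hostname or junk in the client field: treat as untrusted
        hits.append({"ip": m["ip"], "time": m["time"], "status": int(m["status"]), "external": external})
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '192.168.1.20 - - [12/Mar/2024:10:02:10 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '198.51.100.9 - - [12/Mar/2024:10:03:44 +0000] "GET /module/api.php?mobile%2FwebNasIPS HTTP/1.1" 200 498 "-" "tnas"',
    '203.0.113.7 - - [12/Mar/2024:10:04:00 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [12/Mar/2024:10:05:30 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "TNAS"',
]

if __name__ == "__main__":
    for hit in find_password_disclosure_requests(SAMPLE_LOG):
        print(hit)
```

A hit from an external address with a 200 status is the one to act on first: treat the admin password as exposed, rotate it, and check whether the management interface needs to be reachable from outside at all.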

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!
