TerraMaster TOS 4.2.06 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.06 and below via shell metacharacters in the Event parameter at vulnerable endpoint include/makecvs.php during CSV creation. Any unauthenticated user can therefore execute commands on the system under the same privileges as the web application, which typically runs under root at the TerraMaster Operating System.

application code code execution csv endpoint event exploits metasploit parameter php privileges remote code remote code execution root shell system terramaster the web under vulnerability vulnerable web web application