TerraMaster NAS TOS <= 3.0.30 Unauthenticated RCE as Root

Recently I bought a TerraMaster F2-420 NAS from Amazon in order to store my private code, backups and this kind of stuff. As soon as it arrived I started to play with its web interface and eventually I wanted to see how it was implemented, moreover I was curious to see if I could find any remotely exploitable vulnerability.

As you can see … I succeeded :)


Read More

DISCLOSURE - RCE Against Every Open Source BTS Software.

This is a repost of an analysis of mine that has been posted on Zimperium’s blog, basically I’ve found that the following products are vulnerable to remote command execution, plus other various logic errors n’ stuff:

  • YateBTS <= 5.0.0
  • OpenBTS <= 4.0.0
  • OpenBTS-UMTS <= 1.0.0
  • Osmo-TRX/Osmo-BTS <= 0.1.10
  • Other products that share the same transceiver code base.


Read More

Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils )

It’s been a few weeks I’ve been playing with afl-fuzz ( american fuzzy lop ), a great tool from lcamtuf which uses binary instrumentation to create edge-cases for a given software, the description on the website is:

American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time
instrumentation and genetic algorithms to automatically discover clean, interesting test cases
that trigger new internal states in the targeted binary.
This substantially improves the functional coverage for the fuzzed code. The compact synthesized
corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive
testing regimes down the road.

Ok nice … but what does this actually mean?

Read More