TerraMaster NAS TOS <= 3.0.30 Unauthenticated RCE as Root

Recently I bought a TerraMaster F2-420 NAS from Amazon in order to store my private code, backups and this kind of stuff. As soon as it arrived I started to play with its web interface and eventually I wanted to see how it was implemented, moreover I was curious to see if I could find any remotely exploitable vulnerability.

As you can see … I succeeded :)


Read More

DISCLOSURE - RCE Against Every Open Source BTS Software.

This is a repost of an analysis of mine that has been posted on Zimperium’s blog, basically I’ve found that the following products are vulnerable to remote command execution, plus other various logic errors n’ stuff:

  • YateBTS <= 5.0.0
  • OpenBTS <= 4.0.0
  • OpenBTS-UMTS <= 1.0.0
  • Osmo-TRX/Osmo-BTS <= 0.1.10
  • Other products that share the same transceiver code base.


Read More

OSX Mass Pwning Using BetterCap and the Sparkle Updater Vulnerability.


Yesterday Radek from VulnSec posted an interesting article named “There’s a lot of vulnerable OS X applications out there.“, he discovered that the Sparkle update system ( used by some very popular OSX apps such as VLC, Adium, iTerm and so forth ) uses HTTP instead of HTTPS to fetch updates informations for such applications, making all of them vulnerable to man in the middle attacks and, as he shown, remote command execution attacks.

I’m not going to explain the details of his attack, his post is quite self explainatory, but I’ll show you how easy it is to mass pwn OSX machines on your network using the new OSX Sparkle bettercap proxy module.

Read More