Vendor of Product: TRENDNET
Affected Product and Version: TEW-822DRE FW103B02
Description:
In the TEW-822DRE FW103B02 Range Extender, there is a misconfiguration vulnerability in vsftpd. The vulnerability causes all files uploaded anonymously via FTP to be automatically assigned root ownership, potentially allowing remote attackers to obtain full root access and take complete control of the devices.
Detail:
In the TEW-822DRE FW103B02 firmware, the content of /etc/vsftpd.conf is as follows.
write_enable=YES
local_umask=0
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody
This configuration enables the chown_uploads property but does not explicitly set the required chown_username property, which defaults to root.
The official documentation of vsftpd [1] [2] states the following requirements.
chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
Note! Using "root" for uploaded files is not recommended!
Default: NO
chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.
Default: root
Clearly, there is a misconfiguration vulnerability here. This violates the principle of least privilege. The vulnerability causes all files uploaded anonymously via FTP to be automatically assigned root ownership, potentially allowing remote attackers to obtain full root access and take complete control of the devices.
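The check below is an added example, not part of the original advisory or the vendor's firmware: it parses a vsftpd.conf, applies the documented defaults, and reports when chown_uploads is enabled while the effective chown_username is root. The function names are illustrative, and the sample input is the configuration listed above.

```python
# Defaults as given in the vsftpd documentation.
DEFAULTS = {"write_enable": "NO", "anon_upload_enable": "NO",
            "chown_uploads": "NO", "chown_username": "root"}

# Constructed input: the /etc/vsftpd.conf content listed in this advisory.
ADVISORY_CONF = """\
write_enable=YES
local_umask=0
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody
"""

def parse_conf(text):
    """Parse option=value lines, skipping blanks and '#' comments."""
    explicit = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        explicit[key.strip()] = value.strip()  # a repeated option overwrites the earlier one
    return explicit

def is_yes(settings, key):
    """vsftpd treats YES, TRUE and 1 as enabled (case-insensitive)."""
    return settings[key].upper() in ("YES", "TRUE", "1")

def audit_chown(text):
    """Return findings for anonymous uploads that end up owned by root."""
    explicit = parse_conf(text)
    effective = {**DEFAULTS, **explicit}  # explicit settings override defaults
    findings = []
    if not is_yes(effective, "chown_uploads"):
        return findings
    if effective["chown_username"] == "root":
        how = "explicitly" if "chown_username" in explicit else "by default"
        reachable = is_yes(effective, "write_enable") and is_yes(effective, "anon_upload_enable")
        findings.append({"option": "chown_username", "owner": "root", "set": how,
                         "anonymous_upload_enabled": reachable})
    return findings

if __name__ == "__main__":
    for finding in audit_chown(ADVISORY_CONF):
        print(finding)
```

Setting chown_username to a dedicated unprivileged account, or leaving chown_uploads at its default of NO, clears the finding.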
Reference:
[1] http://vsftpd.beasts.org/vsftpd_conf.html
[2] https://github.com/simfishing/vsftpd-3.0.5/blob/master/vsftpd.conf