Vendor of Product: TRENDNET

Affected Product and Version: TEW-822DRE FW103B02

Description:

In the TEW-822DRE FW103B02 Range Extender there is a vsftpd misconfiguration vulnerability. Because of it, every file uploaded anonymously via FTP is automatically assigned root ownership, potentially allowing remote attackers to obtain full root access and take complete control of the device.

Detail:

In the TEW-822DRE FW103B02 firmware, the content of /etc/vsftpd.conf is as follows:

write_enable=YES
local_umask=0
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody

This configuration permits anonymous uploads (anon_upload_enable=YES and anon_mkdir_write_enable=YES) and enables chown_uploads, but it never sets the accompanying chown_username option, which therefore takes its default value of root.

The official vsftpd documentation [1] [2] describes these two options as follows.

chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
Note! Using "root" for uploaded files is not recommended!
Default: NO

chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.
Default: root

This is clearly a misconfiguration, and one that violates the principle of least privilege: every file uploaded anonymously via FTP is automatically assigned root ownership, potentially allowing remote attackers to obtain full root access and take complete control of the device.
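As an added example (not code from the advisory or from vsftpd), the following Python audit parses a vsftpd.conf, fills in the documented defaults for the options quoted above, flags the case where chown_uploads is enabled while chown_username is left at (or set to) root, and produces a corrected configuration. The owner name passed to harden() is assumed to be an existing unprivileged account on the device.

```python
# Added example, not the advisory's or vsftpd's code; defaults below are from the vsftpd manual.
VSFTPD_DEFAULTS = {  # only the options this check depends on
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chown_uploads": "NO",
    "chown_username": "root",
}
# The TEW-822DRE vsftpd.conf quoted in the advisory, embedded here as the sample input.
TEW822DRE_CONF = """\
write_enable=YES
local_umask=0
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody
"""

def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored, as vsftpd does."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def is_yes(value): return value.strip().upper() == "YES"

def audit_anon_uploads(conf):
    """Return findings about anonymous-upload ownership; an empty list means the check passes."""
    eff = {**VSFTPD_DEFAULTS, **conf}  # unset keys take the documented defaults
    findings = []
    anon_can_write = is_yes(eff["anon_upload_enable"]) or is_yes(eff["anon_mkdir_write_enable"])
    if anon_can_write and is_yes(eff["chown_uploads"]) and eff["chown_username"] == "root":
        origin = "explicitly set" if "chown_username" in conf else "defaulted"
        findings.append(f"anonymous uploads are chown'ed to root (chown_username {origin})")
    return findings

def harden(conf, owner):
    """Return a copy of conf that assigns anonymously uploaded files to an unprivileged owner."""
    fixed = dict(conf)
    if is_yes(fixed.get("chown_uploads", "NO")):
        fixed["chown_username"] = owner  # assumed to be an existing non-root account
    return fixed
```

Running audit_anon_uploads(parse_vsftpd_conf(TEW822DRE_CONF)) reports the defaulted-root finding; after harden() the same audit returns no findings.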

Reference:

[1] http://vsftpd.beasts.org/vsftpd_conf.html

[2] https://github.com/simfishing/vsftpd-3.0.5/blob/master/vsftpd.conf