Misconfiguration in TV-IP110WN

Vendor of Product: TRENDnet

Affected Product and Version: TV-IP110WN 1.2.2

Description:

The TRENDnet TV-IP110WN Camera configures the embedded Boa web server to run with root privileges (User 0, Group 0 in /server/boa.conf). This violates the principle of least privilege. Any exploit in the web interface can immediately grant root access, leading to total device compromise.

Detail:

In the TRENDnet TV-IP110WN firmware, the content of /server/boa.conf is as follows.

Port 80
User 0   <==
Group 0   <==
ErrorLog /var/log/boa/error_log
AccessLog /var/log/boa/access_log
ServerName IPCamera
DocumentRoot /server/cgi-bin
UserDir public_html
DirectoryIndex index.html
DirectoryMaker /usr/lib/boa/boa_indexer
KeepAliveMax 1000
KeepAliveTimeout 10
MimeTypes /etc/mime.types
DefaultType text/plain
CGIPath /bin/:/usr/bin/:/sbin/:/usr/sbin/
Alias /doc /usr/doc
ScriptAlias /cgi-bin/ /server/cgi-bin/

Within, both User and Group properties are set to 0 (UID/GID), which means root permission. This violates the principle of least privilege.

The official documentation of boa (http://www.boa.org/documentation/boa-2.html) states the following requirements.

2.4 Security
Boa has been designed to use the existing file system security. In boa.conf, the directives user and group determine who Boa will run as, if launched by root. By default, the user/group is nobody/nogroup. This allows quite a bit of flexibility. For example, if you want to disallow access to otherwise accessible directories or files, simply make them inaccessible to nobody/nogroup. If the user that Boa runs as is "boa" and the groups that "boa" belongs to include "web-stuff" then files/directories accessible by users with group "web-stuff" will also be accessible to Boa.

Clearly, there is a misconfiguration vulnerability here. There is a significant security risk here. It is not set according to the officially recommended security configuration nobody/nogroup. This violates the principle of least privilege. Any exploit in the web interface can immediately grant root access, leading to total device compromise.