Vendor of Product: H3C

Affected Product and Version:

M102G HM1A0V200R010
BA1500L SWBA1A0V100R006

Description:

In the H3C M102G HM1A0V200R010 wireless controller and the BA1500L SWBA1A0V100R006 wireless access point, the bundled vsftpd is misconfigured: chown_uploads is enabled without a chown_username, so every file uploaded anonymously via FTP is re-owned to the root user. A remote attacker with anonymous FTP access can use this to gain root-level control over the devices.

Detail:

In the H3C M102G HM1A0V200R010 and BA1500L SWBA1A0V100R006 firmware, the content of /etc/vsftpd.conf is as follows:

write_enable=YES
local_umask=0
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody

This file enables chown_uploads but never sets chown_username, which therefore keeps its default value of root. The other settings make the problem reachable: anonymous_enable is left at its default (YES), so anonymous logins (mapped to ftp_username=nobody) are accepted, and write_enable=YES together with anon_upload_enable=YES allows those anonymous sessions to upload files and, via anon_mkdir_write_enable=YES, create directories. Separately, local_umask=0 causes files written by local FTP users to be created world-writable (mode 0666); this is not the root-ownership flaw itself but is another setting that should be corrected.

The official vsftpd documentation [1] and the sample vsftpd.conf shipped with vsftpd [2] describe these two options as follows.

chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
Note! Using "root" for uploaded files is not recommended!
Default: NO

chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.
Default: root

The device therefore runs with chown_uploads=YES and chown_username=root, exactly the combination the documentation warns against: every file uploaded anonymously via FTP becomes owned by root. A remote attacker with anonymous FTP access can exploit this to gain root-level control over the devices. The fix is either to disable chown_uploads (uploads then stay owned by ftp_username, i.e. nobody) or to set chown_username to a dedicated unprivileged account; anonymous uploads should also be disabled unless the device actually needs them.
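The following shell script is an added example, not part of the advisory or of H3C's firmware. It audits a vsftpd.conf for the chown_uploads/chown_username combination described above, applying vsftpd's documented defaults for any option the file leaves unset, and places a constructed copy of the affected configuration beside a hardened variant. The account name ftpupload in the hardened variant is an assumption (it must exist on the device); everything else is taken from the quoted configuration and the vsftpd documentation.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the chown_uploads / chown_username problem,
# applying vsftpd's own defaults for options the file leaves unset:
# anonymous_enable=YES, write_enable=NO, anon_upload_enable=NO,
# chown_uploads=NO, chown_username=root.

# Print the value of option $2 from config file $1, or default $3 when unset.
# vsftpd only accepts "option=value" at the start of a line (no spaces;
# comment lines start with '#'); the last occurrence of an option wins.
vsftpd_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# vsftpd treats YES/TRUE/1 (case-insensitive) as true for boolean options.
vsftpd_bool() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds (returns 0) only when anonymous users can upload AND those
# uploads are chowned to root, i.e. the configuration quoted in the advisory.
vsftpd_root_chown() {
    vsftpd_bool "$(vsftpd_get "$1" anonymous_enable YES)"  || return 1
    vsftpd_bool "$(vsftpd_get "$1" write_enable NO)"       || return 1
    vsftpd_bool "$(vsftpd_get "$1" anon_upload_enable NO)" || return 1
    vsftpd_bool "$(vsftpd_get "$1" chown_uploads NO)"      || return 1
    [ "$(vsftpd_get "$1" chown_username root)" = root ]
}

# Constructed copy of the affected /etc/vsftpd.conf quoted in the advisory.
write_affected_conf() {
    cat > "$1" <<'EOF'
write_enable=YES
local_umask=0
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody
EOF
}

# Hardened variant: uploads are chowned to a dedicated unprivileged account
# ("ftpupload" is an assumed name; it must exist on the device) and
# local_umask is set to 022 so local uploads are no longer world-writable.
write_hardened_conf() {
    cat > "$1" <<'EOF'
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
chown_username=ftpupload
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody
EOF
}

audit_file() {
    if vsftpd_root_chown "$1"; then
        echo "$1: VULNERABLE - anonymous uploads are chowned to root"
    else
        echo "$1: ok"
    fi
}

# Audit the files named on the command line, or demonstrate on the two
# constructed configurations when run without arguments.
if [ $# -gt 0 ]; then
    for f in "$@"; do audit_file "$f"; done
else
    tmp=$(mktemp)
    write_affected_conf "$tmp"; audit_file "$tmp"
    write_hardened_conf "$tmp"; audit_file "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh audit-vsftpd.sh /etc/vsftpd.conf` on a firmware root to check a real file; the defaults applied by vsftpd_get are what make the check catch the case where chown_username is simply absent, which a plain grep for "chown_username=root" would miss.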

Reference:

[1] http://vsftpd.beasts.org/vsftpd_conf.html

[2] https://github.com/simfishing/vsftpd-3.0.5/blob/master/vsftpd.conf