Vendor of Product: TOTOLink

Affected Product and Version: N600R V4.3.0 & X2000R V1.0.0

Description:

In TOTOLink N600R V4.3.0 and X2000R V1.0.0 devices, there is a misconfiguration vulnerability. The configuration file vsftpd.conf enables the chown_uploads property but does not explicitly set the required chown_username property, which defaults to root. This results in a critical security flaw: every file uploaded anonymously via FTP is automatically owned by the root user. It allows remote attackers with anonymous FTP access to gain root-level control over the devices.

Detail:

In the TOTOLink N600R and X2000R firmware, the relevant excerpt of /etc/vsftpd.conf is as follows. Note that the chown_username line is commented out, so the option is not set.

write_enable=YES
local_umask=0
anon_upload_enable=YES
#chown_username=whoever
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody

The official vsftpd documentation [1] [2] describes these two options as follows.

chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
Note! Using "root" for uploaded files is not recommended!
Default: NO

chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.
Default: root

Clearly, this is a misconfiguration: chown_uploads=YES is set while chown_username is left at its default of root, which the documentation explicitly warns against. As a result, every file uploaded anonymously via FTP is automatically owned by the root user, and remote attackers with anonymous FTP access can leverage this to gain root-level control over the devices.
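The following is an added audit script, not code from TOTOLink or from the vsftpd project. It parses a vsftpd.conf the way the documented defaults imply (comment lines do not set options, chown_username defaults to root) and flags the combination above; the affected excerpt from this advisory and a corrected variant (chown_username=ftpupload is a constructed placeholder name) are embedded as sample input.

```python
# Added example: audit vsftpd.conf for chown_uploads without a non-root
# chown_username. Constructed inputs; not the vendor's or vsftpd's own code.

VSFTPD_CONF_AFFECTED = """\
write_enable=YES
local_umask=0
anon_upload_enable=YES
#chown_username=whoever
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
ftp_username=nobody
"""

# Corrected configuration (constructed): chown_username set to an
# unprivileged account so anonymous uploads are never root-owned.
VSFTPD_CONF_FIXED = """\
write_enable=YES
local_umask=022
anon_upload_enable=YES
chown_uploads=YES
chown_username=ftpupload
listen=YES
ftp_username=nobody
"""


def parse_vsftpd_conf(text):
    """Return {option: value}. Blank and '#' comment lines are ignored, so a
    commented-out '#chown_username=...' leaves the option unset."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


def is_yes(value):
    # vsftpd treats YES/TRUE/1 (case-insensitive) as boolean true
    return value.strip().upper() in ("YES", "TRUE", "1")


def audit_chown_uploads(text):
    """Return a list of finding strings; empty list means no issue found.
    Defaults follow the vsftpd man page: chown_uploads=NO, chown_username=root."""
    opts = parse_vsftpd_conf(text)
    findings = []
    if is_yes(opts.get("chown_uploads", "NO")):
        owner = opts.get("chown_username", "root")  # documented default
        if owner == "root":
            findings.append("chown_uploads=YES but chown_username is unset or "
                            "'root': anonymous uploads become root-owned")
    return findings
```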

Reference:

[1] http://vsftpd.beasts.org/vsftpd_conf.html

[2] https://github.com/SUSE/salt-formulas/blob/master/vsftpd-formula/vsftpd/files/vsftpd.conf