Vendor of Product: TOTOLink
Affected Product and Version: TOTOLink CP450 V4.1.0cu.747
Description:
In TOTOLink CP450 V4.1.0cu.747, there is a misconfiguration vulnerability in vsftpd. The vulnerability causes all files uploaded anonymously via FTP to be automatically assigned root ownership, potentially allowing remote attackers to obtain full root access and take complete control of the devices.
Detail:
In the TOTOLink CP450 V4.1.0cu.747 firmware, the content of /etc/vsftpd.conf is as follows.
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=0
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#listen_port=21
ftp_username=nobody
In this file, the chown_uploads option is enabled, but the associated chown_username option is not set explicitly, so it takes its default value, which is root.
The official vsftpd documentation [1] [2] describes the two options as follows.
chown_uploads
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
Note! Using "root" for uploaded files is not recommended!
Default: NO
chown_username
This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.
Default: root
Clearly, there is a misconfiguration vulnerability here. This violates the principle of least privilege. The vulnerability causes all files uploaded anonymously via FTP to be automatically assigned root ownership, potentially allowing remote attackers to obtain full root access and take complete control of the devices.
Reference:
[1] http://vsftpd.beasts.org/vsftpd_conf.html
[2] https://github.com/simfishing/vsftpd-3.0.5/blob/master/vsftpd.conf
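As an added example, not taken from the advisory or from the vsftpd project, the following Python script audits a vsftpd.conf for exactly this misconfiguration. It applies vsftpd's documented defaults (chown_uploads=NO, chown_username=root, anon_upload_enable=NO, write_enable=NO, local_umask=077) to whatever the file leaves unset, so an omitted chown_username is resolved to root just as vsftpd would. The vulnerable excerpt reproduces the non-comment settings quoted above; the hardened variant is an assumption that hands uploads to an unprivileged account named ftpupload (which must exist on the device) and restores the 077 umask.

```python
"""Audit a vsftpd.conf for anonymous uploads that end up owned by root.

Added example; not part of the TOTOLink advisory or the vsftpd project.
"""

# Documented vsftpd defaults for the options this audit reasons about.
DEFAULTS = {
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chown_uploads": "NO",
    "chown_username": "root",
    "local_umask": "077",
}

TRUE_VALUES = {"yes", "true", "1"}


def parse_vsftpd_conf(text):
    """Return {key: value} for a vsftpd.conf body.

    '#' lines and blank lines are ignored; a key given twice keeps the last
    value, which is how vsftpd reads the file.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Value actually in force: the file's value, else the vsftpd default."""
    return settings.get(key, DEFAULTS[key])


def is_true(value):
    return value.lower() in TRUE_VALUES


def anonymous_upload_enabled(settings):
    # anon_upload_enable only has an effect when write_enable is also on.
    return is_true(effective(settings, "write_enable")) and is_true(
        effective(settings, "anon_upload_enable")
    )


def root_owned_anonymous_uploads(settings):
    """True when anonymous uploads are possible and get chown'ed to root."""
    return (
        anonymous_upload_enabled(settings)
        and is_true(effective(settings, "chown_uploads"))
        and effective(settings, "chown_username") == "root"
    )


def audit(settings):
    """Return a list of (severity, message) findings."""
    findings = []
    if root_owned_anonymous_uploads(settings):
        how = (
            "explicitly" if "chown_username" in settings
            else "by default (chown_username not set)"
        )
        findings.append(("HIGH", f"anonymous uploads are chown'ed to root {how}"))
    elif anonymous_upload_enabled(settings):
        owner = effective(settings, "chown_username") if is_true(
            effective(settings, "chown_uploads")) else "the FTP user"
        findings.append(("INFO", f"anonymous upload enabled; files owned by {owner}"))
    try:
        umask = int(effective(settings, "local_umask"), 8)
    except ValueError:
        findings.append(("MEDIUM", "local_umask is not a valid octal value"))
    else:
        if umask & 0o002 == 0:  # world-write bit not masked off
            findings.append(("MEDIUM", f"local_umask={umask:03o} allows world-writable files"))
    return findings


# Non-comment lines of the configuration quoted in the advisory.
VULNERABLE_CONF = """\
write_enable=YES
local_umask=0
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
ascii_upload_enable=YES
listen=YES
ftp_username=nobody
"""

# Assumed hardened variant: an unprivileged "ftpupload" account owns uploads.
HARDENED_CONF = """\
write_enable=YES
local_umask=077
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
chown_username=ftpupload
listen=YES
ftp_username=nobody
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for severity, message in audit(parse_vsftpd_conf(conf)):
            print(f"  [{severity}] {message}")
```

Run against the quoted firmware file it reports the HIGH finding with "chown_username not set", which is the point of the advisory: the absence of a line, not the presence of one, is what hands root ownership to every anonymous upload. The hardened variant keeps anonymous upload on (the device evidently needs it) but only produces an INFO line, because ownership now lands on an account with no privileges.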