Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RVD#2573: The DBPOWER U818A WIFI quadcopter drone provides FTP access over #2573

Open
rvd-bot opened this issue Jun 28, 2020 · 2 comments
Open

RVD#2573: The DBPOWER U818A WIFI quadcopter drone provides FTP access over #2573

rvd-bot opened this issue Jun 28, 2020 · 2 comments
Labels
robot: DBPOWER U818A severity: medium 4.0 - 6.9 vendor: DBPOWER vulnerability

Comments

@rvd-bot
Copy link
Contributor

rvd-bot commented Jun 28, 2020
edited by vmayoral
Loading 

id: 2573
title: 'RVD#2573: The DBPOWER U818A WIFI quadcopter drone provides FTP access over '
type: vulnerability
description: The DBPOWER U818A WIFI quadcopter drone provides FTP access over its
  own local access point, and allows full file permissions to the anonymous user.
  The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows
  anonymous access without a password, and provides full filesystem read/write permissions
  to the anonymous user. A remote user within range of the open access point on the
  drone may utilize the anonymous user of the FTP server to read arbitrary files,
  such as images and video recorded by the device, or to replace system files such
  as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A
  WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be
  vulnerable to other known BusyBox vulnerabilities.
cwe: CWE-276
cve: CVE-2017-3209
keywords: ''
system: 'DBPOWER U818A'
vendor: "DBPOWER"
severity:
  rvss-score: 0
  rvss-vector: ''
  severity-description: 'medium'
  cvss-score: 4.8
  cvss-vector: CVSS:3.0/AV:A/AC:L/Au:N/C:P/I:P/A:N
links:
- https://dl.acm.org/doi/10.1145/3139937.3139943
- https://vulners.com/cve/CVE-2017-3209
- https://github.com/aliasrobotics/RVD/issues/2573
- https://nvd.nist.gov/vuln/detail/CVE-2017-3209
flaw:
  phase: unknown
  specificity: N/A
  architectural-location: N/A
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: '2018-07-24'
  detected-by: ''
  detected-by-method: N/A
  date-reported: '2020-05-29'
  reported-by: ''
  reported-by-relationship: N/A
  issue: https://github.com/aliasrobotics/RVD/issues/2573
  reproducibility: ''
  trace: ''
  reproduction: ''
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: ''
@rvd-bot rvd-bot changed the title The DBPOWER U818A WIFI quadcopter drone provides FTP access over RVD#2573: The DBPOWER U818A WIFI quadcopter drone provides FTP access over Jun 28, 2020
@attritionorg
Copy link

CWE-276

@vmayoral
Copy link
Member

vmayoral commented Sep 6, 2020

Thanks @attritionorg, updated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
robot: DBPOWER U818A severity: medium 4.0 - 6.9 vendor: DBPOWER vulnerability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vmayoral @attritionorg @rvd-bot