Vulnerability Note VU#334207
DBPOWER U818A WIFI quadcopter drone allows full filesystem permissions to anonymous FTP
The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user.
The DBPOWER U8181A WIFI quadcopter drone is designed to record images and video from the air. The drone provides an undocumented FTP server, accessible on the local network via its local access point.
CWE-276: Incorrect Default Permissions - CVE-2017-3209
A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files and gain further access to the device.
The CERT/CC is currently unaware of a practical solution to this problem.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|DBPOWER||Affected||24 Feb 2017||07 Apr 2017|
CVSS Metrics (Learn More)
Thanks to Junia Valente (Cyber-Physical Systems Security Lab at UT Dallas) for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2017-3209
- Date Public: 11 Apr 2017
- Date First Published: 11 Apr 2017
- Date Last Updated: 24 Apr 2017
- Document Revision: 30
If you have feedback, comments, or additional information about this vulnerability, please send us email.