The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user.
The DBPOWER U8181A WIFI quadcopter drone is designed to record images and video from the air. The drone provides an undocumented FTP server, accessible on the local network via its local access point.
CWE-276: Incorrect Default Permissions - CVE-2017-3209
A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files and gain further access to the device.
The CERT/CC is currently unaware of a practical solution to this problem.
Thanks to Junia Valente (Cyber-Physical Systems Security Lab at UT Dallas) for reporting this vulnerability.
This document was written by Garret Wassermann.
|Date First Published:||2017-04-11|
|Date Last Updated:||2017-04-24 04:14 UTC|