RVD
RVD copied to clipboard
Published
20 hours ago •
aliasrobotics
aliasrobotics
RVD#2573: The DBPOWER U818A WIFI quadcopter drone provides FTP access over
id: 2573
title: 'RVD#2573: The DBPOWER U818A WIFI quadcopter drone provides FTP access over '
type: vulnerability
description: The DBPOWER U818A WIFI quadcopter drone provides FTP access over its
own local access point, and allows full file permissions to the anonymous user.
The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows
anonymous access without a password, and provides full filesystem read/write permissions
to the anonymous user. A remote user within range of the open access point on the
drone may utilize the anonymous user of the FTP server to read arbitrary files,
such as images and video recorded by the device, or to replace system files such
as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A
WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be
vulnerable to other known BusyBox vulnerabilities.
cwe: CWE-276
cve: CVE-2017-3209
keywords: ''
system: 'DBPOWER U818A'
vendor: "DBPOWER"
severity:
rvss-score: 0
rvss-vector: ''
severity-description: 'medium'
cvss-score: 4.8
cvss-vector: CVSS:3.0/AV:A/AC:L/Au:N/C:P/I:P/A:N
links:
- https://dl.acm.org/doi/10.1145/3139937.3139943
- https://vulners.com/cve/CVE-2017-3209
- https://github.com/aliasrobotics/RVD/issues/2573
- https://nvd.nist.gov/vuln/detail/CVE-2017-3209
flaw:
phase: unknown
specificity: N/A
architectural-location: N/A
application: N/A
subsystem: N/A
package: N/A
languages: None
date-detected: '2018-07-24'
detected-by: ''
detected-by-method: N/A
date-reported: '2020-05-29'
reported-by: ''
reported-by-relationship: N/A
issue: https://github.com/aliasrobotics/RVD/issues/2573
reproducibility: ''
trace: ''
reproduction: ''
reproduction-image: ''
exploitation:
description: ''
exploitation-image: ''
exploitation-vector: ''
exploitation-recipe: ''
mitigation:
description: ''
pull-request: ''
date-mitigation: ''
