CVE-2017-3209 Information

Description

The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point and allows full file permissions to the anonymous user. The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows anonymous access without a password and provides full filesystem read/write permissions to the anonymous user. A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files such as images and video recorded by the device or to replace system files such as /etc/shadow to gain further access to the device. Furthermore the DBPOWER U818A WIFI quadcopter drone uses BusyBox 1.20.2 which was released in 2012 and may be vulnerable to other known BusyBox vulnerabilities.

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

https://dl.acm.org/citation.cfm?id=3139943 https://www.kb.cert.org/vuls/id/334207 https://www.securityfocus.com/bid/97564

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

8.1