🚨 Security Issue: Unauthenticated Remote Drone Control via `/track` Endpoint

[im-soohyun]

🚨 Security Issue: Unauthenticated Remote Drone Control via /track Endpoint

📝 Vulnerability Description

The current implementation of the drone control web application allows unauthenticated users to send commands to remotely move the drone by directly submitting HTTP POST requests to the /track endpoint. This lack of authentication and authorization checks allows potential attackers to control the drone remotely without permission.

🔍 Affected Code

File: drone_delivery.py

Vulnerable Endpoint: Line 171 (track endpoint)

@cherrypy.expose
def track(self, lat=None, lon=None):
    if(lat is not None and lon is not None):
        self.drone.goto([lat, lon], True)  # No authentication before sending commands to drone
    return self.templates.track(self.drone.get_location())

🛠️ Steps to Reproduce

An attacker can remotely control the drone position by executing a simple HTTP POST request without authentication:

curl -X POST http://localhost:8080/track -d "lat=37.4419&lon=-122.1430"

⚠️ Potential Risks

• Unauthorized individuals can remotely manipulate drone positions.
• Risk of physical damage, unauthorized surveillance, or other security incidents due to unauthorized drone control.

🔐 Recommended Mitigation

The authentication approach already used in the [command endpoint (lines 124-141)](https://github.com/dronekit/dronekit-python/blob/243ce0ac9c51504fc846e4ea1e35dbff03985871/examples/drone_delivery/drone_delivery.py#L124-L141) should be similarly implemented in the /track` endpoint:

@cherrypy.expose
def track(self, lat=None, lon=None):
    # Implement authentication check similar to /command endpoint here
    if not cherrypy.session.get('authenticated'):
        raise cherrypy.HTTPRedirect("/")
    
    if(lat is not None and lon is not None):
        self.drone.goto([lat, lon], True)

    return self.templates.track(self.drone.get_location())

Specifically, you should:

• Add session-based authentication checks before accepting drone movement commands.
• Ensure that only authorized users are able to interact with the drone through sensitive API endpoints.

📌 Additional References

• OWASP API Security Top 10
• OWASP Authentication Cheat Sheet

Thank you for your attention to this security matter.

[im-soohyun]

@hamishwillee

I apologize for reaching out while you’re busy, but may I kindly ask you to review this when you have a moment?

[hamishwillee]

Hi @shyun020

Sure, it's probably a risk at some level.
But this is an open source project without a maintainer, so we're not going to do anything about it.
If someone wants to contribute a PR to fix this then I'll seek a reviewer to get it looked at.

[im-soohyun]

@hamishwillee

If it turns out that this issue does pose a real security risk — and could have led to exploitation in a real-world scenario — would it be acceptable for me to request a CVE for it?

Additionally, would you be open to me opening a PR with a safe patch to address the issue responsibly?

Please let me know your thoughts.

Best regards,

[hamishwillee]

Hi @shyun020,
I don't know what a CVE is. I'm completely open to getting a PR (very happy to do so). Note though, that I can't guarantee when/if it would be reviewed and/or merged.

[im-soohyun]

@hamishwillee

Hello,

I’d like to inform you that I’ve discovered a security vulnerability in your project.
Before proceeding, I wanted to respectfully ask whether I may submit a CVE request for this issue myself — or if your team would prefer to handle the CVE assignment process directly.

As you may know, CVE (Common Vulnerabilities and Exposures) identifiers help the wider community track and respond to known vulnerabilities more effectively. I am currently a student studying cybersecurity, and I’m genuinely interested in contributing to the open-source security ecosystem in a responsible manner.

If you have any preferred disclosure process or policies, please do let me know. I’m happy to follow your guidelines and cooperate fully.

Thank you for your time and consideration.

https://cveform.mitre.org/

Best regards,

[im-soohyun]

@hamishwillee

I sincerely appreciate your time and would be grateful if you could respond at your earliest convenience.

[hamishwillee]

We have no guidelines. You are welcome to submit issues and/or PRs on what you find. They will be appreciated by the community I am sure. But as there are no maintainers, it is unlikely work will be done to fix any issues for which you don't provide PRs. The time to respond to any issue or review of your PRs is open ended.

My earliest convenience is at best, the following Wednesday from any post, and often several months.

[im-soohyun]

@hamishwillee

Hello,

I have identified a vulnerability in the drone control web application where unauthenticated users can send HTTP POST requests to the /track endpoint, allowing them to remotely control the drone. If applied to an actual drone, this could allow unauthorized users to move the drone to arbitrary locations, potentially leading to physical damage, illegal surveillance, and other severe security incidents.

This vulnerability arises from the lack of authentication and authorization checks, and there is a practical risk of exploitation.

Therefore, I would like to inquire whether this issue qualifies for a CVE (Common Vulnerabilities and Exposures) issuance. CVE is a system that assigns unique identifiers to publicly disclosed security vulnerabilities, making them internationally shareable and trackable.

If this issue meets the criteria for CVE issuance, could you also confirm whether I can submit the CVE request myself?

For your reference, CVE submission can be done via the following link:
🔗 https://cveform.mitre.org/

I would greatly appreciate it if you could review the possibility of CVE issuance and provide your response.

[im-soohyun]

@hamishwillee

Whenever you have the time, could you kindly review the CVE issue and provide a response?

Thank you always for your kind assistance.

[im-soohyun]

@hamishwillee

I would like to kindly ask if it is possible to proceed in a similar manner as the following case, where I reported a vulnerability via email, which was later patched and assigned a CVE:

jumpserver/jumpserver#15749

Thank you very much for your time and consideration.

[im-soohyun]

@hamishwillee

I truly appreciate your time and would be very grateful if you could provide a response regarding the CVE ID assignment.

[im-soohyun]

@hamishwillee
May I ask if a CVE assignment is planned?

[hamishwillee]

@im-soohyun No it's not.

This project has no maintainers.
I have no time to do anything with this, and if I did, it would be the lowest of possible priorities. That is true of any security issue.