SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   NETGEAR Router
Vendors:   NETGEAR
NETGEAR FM114P Wireless Router Input Validation Bug May Disclose Configuration Files to Remote Users
SecurityTracker Alert ID:  1006065
SecurityTracker URL:  http://securitytracker.com/id/1006065
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 10 2003
Impact:   Disclosure of authentication information, Disclosure of system information
Exploit Included:  Yes  
Version(s): FM114P; Firmware 1.4 Beta Release 17
Description:   An input validation vulnerability was reported in the NETGEAR FM114P Cable/DSL Prosafe 802.11b Wireless Firewall. A remote user can view configuration files.

It is reported that a remote user can supply a specially crafted URL containing directory traversal characters to the device's web interface to view configuration files. Authentication is not required.

A demonstration exploit URL is provided:

http://ip-or-hostname:port/upnp/service/%2e%2e%2fnetgear.cfg

The 'netgear.cfg' file reportedly contains the dialup-password, dynamic dns-configuration password, and router configuration options. The report indicates that the router-password and wep-keys are not included in the file.

The vendor has reportedly been notified.

Impact:   A remote user can obtain certain configuration files.
Solution:   No solution was available at the time of this entry.

The author of the report indicates that you can disable the remote management feature as a workaround.

Vendor URL:  www.netgear.com/products/prod_details.asp?prodID=138
Cause:   Input validation error

Message History:   None.
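
An added example, not code from the advisory, the reporter or NETGEAR: the firmware's request handler is not shown on this page, so `naive_is_allowed` is a hypothetical check that inspects the path before percent-decoding, placed beside a decode-then-canonicalise check that rejects the URL form reported above. The file name `desc.xml`, the decode bound and the sample request list are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

SERVICE_PREFIX = "/upnp/service/"  # directory named in the advisory
MAX_DECODE_ROUNDS = 3              # assumption: bound on nested percent-encoding


def naive_is_allowed(raw_path: str) -> bool:
    """Hypothetical flawed filter: searches for '../' in the still-encoded path."""
    return raw_path.startswith(SERVICE_PREFIX) and "../" not in raw_path


def strict_is_allowed(raw_path: str) -> bool:
    """Decode until stable, canonicalise, then require containment in the prefix."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return False  # still changing after the bound: treat as hostile encoding
    if "\x00" in path or "\\" in path:
        return False  # NUL bytes and backslashes have no place in these paths
    canonical = posixpath.normpath(path)  # collapses '..' and duplicate slashes
    return canonical.startswith(SERVICE_PREFIX)


def audit(paths):
    """Return requests the naive filter passes but the strict check rejects."""
    return [p for p in paths if naive_is_allowed(p) and not strict_is_allowed(p)]


# Constructed sample request paths (only the second form comes from the advisory).
SAMPLE_REQUESTS = [
    "/upnp/service/desc.xml",
    "/upnp/service/%2e%2e%2fnetgear.cfg",
    "/upnp/service/%252e%252e%252fnetgear.cfg",
    "/upnp/service/../netgear.cfg",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_REQUESTS):
        print("escapes service directory:", hit)
```

The same `audit` function can be run over request paths pulled from a proxy or web-server log to flag encoded traversal attempts against the `/upnp/service` directory.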


 Source Message Contents

Subject:  Bug in Netgear FM114P Wireless Router firmware


hi,

i found out that the netgear FM114P wireless router has a
directory-traversal like bug in the web-configuration interface.
documents/files can be accessed without authentication by using escaped
directory traversal from the accessible /upnp/service directory.

this results f.ex. in the ability to grab configuration file without
authentication on the router (remotely possible when remote
configuration is enabled) by using the following url:

http://ip-or-hostname:port/upnp/service/%2e%2e%2fnetgear.cfg

this config file contains dialup-password, dynamic dns-configuration
password and the main router configuration options. the router-password
and wep-keys are NOT included in this configuration file.

as far as i can say from my tests, there is no possibility to submit
data to forms on the router web-interface. (if so, it would be possible
to reset password or access wep-keys).

the bug affects current router firmware v1.4 Beta Release 17; others have
not been tested by myself. the netgear support has been informed.

to avoid the possibility for others to grab your config-file, simply
disable the remote management of the router (if enabled anyway).
disabling the upnp option of the router software does not affect the
behaviour.


regards,  b.stickler


http://intex.ath.cx


 
 



Copyright 2019, SecurityGlobal.net LLC