Bug in Netgear FM114P Wireless Router firmware

[Björn Stickler <stickler () rbg informatik tu-darmstadt de>]

hi,

i found out that the netgear FM114P wireless router has a
directory-traversal like bug in the web-configuration interface.
documents/files can be accessed without authentication by using escaped
directory traversal from the accessible /upnp/service directory.

this results f.ex. in the ability to grab configuration file without
authentication on the router (remotely possible when remote
configuration is enabled) by using the following url:

http://ip-or-hostname:port/upnp/service/%2e%2e%2fnetgear.cfg

this config file contains dialup-password, dynamic dns-configuration
password and the main router configuration options. the router-password
and wep-keys are NOT included in this configuration file.

as far as i can say from my tests, there is no possibility to submit
data to forms on the router web-interface. (if so, it would be possible
to reset password or access wep-keys).

the bug affects current router firmware v1.4 Beta Release 17 others have
not been tested by myself. the netgear support has been informed.

to avoid the possibility for others to grab your config-file, simply
disable the remote management of the router (if enabled anyway).
disabling the upnp option of the router software does not affect the
behaviour.


regards,  b.stickler


http://intex.ath.cx