`BT Wifi Extenders - 300, 600 and 1200 models - Cross Site Scripting
leading to disclosure of PSK.
A firmware update is required to resolve this issue.
The essential problem is that if you hit the following URL on your
wifi extender, it will pop up a whole load of private data, including
your PSK. Instead of doing a pop up, we could exfiltrate that data to
our server.
/cgi-bin/webproc?%3Asessionid=deadbeef&obj-action=auth&%3Aaction=login&errorpage=html%2Fmain.html&getpage=html/index.html&var:menu=advanced&var:page=conntorouter&var%3Amenu=setup19497%22%3bsetTimeout(function(){alert(%22If%20you%20see%20stuff%20here,%20patch%21%20%22%2bG_arrClient)%3b},1000)%3bvar+foo%3d%22&var%3Asubpage=-
We can automate this within a web page to steal your stuff and I've
banged together a quick proof of concept here - http://xjs.io/bt.html
- which will try to find all the BT wifi extenders on your home
network, but needs to be run in Chrome. This uses Chrome to get the
list of local network interfaces and then chucks the XSS around the
whole local network if it finds any. (If it doesn't work, I apologise
- you'll have to try it by hand instead.)
If you have one of these, you should upgrade - the details are here:
300 model:
http://bt.custhelp.com/app/answers/detail/a_id/54345
600 model:
http://bt.custhelp.com/app/answers/detail/a_id/51867
1200 model:
http://bt.custhelp.com/app/answers/detail/a_id/56465
More details here:
https://www.pentestpartners.com/blog/bt-wi-fi-extender-multiple-security-issues-upgrade-asap/
BT were quite responsive, however seem to have just categorised the issue
as "bug fixes", and I don't think there's an auto-update feature,
hence this post.
cheers,
Jamie
`
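A detection sketch for the request shape in the advisory, added here as an example and not part of the original post: it flags `/cgi-bin/webproc` requests whose `var:` parameters decode to anything other than a plain page name, including the case above where the payload sits in a percent-encoded duplicate (`var%3Amenu`) after a benign `var:menu`. The log format, the allow-list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: legitimate var:* values are short page names such as "advanced" or "-".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_./-]*")
# Assumption: common log format, client address first, request line in quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(request_target):
    """Return [(name, decoded_value)] for var:* parameters outside the allow-list."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/cgi-bin/webproc"):
        return []
    # parse_qsl percent-decodes names as well as values and keeps duplicates,
    # so "var%3Amenu" is checked even when a benign "var:menu" precedes it.
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name.startswith("var:") and not SAFE_VALUE.fullmatch(value)]


def scan(log_lines):
    """Return [(client, hits)] for every log line with a flagged parameter."""
    findings = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m:
            hits = suspicious_params(m.group(2))
            if hits:
                findings.append((m.group(1), hits))
    return findings


# Constructed sample lines; addresses, timestamps and the shortened value are made up.
SAMPLE_LOG = [
    '192.168.1.20 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/webproc?'
    'getpage=html/index.html&var:menu=advanced&var:page=conntorouter'
    '&var%3Asubpage=- HTTP/1.1" 200 5120',
    '192.168.1.50 - - [01/Jan/2024:10:00:07 +0000] "GET /cgi-bin/webproc?'
    'getpage=html/index.html&var:menu=advanced'
    '&var%3Amenu=setup%22%3bvar+foo%3d%22 HTTP/1.1" 200 5200',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

A filter that matches only the literal string `var:menu=` would see `advanced` in the second line and miss the encoded duplicate, which is why the names are decoded before matching.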