Home / os / winmobile

BT Wifi Extenders 300 / 600 / 1200 Cross Site Scripting

Posted on 23 September 2016

BT Wifi Extenders - 300, 600 and 1200 models - Cross Site Scripting leading to disclosure of PSK. A firmware update is required to resolve this issue. The essential problem is that if you hit the following URL on your wifi extender, it will pop up a whole load of private data, including your PSK. Instead of doing a pop up, we could exfiltrate that data to our server. /cgi-bin/webproc?%3Asessionid=deadbeef&obj-action=auth&%3Aaction=login&errorpage=html%2Fmain.html&getpage=html/index.html&var:menu=advanced&var:page=conntorouter&var%3Amenu=setup19497%22%3bsetTimeout(function(){alert(%22If%20you%20see%20stuff%20here,%20patch%21%20%22%2bG_arrClient)%3b},1000)%3bvar+foo%3d%22&var%3Asubpage=- We can automate this within a web page to steal your stuff and I've banged together a quick proof of concept here - http://xjs.io/bt.html - which will try to find all the BT wifi extenders on your home network, but needs to be run in Chrome. This uses Chrome to get the list of local network interfaces and then chucks the XSS around the whole local network if it finds any. (If it doesn't work, I apologise - you'll have to try it by hand instead.) If you have one of these, you should upgrade - the details are here: 300 model: http://bt.custhelp.com/app/answers/detail/a_id/54345 600 model: http://bt.custhelp.com/app/answers/detail/a_id/51867 1200 model: http://bt.custhelp.com/app/answers/detail/a_id/56465 More details here: https://www.pentestpartners.com/blog/bt-wi-fi-extender-multiple-security-issues-upgrade-asap/ BT were quite responsive, however seem have just categorised the issue as "bug fixes", and I don't think there's an auto-update feature, hence this post. cheers, Jamie

 

TOP