Message-ID: <CAHno4i8nj_inF8gNu4=sKz3aK4k=57V6ZZ9z+YVY8vFMn329tQ@mail.gmail.com>
Date: Thu, 22 Sep 2016 09:32:54 +0100
From: Jamie R <jamie.riden@...il.com>
To: bugtraq@...urityfocus.com
Subject: Fwd: BT Wifi Extenders - Cross Site Scripting leading to disclosure
 of PSK

BT Wifi Extenders - 300, 600 and 1200 models - Cross Site Scripting
leading to disclosure of PSK.

A firmware update is required to resolve this issue.

The essential problem is that if you hit the following URL on your
wifi extender, it will pop up a whole load of private data, including
your PSK.  Instead of doing a pop up, we could exfiltrate that data to
our server.

/cgi-bin/webproc?%3Asessionid=deadbeef&obj-action=auth&%3Aaction=login&errorpage=html%2Fmain.html&getpage=html/index.html&var:menu=advanced&var:page=conntorouter&var%3Amenu=setup19497%22%3bsetTimeout(function(){alert(%22If%20you%20see%20stuff%20here,%20patch%21%20%22%2bG_arrClient)%3b},1000)%3bvar+foo%3d%22&var%3Asubpage=-

We can automate this within a web page to steal your stuff and I've
banged together a quick proof of concept here - http://xjs.io/bt.html
- which will try to find all the BT wifi extenders on your home
network, but needs to be run in Chrome. This uses Chrome to get the
list of local network interfaces and then chucks the XSS around the
whole local network if it finds any. (If it doesn't work, I apologise
- you'll have to try it by hand instead.)

If you have one of these, you should upgrade - the details are here:

300 model:

http://bt.custhelp.com/app/answers/detail/a_id/54345

600 model:

http://bt.custhelp.com/app/answers/detail/a_id/51867

1200 model:

http://bt.custhelp.com/app/answers/detail/a_id/56465


More details here:
https://www.pentestpartners.com/blog/bt-wi-fi-extender-multiple-security-issues-upgrade-asap/


BT were quite responsive, however seem to have just categorised the issue
as "bug fixes", and I don't think there's an auto-update feature,
hence this post.

cheers,
 Jamie
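
Added example, not part of the original post and not BT's code: a defender-side check that flags webproc requests whose var: parameters carry characters outside a plain menu name, next to the output encoding that stops such a value from closing a JavaScript string. The reflection into a double-quoted string, the allowlist and the name G_menu are assumptions drawn from the shape of the URL above.

```javascript
// Added example, not firmware code. Assumption: webproc copies each "var:"
// query parameter into a double-quoted JavaScript string in the returned page.

// Constructed request lines modelled on the URL shape in the advisory.
const SAMPLE_REQUESTS = [
  "/cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=conntorouter",
  "/cgi-bin/webproc?getpage=html/index.html&var%3Amenu=setup%22%3bvar+foo%3d%22",
  "/cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:subpage=-",
];

// Assumed allowlist: menu and page names are letters, digits, "_" and "-".
const SAFE_VALUE = /^[A-Za-z0-9_-]*$/;

// Detection: list "var:" parameters whose decoded value leaves the allowlist.
function suspiciousVarParams(requestLine) {
  const q = requestLine.indexOf("?");
  const query = q < 0 ? "" : requestLine.slice(q + 1);
  const hits = [];
  // URLSearchParams percent-decodes names and values ("var%3Amenu" -> "var:menu").
  for (const [name, value] of new URLSearchParams(query)) {
    if (name.startsWith("var:") && !SAFE_VALUE.test(value)) {
      hits.push({ name, value });
    }
  }
  return hits;
}

// Mitigation: encode for a JavaScript string literal. Every UTF-16 code unit
// other than an ASCII letter or digit becomes \uXXXX, so the value cannot
// close the surrounding quotes.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical template line (G_menu is an illustrative name): unescaped vs escaped.
function renderUnsafe(menu) { return 'var G_menu = "' + menu + '";'; }
function renderSafe(menu) { return 'var G_menu = "' + escapeForJsString(menu) + '";'; }

for (const line of SAMPLE_REQUESTS) {
  for (const { name, value } of suspiciousVarParams(line)) {
    console.log("flagged", name, JSON.stringify(value));
    console.log("  unescaped:", renderUnsafe(value));
    console.log("  escaped:  ", renderSafe(value));
  }
}
```

The same allowlist can be applied to proxy or web-server logs to spot requests of this shape sent to an extender's address.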
