Fwd: BT Wifi Extenders - Cross Site Scripting leading to disclosure of PSK

[Jamie R <jamie.riden () gmail com>]

BT Wifi Extenders - 300, 600 and 1200 models - Cross Site Scripting
leading to disclosure of PSK.

A firmware update is required to resolve this issue.

The essential problem is that if you hit the following URL on your
wifi extender, it will pop up a whole load of private data, including
your PSK.  Instead of doing a pop up, we could exfiltrate that data to
our server.

/cgi-bin/webproc?%3Asessionid=deadbeef&obj-action=auth&%3Aaction=login&errorpage=html%2Fmain.html&getpage=html/index.html&var:menu=advanced&var:page=conntorouter&var%3Amenu=setup19497%22%3bsetTimeout(function(){alert(%22If%20you%20see%20stuff%20here,%20patch%21%20%22%2bG_arrClient)%3b},1000)%3bvar+foo%3d%22&var%3Asubpage=-

We can automate this within a web page to steal your stuff and I've
banged together a quick proof of concept here - http://xjs.io/bt.html
- which will try to find all the BT wifi extenders on your home
network, but needs to be run in Chrome. This uses Chrome to get the
list of local network interfaces and then chucks the XSS around the
whole local network if it finds any. (If it doesn't work, I apologise
- you'll have to try it by hand instead.)

If you have one of these, you should upgrade - the details are here:

300 model:

http://bt.custhelp.com/app/answers/detail/a_id/54345

600 model:

http://bt.custhelp.com/app/answers/detail/a_id/51867

1200 model:

http://bt.custhelp.com/app/answers/detail/a_id/56465


More details here:
https://www.pentestpartners.com/blog/bt-wi-fi-extender-multiple-security-issues-upgrade-asap/


BT were quite responsive, however seem have just categorised the issue
as "bug fixes", and I don't think there's an auto-update feature,
hence this post.

cheers,
 Jamie