U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

BT Wi-Fi extender, extends to XSS and password changing vulnerabilities

Following an investigation by Pen Test Partners, British Telecom (BT) has released a firmware upgrade for their popular range of Wi-Fi extenders. The investigation uncovered vulnerabilities within the firmware when left the device exposed to possible XSS (Cross Site Scripting) Exploits as well as the ability to change the user’s password without notification. By combining […]

BT Wi-Fi extender, extends to XSS and password changing vulnerabilities

Following an investigation by Pen Test Partners, British Telecom (BT) has released a firmware upgrade for their popular range of Wi-Fi extenders.

The investigation uncovered vulnerabilities within the firmware when left the device exposed to possible XSS (Cross Site Scripting) Exploits as well as the ability to change the user’s password without notification.

By combining these flaws it was proved possible to grab the victim’s WPA passphrase following tricking them into visiting a maliciously crafted website from their home network.

BT was quick to offer an upgrade, available here, which resolves the issues. The telecommunications giant were also quick to credit Pen Test Partners, thanking them for the discovery:

“We are grateful to Pen Test Partners for alerting us to this issue. We have been working to address this potential weakness and issued an update which corrected the problem in August 2016. We are not aware of any cases where customers have suffered any issues. Customers should ensure they download the firmware update from the BT website.”
bt-wi-fi-extenders-2

 

The report detailed that a malformed JavaScript could be created and spammed over the local network (if the IP of the extender was unknown), which could be crafted to change the password without ever seeking verification of the previous password, as is standard in many applications.

The var:errorpage parameter within the configuration was also found to be vulnerable, this time to XSS. The device also didn’t validate input or its HTML encoding when it rewrites changes back out to the web page.

Altering cookie parameters also allowed unauthenticated users to glean username and passwords directly.

“The var:errorpage parameter seems to be vulnerable to reflected cross-site scripting because it is not correctly validated on input, nor HTML-encoded when it is written out to the web page again.

Example:

bt-wi-fi-extenders-3

Also, if we try it with document[.]cookie instead of ‘1’, we get to see the username and password.states the report from Pen Test Partners.

Pen Test Partners combined these vulnerabilities, grabbed the cookies and ended up with the victim’s NAT IP, admin password, SSID as well as their Pre-Shared Key.

The popularity of BT Wi-Fi extenders, as well as, the extent of the vulnerabilities and relative ease of performing this exploit means that all home users without version 1.1.8, if they haven’t done so, should stop what they’re doing, especially if it’s online, and upgrade immediately.

Written by: Steven Boyd

Steven BoydSteven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

 

 

 

[adrotate banner=”9″]

(Security Affairs – BT Wi-Fi extenders, hacking)