Barco wePresent Authentication Bypass

Vulnerability Details

Affected Vendor: Barco
Affected Product: wePresent WiPG-1600W
Affected Version: 2.5.1.8
Platform: Embedded Linux
CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE ID: CVE-2020-28333

Vulnerability Description

The Barco wePresent web interface does not use session cookies
for tracking authenticated sessions. Instead, the web interface
uses a “SEID” token that is appended to the end of URLs in GET
requests. Thus the “SEID” would be exposed in web proxy logs
and browser history. An attacker that is able to capture the
“SEID” and originate requests from the same IP address (via
a NAT device or web proxy) would be able to access the user
interface of the device without having to know the credentials.

Technical Description

In order to make configuration changes to the Barco wePresent
WiPG-1600W, a “random” value sent to the web interface client
from the device is required to be provided – the “SEID”. It
seems to be acting like a Session ID in a cookie. However,
the “SEID” is passed as a parameter in URLs and in the body
of POSTs. Since it is passed as a parameter in the URL, it
can be logged by web proxies or browser history. An example is:

https://192.168.2.200/cgi-bin/web_index.cgi?lang=en&src=AwSystem.html&ertqVvnKV4TjU9Vt

Where “ertqVvnKV4TjU9Vt” is the SEID. No session cookie exists,
just this value passed on the URL as a parameter, and in the
body of POSTs to make configuration changes. This SEID is all
that is required to access pages behind authentication or to
make configuration changes via POSTs. There is no Authorization
header passed in the HTTP requests.

Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which
remediates the described vulnerability. Firmware and release
notes are available at:

https://www.barco.com/en/support/software/R33050104

Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of
KoreLogic, Inc.

Disclosure Timeline

2020.08.24 - KoreLogic submits vulnerability details to
Barco.
2020.08.25 - Barco acknowledges receipt and the intention
to investigate.
2020.09.21 - Barco notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline. Barco requests to delay
coordinated disclosure until 2020.12.11.
2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
2020.09.25 - Barco informs KoreLogic of their intent to acquire
CVE number for this vulnerability.
2020.11.09 - Barco shares CVE number with KoreLogic and announces
their intention to release the updated firmware
ahead of schedule, on 2020.11.11. Request that KoreLogic
delay public disclosure until 2020.11.20.
2020.11.11 - Barco firmware release.
2020.11.20 - KoreLogic public disclosure.

Proof of Concept

See section (3) Technical Description.