-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2020-004 : Barco wePresent Hardcoded API Credentials

Title: Barco wePresent Hardcoded API Credentials
Advisory ID: KL-001-2020-004
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-004.txt


1. Vulnerability Details

     Affected Vendor: Barco
     Affected Product: wePresent WiPG-1600W
     Affected Version: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19
     Platform: Embedded Linux
     CWE Classification: CWE-798: Use of Hard-coded Credentials
     CVE ID: CVE-2020-28329


2. Vulnerability Description

     Barco wePresent device firmware includes a hardcoded API
     account and password that is discoverable by inspecting the
     firmware image. A malicious actor could use this password to
     access authenticated, administrative functions in the API.


3. Technical Description

     This vulnerability concerns the existence of default, hardcoded
     credentials that can be used to access an API service listening
     on port 4001/tcp.

     The password exists in clear text in /etc/lighthttp/admin and in
     a hashed form in etc/lighttpd/lighttpd.user. This information
     was obtained by downloading the firmware from wePresent's
     site and unpacking the firmware. URL for the firmware is
     https://www.barco.com/en/support/wepresent-wipg-1600W/drivers.
     Binwalk, with recursive scanning of extracted files, only
     partially unpacks the firmware. We devised a way to gracefully
     unpack the firmware using 'dd', see KL-001-2020-009 for
     further details.


4. Mitigation and Remediation Recommendation

     The vendor has released an updated firmware (2.5.3.12) which
     remediates the described vulnerability. Firmware and release
     notes are available at:

     https://www.barco.com/en/support/software/R33050104


5. Credit

     This vulnerability was discovered by Jim Becher (@jimbecher) of
     KoreLogic, Inc.


6. Disclosure Timeline

     2020.08.24 - KoreLogic submits vulnerability details to
                  Barco.
     2020.08.25 - Barco acknowledges receipt and the intention
                  to investigate.
     2020.09.21 - Barco notifies KoreLogic that this issue, 
                  along with several others reported by KoreLogic,
                  will require more than the standard 45 business
                  day remediation timeline. Barco requests to delay 
                  coordinated disclosure until 2020.12.11.
     2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
     2020.09.25 - Barco informs KoreLogic of their intent to acquire
                  CVE number for this vulnerability.
     2020.11.09 - Barco shares CVE number with KoreLogic and announces
                  their intention to release the updated firmware
                  ahead of schedule, on 2020.11.11. Request that KoreLogic
                  delay public disclosure until 2020.11.20.
     2020.11.11 - Barco firmware release.
     2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept


     After unpacking the firmware:
     $ ls -al etc/lighttpd/admin 
     -rwxr-xr-x 1 jbecher jbecher 36 Feb  6 23:42 etc/lighttpd/admin
     
     $ more etc/lighttpd/admin
     [REDACTED]


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAl+4JqkaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/PZLxAA5ruH1jttyItFnr3YD5WZ
RQjq/3ye30g7SNhZFc6uDGpFGUAroQu4qFrBpGuNeadSicIsbwEuAbB9U7T1z0wV
AkkaRVuS5hb7wTVbOB2X4KTaosHwWZ6KTJ2iFJypn9s2R0eMMbUYhCqSysTYxtwm
DxJk9Vk+SKRTmwAajAkq1cbxJgCxNFxU5hbvjDdKusPf+3csRz/rQOig4u+LhMAf
DbRvZ1ueU1M8g7U4wXQJogKfI98mk9Xyd0rGjJbHXcfnwBtPVe1DVQTAGcw8HJCO
mzS0GEe/B94qxYZAM2TlqxVJPXsozszsU4liUIH6l/U6b+6M9N9Aa/9Krqh9cpGh
CmnxPAP72JtXc+BvmPSnG14uqyHBovnu2Imq/KQZ9H2RSdH2mf8neWFqlBNI+8BK
0VhWulu84NI4vmlVTd9Oyb1vzjGjhmk6f9L/Wvk8BnrLGtJbGf+GiEsxGosfJ+GJ
PE0qqbIZ9BfP6G9lMesCa/TfNdXYpJ3WYygag/4XIldDeutU6cGTMeS7Mx6c/3Me
PYw1xcm1PGnmVsfRbM3blqlHnL/BdjdkwetsatLpjgo4qU1J3IVoQEGWv1etlV7F
wEOK+3J/QpAOqT1+gEopAnsXuR+FkgJDNmGH9xyoD8CeFgeZNlhfZMZBQV1jE/3U
luZcMC+yCpvIhOwwZsQSpCk=
=ie1H
-----END PGP SIGNATURE-----