Affected Systems
Discovered By
Vulnerability Details
Vulnerability Description
Barco wePresent device firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API.
Technical Description
This vulnerability concerns the existence of default, hardcoded
credentials that can be used to access an API service listening
on port 4001/tcp.
The password exists in clear text in /etc/lighthttp/admin and in
a hashed form in etc/lighttpd/lighttpd.user. This information
was obtained by downloading the firmware from wePresent’s
site and unpacking the firmware. URL for the firmware is
https://www.barco.com/en/support/wepresent-wipg-1600W/drivers.
Binwalk, with recursive scanning of extracted files, only
partially unpacks the firmware. We devised a way to gracefully
unpack the firmware using ‘dd’, see KL-001-2020-009 for
further details.
Mitigation and Remediation Recommendation
The vendor has released an updated firmware (2.5.3.12) which remediates the described vulnerability. Firmware and release notes are available at:
https://www.barco.com/en/support/software/R33050104
Credit
This vulnerability was discovered by Jim Becher (@jimbecher) of KoreLogic, Inc.
Proof of Concept
After unpacking the firmware:
$ ls -al etc/lighttpd/admin
-rwxr-xr-x 1 jbecher jbecher 36 Feb 6 23:42 etc/lighttpd/admin
$ more etc/lighttpd/admin
[REDACTED]The contents of this advisory are copyright(c) 2020 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
Disclosure Timeline
KoreLogic submits vulnerability details to Barco.
Barco acknowledges receipt and the intention to investigate.
Barco notifies KoreLogic that this issue, along with several others reported by KoreLogic, will require more than the standard 45 business day remediation timeline. Barco requests to delay coordinated disclosure until 2020.12.11.
KoreLogic agrees to 2020.12.11 coordinated disclosure.
Barco informs KoreLogic of their intent to acquire CVE number for this vulnerability.
Barco shares CVE number with KoreLogic and announces their intention to release the updated firmware ahead of schedule, on 2020.11.11. Request that KoreLogic delay public disclosure until 2020.11.20.
Barco firmware release.
KoreLogic public disclosure.
Responsible Disclosure
KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.