Barco wePresent Authentication Bypass

Vulnerability Description

The Barco wePresent web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a “SEID” token that is appended to the end of URLs in GET requests. Thus the “SEID” would be exposed in web proxy logs and browser history. An attacker that is able to capture the “SEID” and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.

Technical Description

In order to make configuration changes to the Barco wePresent WiPG-1600W, a “random” value sent to the web interface client from the device is required to be provided — the “SEID”. It seems to be acting like a Session ID in a cookie. However, the “SEID” is passed as a parameter in URLs and in the body of POSTs. Since it is passed as a parameter in the URL, it can be logged by web proxies or browser history. An example is:

https://192.168.2.200/cgi-bin/web_index.cgi?lang=en&src=AwSystem.html&ertqVvnKV4TjU9Vt

Where ertqVvnKV4TjU9Vt is the SEID. No session cookie exists, just this value passed on the URL as a parameter, and in the body of POSTs to make configuration changes. This SEID is all that is required to access pages behind authentication or to make configuration changes via POSTs. There is no Authorization header passed in the HTTP requests.

Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which remediates the described vulnerability. Firmware and release notes are available at:

https://www.barco.com/en/support/software/R33050104

Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of KoreLogic, Inc.

Proof of Concept

See section (3) Technical Description.

The contents of this advisory are copyright(c) 2020 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt