exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Barco wePresent Hardcoded API Credentials

Barco wePresent Hardcoded API Credentials
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent device firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Versions affected include 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19.

tags | exploit
advisories | CVE-2020-28329
SHA-256 | 22801e1943167d9cae8f39b9e75645ceb62540439a7d2d3cf58ea0fee603d235

Barco wePresent Hardcoded API Credentials

Change Mirror Download
KL-001-2020-004 : Barco wePresent Hardcoded API Credentials

Title: Barco wePresent Hardcoded API Credentials
Advisory ID: KL-001-2020-004
Publication Date: 2020.11.20
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-004.txt


1. Vulnerability Details

Affected Vendor: Barco
Affected Product: wePresent WiPG-1600W
Affected Version: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
CVE ID: CVE-2020-28329


2. Vulnerability Description

Barco wePresent device firmware includes a hardcoded API
account and password that is discoverable by inspecting the
firmware image. A malicious actor could use this password to
access authenticated, administrative functions in the API.


3. Technical Description

This vulnerability concerns the existence of default, hardcoded
credentials that can be used to access an API service listening
on port 4001/tcp.

The password exists in clear text in /etc/lighthttp/admin and in
a hashed form in etc/lighttpd/lighttpd.user. This information
was obtained by downloading the firmware from wePresent's
site and unpacking the firmware. URL for the firmware is
https://www.barco.com/en/support/wepresent-wipg-1600W/drivers.
Binwalk, with recursive scanning of extracted files, only
partially unpacks the firmware. We devised a way to gracefully
unpack the firmware using 'dd', see KL-001-2020-009 for
further details.


4. Mitigation and Remediation Recommendation

The vendor has released an updated firmware (2.5.3.12) which
remediates the described vulnerability. Firmware and release
notes are available at:

https://www.barco.com/en/support/software/R33050104


5. Credit

This vulnerability was discovered by Jim Becher (@jimbecher) of
KoreLogic, Inc.


6. Disclosure Timeline

2020.08.24 - KoreLogic submits vulnerability details to
Barco.
2020.08.25 - Barco acknowledges receipt and the intention
to investigate.
2020.09.21 - Barco notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline. Barco requests to delay
coordinated disclosure until 2020.12.11.
2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure.
2020.09.25 - Barco informs KoreLogic of their intent to acquire
CVE number for this vulnerability.
2020.11.09 - Barco shares CVE number with KoreLogic and announces
their intention to release the updated firmware
ahead of schedule, on 2020.11.11. Request that KoreLogic
delay public disclosure until 2020.11.20.
2020.11.11 - Barco firmware release.
2020.11.20 - KoreLogic public disclosure.


7. Proof of Concept


After unpacking the firmware:
$ ls -al etc/lighttpd/admin
-rwxr-xr-x 1 jbecher jbecher 36 Feb 6 23:42 etc/lighttpd/admin

$ more etc/lighttpd/admin
[REDACTED]


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close